Edit tour

Windows Analysis Report
7wOqCnSoTo.exe

Overview

General Information

Sample name:	7wOqCnSoTo.exe renamed because original name is a hash value
Original sample name:	6D24D29F877F3BF814604A1ED5FC24C1.exe
Analysis ID:	1581792
MD5:	6d24d29f877f3bf814604a1ed5fc24c1
SHA1:	b1523779085cfeb469fc5509ebb4fef9c4484fad
SHA256:	382a60ba2c82182eb8c93295c280f42301882a4e3ad07b2c139a6dca4ba8d9de
Tags:	exeGh0stRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

AI detected suspicious sample

Checks if browser processes are running

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates a Windows Service pointing to an executable in C:\Windows

Deletes itself after installation

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to modify clipboard data

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

7wOqCnSoTo.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\7wOqCnSoTo.exe" MD5: 6D24D29F877F3BF814604A1ED5FC24C1)

svchost.exe (PID: 7352 cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\5870343.gho	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: 7wOqCnSoTo.exe PID: 7304	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.7wOqCnSoTo.exe.405624.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.7wOqCnSoTo.exe.405624.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
1.2.svchost.exe.10000000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.7wOqCnSoTo.exe.400000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.7wOqCnSoTo.exe.400000.0.unpack	ZxShell_Related_Malware_CN_Group_Jul17_3	Detects a ZxShell related sample from a CN threat group	Florian Roth	0x2cc94:$s1: %s\nt%s.dll 0x2cbc0:$s2: RegQueryValueEx(Svchost\netsvcs)

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility, CommandLine: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility, ProcessId: 7352, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Backdoor family PCRat/Gh0st CnC traffic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T00:26:59.334023+0100	2016922	1	Malware Command and Control Activity Detected	192.168.2.4	49730	106.54.31.97	8810	TCP
2024-12-29T00:26:59.453550+0100	2016922	1	Malware Command and Control Activity Detected	192.168.2.4	49730	106.54.31.97	8810	TCP

ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T00:27:46.643910+0100	2048478	1	A Network Trojan was detected	106.54.31.97	8810	192.168.2.4	49730	TCP
2024-12-29T00:28:46.675861+0100	2048478	1	A Network Trojan was detected	106.54.31.97	8810	192.168.2.4	49730	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7wOqCnSoTo.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5870343.gho

Avira: detection malicious, Label: BDS/Agent.1.dll

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5870343.gho	ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: 7wOqCnSoTo.exe

ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5870343.gho

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7wOqCnSoTo.exe

Joe Sandbox ML: detected

Source: 7wOqCnSoTo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100054D0 lstrlenA,ExpandEnvironmentStringsA,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,wsprintfA,lstrlenA,FindNextFileA,FindClose,	1_2_100054D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100050E0 ExpandEnvironmentStringsA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	1_2_100050E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10005660 ExpandEnvironmentStringsA,FindFirstFileA,FindClose,FindClose,	1_2_10005660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10004EE0 ExpandEnvironmentStringsA,LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,	1_2_10004EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10005760 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	1_2_10005760

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DFF0 GetVersionExA,gethostname,GetSystemInfo,SHGetFileInfo,GetLogicalDriveStringsA,lstrlenA,GetDiskFreeSpaceExA,lstrlenA,lstrlenA,strncpy,

1_2_1000DFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49730 -> 106.54.31.97:8810
Source: Network traffic	Suricata IDS: 2048478 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive : 106.54.31.97:8810 -> 192.168.2.4:49730

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 106.54.31.97 8810

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 106.54.31.97:8810

Source: Joe Sandbox View

ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa

Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97
Source: unknown	TCP traffic detected without corresponding DNS query: 106.54.31.97

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_10002870 select,recv,

1_2_10002870

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_100074A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,lstrcatA,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z,

1_2_100074A0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000B1E0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,

1_2_1000B1E0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_100074A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,lstrcatA,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z,

1_2_100074A0

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\svchost.exe

Code function: RegOpenKeyExW,RegQueryValueA,RegCloseKey,lstrlenA,strstr,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle, Applications\iexplore.exe\shell\open\command

1_2_100067B0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.7wOqCnSoTo.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DCC0: lstrlenA,wsprintfA,wsprintfA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,

1_2_1000DCC0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_004029E0 wsprintfA,CreateEventA,StartServiceA,WaitForSingleObject,ControlService,Sleep,DeleteService,CloseHandle,

0_2_004029E0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000F6A0 ExitWindowsEx,

1_2_1000F6A0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041B224	0_2_0041B224
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041CA34	0_2_0041CA34
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041AAF4	0_2_0041AAF4
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_00417C36	0_2_00417C36
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_004174C3	0_2_004174C3
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041C4B4	0_2_0041C4B4
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_00417566	0_2_00417566
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_004175E0	0_2_004175E0
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041A664	0_2_0041A664
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041AF94	0_2_0041AF94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10015C00	1_2_10015C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10017410	1_2_10017410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10013820	1_2_10013820
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10015040	1_2_10015040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10011C90	1_2_10011C90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100154D0	1_2_100154D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10015970	1_2_10015970
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10012612	1_2_10012612
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10016E90	1_2_10016E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100123A4	1_2_100123A4

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Security

Jump to behavior

Source: 5870343.gho.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 7wOqCnSoTo.exe	Binary or memory string: OriginalFilename vs 7wOqCnSoTo.exe
Source: 7wOqCnSoTo.exe, 00000000.00000000.1654707172.0000000000432000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinstall.exe vs 7wOqCnSoTo.exe
Source: 7wOqCnSoTo.exe, 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedmdskmgr.dllX vs 7wOqCnSoTo.exe
Source: 7wOqCnSoTo.exe, 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameinstall.exe vs 7wOqCnSoTo.exe
Source: 7wOqCnSoTo.exe	Binary or memory string: OriginalFilenameinstall.exe vs 7wOqCnSoTo.exe

Source: 7wOqCnSoTo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.7wOqCnSoTo.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_3 date = 2017-07-08, hash1 = 2e5cf8c785dc081e5c2b43a4a785713c0ae032c5f86ccbc7abf5c109b8854ed7, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@2/2@0/1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000F600 GetCurrentProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,

1_2_1000F600

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DFF0 GetVersionExA,gethostname,GetSystemInfo,SHGetFileInfo,GetLogicalDriveStringsA,lstrlenA,GetDiskFreeSpaceExA,lstrlenA,lstrlenA,strncpy,

1_2_1000DFF0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00401030 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,Process32First,_mbscpy,Process32Next,CloseHandle,

0_2_00401030

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_10010500 CoCreateInstance,CoUninitialize,GetLastError,WideCharToMultiByte,lstrlenA,wcslen,WideCharToMultiByte,lstrcpyA,lstrlenA,lstrlenA,SysFreeString,

1_2_10010500

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_004029E0 wsprintfA,CreateEventA,StartServiceA,WaitForSingleObject,ControlService,Sleep,DeleteService,CloseHandle,

0_2_004029E0

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \BaseNamedObjects\Global\b1629435498_8810j

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

File created: C:\Users\user\AppData\Local\Temp\5870343.gho

Jump to behavior

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7wOqCnSoTo.exe

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\7wOqCnSoTo.exe "C:\Users\user\Desktop\7wOqCnSoTo.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntfastuserswitchingcompatibility.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000FEC0 GetTickCount,lstrcmpiA,gethostbyname,gethostbyname,gethostbyname,gethostbyname,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,??2@YAPAXI@Z,lstrcpyA,GetTickCount,??3@YAXPAX@Z,

1_2_1000FEC0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0042084A push ebx; ret	0_2_0042084B
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_00414084 push dword ptr [10019090h]; ret	0_2_00414147
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041E935 push ebp; retf	0_2_0041E978
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0041D4D4 push eax; ret	0_2_0041D502
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_00420598 push cs; iretd	0_2_0042066E
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_0042069A push cs; iretd	0_2_0042066E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1001B076 push cs; iretd	1_2_1001B04A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1001B226 push ebx; ret	1_2_1001B227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1000EA60 push dword ptr [10019090h]; ret	1_2_1000EB23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10017EB0 push eax; ret	1_2_10017EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10019311 push ebp; retf	1_2_10019354
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10019350 push ebp; retf	1_2_10019354
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1001AF74 push cs; iretd	1_2_1001B04A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_1001CB98 push eax; retf	1_2_1001CB99

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\svchost.exe

Code function: lstrlenA,wsprintfA,wsprintfA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

1_2_1000DCC0

Creates a Windows Service pointing to an executable in C:\Windows

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\Parameters ServiceDll C:\Windows\system32\ntfastuserswitchingcompatibility.dll

Jump to behavior

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	File created: C:\Users\user\AppData\Local\Temp\5870343.gho			Jump to dropped file
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	File created: C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

File created: C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)

Jump to dropped file

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

File created: C:\Users\user\AppData\Local\Temp\5870343.gho

Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_100033F0 lstrcatA,lstrcatA,lstrcatA,lstrcatA,ExpandEnvironmentStringsA,SHGetSpecialFolderPathA,wsprintfA,lstrcatA,CloseHandle,lstrcmpiA,GetVersionExA,??2@YAPAXI@Z,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrcmpA,lstrcpyA,lstrcpyA,lstrcpyA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,lstrlenA,??3@YAXPAX@Z,

1_2_100033F0

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\svchost.exe

Code function: lstrlenA,wsprintfA,wsprintfA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

1_2_1000DCC0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility

Jump to behavior

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_004029E0 wsprintfA,CreateEventA,StartServiceA,WaitForSingleObject,ControlService,Sleep,DeleteService,CloseHandle,

0_2_004029E0

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\svchost.exe

File deleted: c:\users\user\desktop\7woqcnsoto.exe

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_10006920 OpenEventLogA,ClearEventLogA,CloseEventLog,

1_2_10006920

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_100089C0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_100089C0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00403200

0_2_00403200

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00401030 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,Process32First,_mbscpy,Process32Next,CloseHandle,

0_2_00401030

Source: C:\Windows\SysWOW64\svchost.exe

Code function: Sleep,GetCursorPos,Sleep,GetCursorInfo,

1_2_1000B860

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,EnumServicesStatusA,malloc,EnumServicesStatusA,??2@YAPAXI@Z,strncpy,free,??3@YAXPAX@Z,CloseServiceHandle,

1_2_1000C760

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetAdaptersInfo,GetProcessHeap,GetProcessHeap,HeapAlloc,GetAdaptersInfo,StrStrIA,StrStrIA,GetProcessHeap,HeapFree,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,

1_2_1000DA00

Source: C:\Windows\SysWOW64\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_1-7011

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5870343.gho

Jump to dropped file

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00403200

0_2_00403200

Source: C:\Windows\SysWOW64\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100054D0 lstrlenA,ExpandEnvironmentStringsA,wsprintfA,wsprintfA,FindFirstFileA,lstrlenA,wsprintfA,wsprintfA,lstrlenA,FindNextFileA,FindClose,	1_2_100054D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_100050E0 ExpandEnvironmentStringsA,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,FindNextFileA,FindClose,	1_2_100050E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10005660 ExpandEnvironmentStringsA,FindFirstFileA,FindClose,FindClose,	1_2_10005660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10004EE0 ExpandEnvironmentStringsA,LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,	1_2_10004EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10005760 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	1_2_10005760

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DFF0 GetVersionExA,gethostname,GetSystemInfo,SHGetFileInfo,GetLogicalDriveStringsA,lstrlenA,GetDiskFreeSpaceExA,lstrlenA,lstrlenA,strncpy,

1_2_1000DFF0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DFF0 GetVersionExA,gethostname,GetSystemInfo,SHGetFileInfo,GetLogicalDriveStringsA,lstrlenA,GetDiskFreeSpaceExA,lstrlenA,lstrlenA,strncpy,

1_2_1000DFF0

Source: 5870343.gho.0.dr	Binary or memory string: VMware
Source: 5870343.gho.0.dr	Binary or memory string: mPsVC.eXE\cmd.exeABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%02XVMwareSCSIDISK\\.\Scsi%d:\\.\PhysicalDrive%dMozilla/4.0 (compatible)~MHzHARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: svchost.exe, 00000001.00000002.2907224890.0000000003026000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000AC00 BlockInput,BlockInput,

1_2_1000AC00

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00401030 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,Process32Next,Process32First,_mbscpy,Process32Next,CloseHandle,

0_2_00401030

Source: C:\Windows\SysWOW64\svchost.exe

1_2_1000FEC0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_004084C4 mov eax, dword ptr fs:[00000030h]		0_2_004084C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10002EA0 mov eax, dword ptr fs:[00000030h]		1_2_10002EA0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_004014C0 LookupAccountNameA,GetLastError,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,LookupAccountNameA,GetFileSecurityA,GetLastError,GetProcessHeap,RtlAllocateHeap,GetFileSecurityA,InitializeSecurityDescriptor,GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetProcessHeap,RtlAllocateHeap,InitializeAcl,GetAce,EqualSid,AddAce,GetModuleHandleA,6C986DE0,AddAccessAllowedAce,GetAce,AddAce,SetSecurityDescriptorDacl,GetModuleHandleA,6C986DE0,GetSecurityDescriptorControl,SetFileSecurityA,

0_2_004014C0

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe	Code function: 0_2_00403200 GetCommandLineA,strstr,strstr,strncpy,_strcmpi,_strcmpi,GetTickCount,Sleep,GetTickCount,SetUnhandledExceptionFilter,??3@YAXPAX@Z,ExitProcess,	0_2_00403200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10008C80 SetUnhandledExceptionFilter,GetModuleFileNameA,lstrcatA,	1_2_10008C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_10008CA0 SetUnhandledExceptionFilter,	1_2_10008CA0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 106.54.31.97 8810

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenProcess,OpenProcessToken, explorer.exe

1_2_1000FC40

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000B010 SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,

1_2_1000B010

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000B010 SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,mouse_event,

1_2_1000B010

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

0_2_004014C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_100078B0 InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree,

1_2_100078B0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_10008D70 GetLocalTime,

1_2_10008D70

Source: C:\Users\user\Desktop\7wOqCnSoTo.exe

Code function: 0_2_00403380 memset,memset,memset,GetSystemDirectoryA,GetSystemDirectoryA,lstrcat,GetUserNameA,MultiByteToWideChar,WideCharToMultiByte,73AE1840,

0_2_00403380

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_1000DFF0 GetVersionExA,gethostname,GetSystemInfo,SHGetFileInfo,GetLogicalDriveStringsA,lstrlenA,GetDiskFreeSpaceExA,lstrlenA,lstrlenA,strncpy,

1_2_1000DFF0

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.405624.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.405624.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7wOqCnSoTo.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5870343.gho, type: DROPPED

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.405624.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.405624.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.7wOqCnSoTo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7wOqCnSoTo.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\5870343.gho, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Service Execution	121 Windows Service	1 Access Token Manipulation	11 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	3 Clipboard Data	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	121 Windows Service	1 Software Packing	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	112 Process Injection	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Masquerading	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
7wOqCnSoTo.exe	97%	ReversingLabs	Win32.Infostealer.Magania
7wOqCnSoTo.exe	100%	Avira	BDS/Agent.188418
7wOqCnSoTo.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\5870343.gho	100%	Avira	BDS/Agent.1.dll
C:\Users\user\AppData\Local\Temp\5870343.gho	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5870343.gho	92%	ReversingLabs	Win32.Trojan.Redosdru
C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)	92%	ReversingLabs	Win32.Trojan.Redosdru

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
106.54.31.97	unknown	China		45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581792
Start date and time:	2024-12-29 00:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7wOqCnSoTo.exe renamed because original name is a hash value
Original Sample Name:	6D24D29F877F3BF814604A1ED5FC24C1.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@2/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 134
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 7wOqCnSoTo.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	118.28.147.172
	db0fa4b8db0333367e9bda3ab68b8042.sh4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	49.235.142.203
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	150.158.255.197
	telnet.arm.elf	Get hash	malicious	Unknown	Browse	106.53.85.48
	telnet.sh4.elf	Get hash	malicious	Unknown	Browse	129.211.52.2
	armv5l.elf	Get hash	malicious	Mirai	Browse	106.52.4.53
	armv5l.elf	Get hash	malicious	Mirai	Browse	120.53.15.208
	splmpsl.elf	Get hash	malicious	Unknown	Browse	81.69.163.83
	nklx86.elf	Get hash	malicious	Unknown	Browse	106.52.120.9
	armv6l.elf	Get hash	malicious	Unknown	Browse	81.69.202.135

Process:	C:\Users\user\Desktop\7wOqCnSoTo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.325314312049634
Encrypted:	false
SSDEEP:	3072:OG9v4j63IWg/1y14FDTZ2WRDiPa3TBft8nIQHtLl:Ogvw7H/8167hiPa3TBl8nIQHtL
MD5:	2B3E2D024B0CF48693A691969CD4F9D4
SHA1:	7D9B8CE28D73BE369427E0E439E1B36146409642
SHA-256:	F7E8543C01FF903035CC393569A24738577165EC5F2294B042A884D9624958A7
SHA-512:	A9D035EBA9B711787A4FDB7240F041D78E00B98AB1FE8BC061B9E029F7BF9413A450A2D67937B4A7EF81FFC1BF31462D4ED0C25EC5BB2315910FFFAAD6FC2931
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: C:\Users\user\AppData\Local\Temp\5870343.gho, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j.j.j...n...l....k...d.j.h....g.j.....J.....k...i.Richj.........PE..L...0..I...........!.........................................................p..........................................F............@.......................P..(....................................................................................text....w.......................... ..`.rdata...P.......`..................@..@.data....C.......0..................@....rsrc........@....... ..............@..@.reloc.......P... ...0..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)

Download File

Process:	C:\Users\user\Desktop\7wOqCnSoTo.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.325314312049634
Encrypted:	false
SSDEEP:	3072:OG9v4j63IWg/1y14FDTZ2WRDiPa3TBft8nIQHtLl:Ogvw7H/8167hiPa3TBl8nIQHtL
MD5:	2B3E2D024B0CF48693A691969CD4F9D4
SHA1:	7D9B8CE28D73BE369427E0E439E1B36146409642
SHA-256:	F7E8543C01FF903035CC393569A24738577165EC5F2294B042A884D9624958A7
SHA-512:	A9D035EBA9B711787A4FDB7240F041D78E00B98AB1FE8BC061B9E029F7BF9413A450A2D67937B4A7EF81FFC1BF31462D4ED0C25EC5BB2315910FFFAAD6FC2931
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........j.j.j...n...l....k...d.j.h....g.j.....J.....k...i.Richj.........PE..L...0..I...........!.........................................................p..........................................F............@.......................P..(....................................................................................text....w.......................... ..`.rdata...P.......`..................@..@.data....C.......0..................@....rsrc........@....... ..............@..@.reloc.......P... ...0..............@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.877406940387711
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	7wOqCnSoTo.exe
File size:	85'504 bytes
MD5:	6d24d29f877f3bf814604a1ed5fc24c1
SHA1:	b1523779085cfeb469fc5509ebb4fef9c4484fad
SHA256:	382a60ba2c82182eb8c93295c280f42301882a4e3ad07b2c139a6dca4ba8d9de
SHA512:	17f9f83e0eb27404d619689ba06e2de618d7f523de9ce8fd6b50222cd320f1600e20a2aa951af62c0b6016cef7d3687231d95f096f1b0fb347387dd043c3920a
SSDEEP:	1536:5kPr46xvd+5X5Ek6OZ3RJ01m5HswdxAULtFyX3wXnSZso4+Tp:iPsKviXSr4S3wdx5IXAXnEVJV
TLSH:	9483028E6F881D90ECF786F31A11C907194BBC9E5D5A5B1C4942C6FAA03D6D0DA8DC3B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.$...JO..JO..JOs.FO..JO...O..JO..DO..JO..@O..JO..NO..JO..KOr.JO..AO..JO..LO..JORich..JO........PE..L......I.................P.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x430ea0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x49FDDCE7 [Sun May 3 18:05:27 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4a808dc3f3a9b0712288dfa8c7e7e8a4

Entrypoint Preview

Instruction
pushad
mov esi, 0041D000h
lea edi, dword ptr [esi-0001C000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F87947E6F62h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F87947E6F59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F87947E6F3Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F87947E6F59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F87947E6F41h
jne 00007F87947E6F5Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F87947E6F36h
xor ecx, ecx
sub eax, 03h
jc 00007F87947E6F5Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F87947E6FC6h
mov ebp, eax
add ebx, ebx
jne 00007F87947E6F59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F87947E6F59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F87947E6F72h
inc ecx
add ebx, ebx
jne 00007F87947E6F59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F87947E6F41h
jne 00007F87947E6F5Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F87947E6F36h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F87947E6F61h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F87947E6F49h
jmp 00007F87947E6EB8h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32464	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x464	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x1c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x1d000	0x15000	0x14200	5a5bd3dfe165710b852ccf65e9592a9e	False	0.9849936917701864	data	7.937103188251331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x32000	0x1000	0x800	bffc66c7c6f48c5a708bb5987385e952	False	0.33935546875	data	3.0521833549731534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3205c	0x408	data	Chinese	China	0.42344961240310075

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
MSVCRT.dll	exit
NETAPI32.dll	NetApiBufferFree
SHLWAPI.dll	SHDeleteKeyA
USER32.dll	wsprintfA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T00:26:59.334023+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.4	49730	106.54.31.97	8810	TCP
2024-12-29T00:26:59.453550+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.4	49730	106.54.31.97	8810	TCP
2024-12-29T00:27:46.643910+0100	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	1	106.54.31.97	8810	192.168.2.4	49730	TCP
2024-12-29T00:28:46.675861+0100	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	1	106.54.31.97	8810	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 00:26:59.210715055 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:26:59.330315113 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:26:59.330382109 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:26:59.334022999 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:26:59.453475952 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:26:59.453550100 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:26:59.573069096 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:27:00.920974970 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:27:00.967078924 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:27:40.935944080 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:27:41.055766106 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:27:46.643909931 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:27:46.644942999 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:27:46.764430046 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:28:26.779853106 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:28:26.899362087 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:28:46.675860882 CET	8810	49730	106.54.31.97	192.168.2.4
Dec 29, 2024 00:28:46.676760912 CET	49730	8810	192.168.2.4	106.54.31.97
Dec 29, 2024 00:28:46.796269894 CET	8810	49730	106.54.31.97	192.168.2.4

Target ID:	0
Start time:	18:26:53
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\7wOqCnSoTo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7wOqCnSoTo.exe"
Imagebase:	0x400000
File size:	85'504 bytes
MD5 hash:	6D24D29F877F3BF814604A1ED5FC24C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:26:56
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
Imagebase:	0x900000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.8%
Total number of Nodes:	248
Total number of Limit Nodes:	4

Executed Functions

Function 004014C0 Relevance: 63.4, APIs: 32, Strings: 4, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00401573
GetLastError.KERNEL32 ref: 00401587

Strings

AddAccessAllowedAceEx, xrefs: 004017F1
SetSecurityDescriptorControl, xrefs: 004018CB
advapi32.dll, xrefs: 004018D0
advapi32.dll, xrefs: 004017F6

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: AccountErrorLastLookupName
String ID: AddAccessAllowedAceEx$SetSecurityDescriptorControl$advapi32.dll$advapi32.dll
API String ID: 2602008735-3887939555
Opcode ID: cc6a82b71d85b1d409067cdcdb8ee318592978e0516a6faa3fde6a360ba559a5
Instruction ID: 076de8306ef7af5f0a633401674b58b8b408aadb3a17e32da0ccc6597a029df5
Opcode Fuzzy Hash: cc6a82b71d85b1d409067cdcdb8ee318592978e0516a6faa3fde6a360ba559a5
Instruction Fuzzy Hash: 6DF110B1900208DBDB14DFE4DD99BEEB7B8BF48304F24812AE609B7290D7785945CF59

Function 00403200 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 95
stringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403120: memcpy.MSVCRT(00000000,00405024,000005F8), ref: 004031E8

GetCommandLineA.KERNEL32(0042CCE0), ref: 00403245
strstr.MSVCRT ref: 0040324C
strstr.MSVCRT ref: 0040326D
strncpy.MSVCRT ref: 0040328C
_strcmpi.MSVCRT ref: 004032B5
_strcmpi.MSVCRT ref: 004032CD
GetTickCount.KERNEL32 ref: 004032E0
Sleep.KERNELBASE(000007D0), ref: 004032EE
GetTickCount.KERNEL32 ref: 004032F4
SetUnhandledExceptionFilter.KERNEL32(Function_00002230), ref: 00403302
??3@YAXPAX@Z.MSVCRT(?), ref: 0040335A
ExitProcess.KERNEL32 ref: 00403364

Strings

$$6688ISBADMAN$, xrefs: 00403234
explorer.exe, xrefs: 004032A9
cmd.exe, xrefs: 004032C1

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: CountTick_strcmpistrstr$??3@CommandExceptionExitFilterLineProcessSleepUnhandledmemcpystrncpy
String ID: $$6688ISBADMAN$$cmd.exe$explorer.exe
API String ID: 2769590137-224212852
Opcode ID: cd1634280e2cd7212fa6984c215baabca4aadbc0538dbbd0c780d32f7bf28efc
Instruction ID: 2e9bab66063231f6918f95a01212747edec3bbe87a0dfe11de26421c20e8538e
Opcode Fuzzy Hash: cd1634280e2cd7212fa6984c215baabca4aadbc0538dbbd0c780d32f7bf28efc
Instruction Fuzzy Hash: BC31C6B1E00208ABDB14DFA1DC4A7DE7F78AB54306F1084BAE605B22D1D7B94784CB99

Function 00403380 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 134
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004033B9
memset.MSVCRT ref: 004033CF
memset.MSVCRT ref: 004033E5
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004033F9
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040340B
lstrcat.KERNEL32(?,\Drivers), ref: 0040341D
GetUserNameA.ADVAPI32(?,00000032), ref: 0040342E

Part of subcall function 004014C0: LookupAccountNameA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 00401573

Part of subcall function 004014C0: GetLastError.KERNEL32 ref: 00401587

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000064), ref: 00403480
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,000000FF,?,00000064,00000000,00000000,00000000,?,00000000,00000001,00000000,000000FF,00000000,00000000), ref: 0040352B
73AE1840.NETAPI32(00000000,00000000,?,00000000,00000001,00000000,000000FF,00000000,00000000), ref: 0040358B

Strings

\Drivers, xrefs: 00403411
2, xrefs: 00403389

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: memset$ByteCharDirectoryMultiNameSystemWide$AccountE1840ErrorLastLookupUserlstrcat
String ID: 2$\Drivers
API String ID: 2399967737-3839437488
Opcode ID: 5db39ebd6230b7af80bf8d8886d1dc7878dfabdd8f36a329ef22c0f0727cf006
Instruction ID: f575d00626f86a6b21e49569673d624e215cab84f2c844c3a1626ffb6a2c4219
Opcode Fuzzy Hash: 5db39ebd6230b7af80bf8d8886d1dc7878dfabdd8f36a329ef22c0f0727cf006
Instruction Fuzzy Hash: 515140B5910218ABEB25DB50DC45FD9777CAB54704F0082EAF209761D0EBB45BC8CF95

Function 004029E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85
servicesleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401140: GetTickCount.KERNEL32 ref: 00401146
Part of subcall function 00401140: srand.MSVCRT ref: 0040114D
Part of subcall function 00401140: rand.MSVCRT ref: 0040116F
Part of subcall function 00401140: _ftol.MSVCRT ref: 00401186

wsprintfA.USER32 ref: 00402A47
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00402A5A
StartServiceA.ADVAPI32(?,00000002,00000000), ref: 00402A6D
WaitForSingleObject.KERNEL32(?,00003A98), ref: 00402A80
ControlService.ADVAPI32(?,00000001,?), ref: 00402AAD
Sleep.KERNEL32(000007D0), ref: 00402ABE
DeleteService.ADVAPI32(?), ref: 00402AC8
CloseHandle.KERNELBASE(?), ref: 00402AD2

Strings

Global\ki%sll, xrefs: 00402A3E

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: Service$CloseControlCountCreateDeleteEventHandleObjectSingleSleepStartTickWait_ftolrandsrandwsprintf
String ID: Global\ki%sll
API String ID: 4207212367-1724092387
Opcode ID: 679f5aa09ab1969dd45b467d0bf9666bc5b6ac5c884b4d8066725dfab2ec8a5a
Instruction ID: 2970cc82f404072c9a9b0ad3b2537efcd5f12b7c37007ba901835ef4e6fd4cd9
Opcode Fuzzy Hash: 679f5aa09ab1969dd45b467d0bf9666bc5b6ac5c884b4d8066725dfab2ec8a5a
Instruction Fuzzy Hash: 70316171A00208ABDB14CFE4DD49BDDBBB9AF88704F104169F605BA2C0DBB99684CF64

Function 00401030 Relevance: 12.1, APIs: 8, Instructions: 80
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401078
Process32First.KERNEL32(000000FF,00000128), ref: 00401098
GetCurrentProcessId.KERNEL32(00000002,00000000), ref: 004010A1
Process32First.KERNEL32(000000FF,00000128), ref: 004010DC
_mbscpy.MSVCRT(?,?,000000FF,00000128,00000002,00000000), ref: 004010FE
CloseHandle.KERNELBASE(000000FF,000000FF,00000128,00000002,00000000), ref: 00401120

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: FirstProcess32$CloseCreateCurrentHandleProcessSnapshotToolhelp32_mbscpy
String ID:
API String ID: 3641878678-0
Opcode ID: 4ce8d3a8b498914af595202a1d5f0738dd76d4113471882353b6a26ea002dec1
Instruction ID: a9ccb5ae2c699945df0fb846d34caee584bc31ba2eedd66cbf1c58ac121fb588
Opcode Fuzzy Hash: 4ce8d3a8b498914af595202a1d5f0738dd76d4113471882353b6a26ea002dec1
Instruction Fuzzy Hash: AA314FB5914218ABDB14DFB1CD50BDEB7B8AB48304F1081AAE644B72D0D778DF90CB99

Function 00402AE0 Relevance: 80.9, APIs: 34, Strings: 12, Instructions: 402
stringregistryserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,0042C93C,00000000,00000001,80000002), ref: 00402B53
_CxxThrowException.MSVCRT(0042CBA8,004042D0), ref: 00402B78
RegQueryValueExA.KERNELBASE(80000002,netsvcs,00000000,?,?,00000400), ref: 00402BA7
RegCloseKey.KERNELBASE(80000002), ref: 00402BB4
_CxxThrowException.MSVCRT(0042CBC0,004042D0), ref: 00402BD6
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00402BE4
_CxxThrowException.MSVCRT(0042CBE4,004042D0), ref: 00402C0F
_mbscpy.MSVCRT(00000000,?), ref: 00402C5B
strcmp.MSVCRT ref: 00402C7A
OpenEventA.KERNEL32(00000001,00000000,00000000), ref: 00402CBD
GetServiceKeyNameA.ADVAPI32(00000000,00000000,00000000,00000050), ref: 00402CF4
lstrcat.KERNEL32(00000000,0042CC30), ref: 00402D0A
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402D28
lstrlen.KERNEL32(?), ref: 00402D6B
_strcmpi.MSVCRT ref: 00402DB1
_strcmpi.MSVCRT ref: 00402DC9
_strcmpi.MSVCRT ref: 00402DE3
_strcmpi.MSVCRT ref: 00402DFB
_strlwr.MSVCRT ref: 00402E13
wsprintfA.USER32 ref: 00402E28
SHDeleteKeyA.SHLWAPI(80000002,00000000), ref: 00402E7F
wsprintfA.USER32 ref: 00402E9F
GetLongPathNameW.KERNELBASE(?), ref: 00402EBE
lstrcpy.KERNEL32(00000000,?), ref: 00402EDC
lstrlen.KERNEL32(?), ref: 00402F8A
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00402F94
lstrcpy.KERNEL32(00000000,?), ref: 00402FC2

Part of subcall function 00401000: GetFileAttributesA.KERNELBASE(?), ref: 00401007
Part of subcall function 00401000: GetLongPathNameW.KERNELBASE(?,00000080), ref: 0040101D
Part of subcall function 00401000: GetLongPathNameW.KERNELBASE(?), ref: 00401027

CloseServiceHandle.ADVAPI32(00000000), ref: 00402FE3
GetLongPathNameW.KERNELBASE(00000000), ref: 00402F0C

Part of subcall function 00402750: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00402762
Part of subcall function 00402750: wsprintfA.USER32 ref: 004027B6
Part of subcall function 00402750: lstrlen.KERNEL32(?,00000000), ref: 004027C5
Part of subcall function 00402750: lstrlen.KERNEL32(00000000,00000001), ref: 00402801
Part of subcall function 00402750: memset.MSVCRT ref: 00402835
Part of subcall function 00402750: GetModuleHandleA.KERNEL32(00000000), ref: 00402848
Part of subcall function 00402750: GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 00402866
Part of subcall function 00402750: lstrlen.KERNEL32(?,00000000), ref: 00402875

lstrcat.KERNEL32(?,0042CCB4), ref: 00403029
_CxxThrowException.MSVCRT(0042CCC4,004042D0), ref: 00403089
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 004030DE
CloseServiceHandle.ADVAPI32(00000000), ref: 004030E8

Strings

ImagePath, xrefs: 00402E40
SYSTEM\CurrentControlSet\Services\%s, xrefs: 00402E1C
.del, xrefs: 00402EE2
iprip, xrefs: 00402DA5
FreeTest, xrefs: 00402F23
netsvcs, xrefs: 00402B9E
FreeTest, xrefs: 00403038
nwsaPAgEnT, xrefs: 00402DBD
P, xrefs: 00402D10
%s\nt%s.dll, xrefs: 00402E93
serviceone, xrefs: 00402DD7
servicetwo, xrefs: 00402DEF

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: Name$lstrlen$ExceptionLongOpenPathServiceThrow_strcmpi$CloseHandlewsprintf$FileManagerModulelstrcatlstrcpy$??2@AttributesDeleteDirectoryEventQueryStartSystemValue_mbscpy_strlwrmemsetstrcmp
String ID: %s\nt%s.dll$.del$FreeTest$FreeTest$ImagePath$P$SYSTEM\CurrentControlSet\Services\%s$iprip$netsvcs$nwsaPAgEnT$serviceone$servicetwo
API String ID: 927526690-4998997
Opcode ID: 4fb0da0dedd743de8e2b79d248ab9152761e1f986ac8c5739229fa581b35c483
Instruction ID: 674a0566996d68c6dc6e287dceae6e4c51b35c85be8b73b54e55a526d572bb31
Opcode Fuzzy Hash: 4fb0da0dedd743de8e2b79d248ab9152761e1f986ac8c5739229fa581b35c483
Instruction Fuzzy Hash: 09F1A9B1A002189BDB24DF60DD89BEEB774BF48304F1445AAE209B72C1D7799B84CF95

Function 00401AC0 Relevance: 70.4, APIs: 28, Strings: 12, Instructions: 355
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401B02
memset.MSVCRT ref: 00401B18
memset.MSVCRT ref: 00401B2E
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?), ref: 00401B53

Strings

%-24s %-15s 0x%x(%d) , xrefs: 00401F3F
%-24s %-15s %s , xrefs: 00401F0E
, xrefs: 00401E3A
REG_BINARY, xrefs: 00401F79
%-24s %-15s , xrefs: 00401F62
REG_EXPAND_SZ, xrefs: 00401F02
REG_MULTI_SZ, xrefs: 00401F56
REG_DWORD, xrefs: 00401F33
[%s], xrefs: 00401DB5
REG_SZ, xrefs: 00401ED5
%-24s %-15s , xrefs: 00401F85
%-24s %-15s %s , xrefs: 00401EE1

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: memset$Open
String ID: $%-24s %-15s $%-24s %-15s $%-24s %-15s %s $%-24s %-15s %s $%-24s %-15s 0x%x(%d) $REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 276825008-2210255179
Opcode ID: 17364aeff8d203769f0d60bd68f37ffd1806145618a3f86fdc1d56489f699548
Instruction ID: 6c50e8a978043c007ce4dc66064e9769bbad23c3acbcf1292ba5f9e3b7766167
Opcode Fuzzy Hash: 17364aeff8d203769f0d60bd68f37ffd1806145618a3f86fdc1d56489f699548
Instruction Fuzzy Hash: 28E188B1900218DFDB14DF90DC85FDE7778AB48705F1041AAF609B62D0D7799A84CFA9

Function 00402750 Relevance: 36.9, APIs: 12, Strings: 9, Instructions: 146
stringserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00402762
wsprintfA.USER32 ref: 004027B6
lstrlen.KERNEL32(?,00000000), ref: 004027C5
lstrlen.KERNEL32(00000000,00000001), ref: 00402801

Part of subcall function 00402050: RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004020B8

memset.MSVCRT ref: 00402835
GetModuleHandleA.KERNEL32(00000000), ref: 00402848
GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 00402866
lstrlen.KERNEL32(?,00000000), ref: 00402875
lstrcat.KERNEL32(?,\Parameters), ref: 004028AA
lstrlen.KERNEL32(?,00000000), ref: 004028B6
DeleteService.ADVAPI32(00000000), ref: 00402914
CloseServiceHandle.ADVAPI32(?), ref: 00402925

Strings

\Parameters, xrefs: 0040289E
Description, xrefs: 004027D2
FreeTest, xrefs: 004028E0
%SystemRoot%\System32\svchost.exe -k netsvcs, xrefs: 00402775
ServiceDll, xrefs: 004028C3
SYSTEM\CurrentControlSet\Services\%s, xrefs: 004027AA
UpdateCrc, xrefs: 0040280E
ServiceMain, xrefs: 004028E7
Module, xrefs: 00402885

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: lstrlen$HandleModuleService$CloseCreateDeleteFileManagerNameOpenlstrcatmemsetwsprintf
String ID: %SystemRoot%\System32\svchost.exe -k netsvcs$Description$FreeTest$Module$SYSTEM\CurrentControlSet\Services\%s$ServiceDll$ServiceMain$UpdateCrc$\Parameters
API String ID: 2211222406-3909586527
Opcode ID: ce6972748af2c27ef903e32cc9546a47f1bb5d2e9d32062e96d2da1f3728a7d5
Instruction ID: 9d57d29eb484b56534a9072897a0b05d8e268929d94608a2c9c9324aa2b45ef6
Opcode Fuzzy Hash: ce6972748af2c27ef903e32cc9546a47f1bb5d2e9d32062e96d2da1f3728a7d5
Instruction Fuzzy Hash: CE5194B5640214BBEB10EF90ED8AFEF7778AB48705F108159BB08B61C1D6F4AA44CF64

Function 00402320 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 145
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402250: memset.MSVCRT ref: 0040225E
Part of subcall function 00402250: GetTempPathA.KERNEL32(?,?), ref: 0040226E
Part of subcall function 00402250: GetWindowsDirectoryA.KERNEL32(?,?), ref: 00402285
Part of subcall function 00402250: lstrcat.KERNEL32(?,\temp), ref: 00402294
Part of subcall function 00402250: lstrcpy.KERNEL32(?,c:\temp), ref: 004022B8
Part of subcall function 00402250: SetEnvironmentVariableA.KERNEL32(TMP,?), ref: 004022C7
Part of subcall function 00402250: SetEnvironmentVariableA.KERNEL32(TEMP,?), ref: 004022D6
Part of subcall function 00402250: lstrlen.KERNEL32(?), ref: 004022E0
Part of subcall function 00402250: CreateDirectoryA.KERNEL32(?,00000000), ref: 00402304

GetTickCount.KERNEL32 ref: 00402367
wsprintfA.USER32 ref: 00402381
CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 004023A3
WriteFile.KERNELBASE(00000000,?,00025000,?,00000000), ref: 004023F6
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00402409
WriteFile.KERNELBASE(00000000,MZPE,00000002,?,00000000), ref: 00402428
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 00402443
WriteFile.KERNELBASE(00000000,00004550,00000004,?,00000000), ref: 00402462
memset.MSVCRT ref: 00402473
SystemTimeToFileTime.KERNEL32(000007D5,?), ref: 004024B6
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004024CA
SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 004024E7
CloseHandle.KERNELBASE(00000000), ref: 004024F4
wsprintfA.USER32 ref: 00402514

Strings

MZPE, xrefs: 0040241A, 00402420
PE, xrefs: 004023C9
%s\%d.gho, xrefs: 00402375
$P@, xrefs: 0040232A, 004023DC

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: File$Time$Write$CreateDirectoryEnvironmentPointerVariablememsetwsprintf$CloseCountHandleLocalPathSystemTempTickWindowslstrcatlstrcpylstrlen
String ID: $P@$%s\%d.gho$MZPE$PE
API String ID: 2394119838-1104145768
Opcode ID: fc37065f8eccaf37d3e00629aa2bc90ebb02c75271ef1b62d4df92442ff0c6c5
Instruction ID: 94a51981fe450f5382987a27d357c8853ed9de673eeba55365cf68bdcc9a3c6e
Opcode Fuzzy Hash: fc37065f8eccaf37d3e00629aa2bc90ebb02c75271ef1b62d4df92442ff0c6c5
Instruction Fuzzy Hash: 315157B1950218ABDB24DB94DD89FDA737CAF98704F0045E8F309B6190D7B4AB84CF69

Function 00402250 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 65
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040225E
GetTempPathA.KERNEL32(?,?), ref: 0040226E
GetWindowsDirectoryA.KERNEL32(?,?), ref: 00402285
lstrcpy.KERNEL32(?,c:\temp), ref: 004022B8
SetEnvironmentVariableA.KERNEL32(TMP,?), ref: 004022C7
SetEnvironmentVariableA.KERNEL32(TEMP,?), ref: 004022D6
lstrlen.KERNEL32(?), ref: 004022E0
lstrcat.KERNEL32(?,\temp), ref: 00402294

Part of subcall function 004014A0: GetFileAttributesA.KERNELBASE(?), ref: 004014A7

CreateDirectoryA.KERNEL32(?,00000000), ref: 00402304

Strings

c:\temp, xrefs: 004022AF
\temp, xrefs: 0040228B
TMP, xrefs: 004022C2
TEMP, xrefs: 004022D1

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: DirectoryEnvironmentVariable$AttributesCreateFilePathTempWindowslstrcatlstrcpylstrlenmemset
String ID: TEMP$TMP$\temp$c:\temp
API String ID: 2583438259-3585525604
Opcode ID: fce1a2f41ae422038ebdd6f27db0731927d7d5ca22a10f8d4343d0bb6251c5d2
Instruction ID: b8f5a7428a511615b8bb1fa7dc739d198ef9a72a09c88c97c6bda81338f97b68
Opcode Fuzzy Hash: fce1a2f41ae422038ebdd6f27db0731927d7d5ca22a10f8d4343d0bb6251c5d2
Instruction Fuzzy Hash: A021F4B9600108FBDB10DFE0DD49E6E3769AB48315F10C129FF19A7250D679DA00CB58

Function 0040362E Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 0040365B
__p__fmode.MSVCRT ref: 00403670
__p__commode.MSVCRT ref: 0040367E
__setusermatherr.MSVCRT ref: 004036AA
_initterm.MSVCRT ref: 004036C0
__getmainargs.MSVCRT ref: 004036E3
_initterm.MSVCRT ref: 004036F3
GetStartupInfoA.KERNEL32(?), ref: 00403732
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403756
exit.MSVCRT ref: 00403766
_XcptFilter.MSVCRT ref: 00403778

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: a2492541970acebd283c93dc5a517e7eb089c5ed44448fba80b425a8176df71a
Instruction ID: fcfb5bf2ea6f01a0be7cc3ba79ed6d77ca76a329c3d2625f01d356aaba10ae2c
Opcode Fuzzy Hash: a2492541970acebd283c93dc5a517e7eb089c5ed44448fba80b425a8176df71a
Instruction Fuzzy Hash: 8F418CF1900308AFDB209FA4D989AAABFBCEB49715F20413BE551B72D1D77849418B58

Function 00402050 Relevance: 7.6, APIs: 5, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004020B8
RegOpenKeyExA.KERNELBASE(?,?,00000000,0002001F,?), ref: 004020DA

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 405f96a4812c958386ef17f0c3a0afc3d9bc1a640aff08f0532b9e1367c8f42c
Instruction ID: 3fd1d2d84d95bd56aa30ec61edb30b59fd6064bd9fd2f81bd1a90e7b4aa6c627
Opcode Fuzzy Hash: 405f96a4812c958386ef17f0c3a0afc3d9bc1a640aff08f0532b9e1367c8f42c
Instruction Fuzzy Hash: 445122B1604209EBDB14CF95DE49FEF77B8AB48700F10812AFB15BA2C0D6B9D941CB65

Function 00401000 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00401007
GetLongPathNameW.KERNELBASE(?,00000080), ref: 0040101D
GetLongPathNameW.KERNELBASE(?), ref: 00401027

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: LongNamePath$AttributesFile
String ID:
API String ID: 1814499483-0
Opcode ID: 21ba31ed52733d6f16092632b1c5c96dd07394d370fc4ba64aa12589fb1a4319
Instruction ID: 0be0b6235f415d18b0e6e3e736b6cebc019057e1070da197e4baf51e0a45ff4f
Opcode Fuzzy Hash: 21ba31ed52733d6f16092632b1c5c96dd07394d370fc4ba64aa12589fb1a4319
Instruction Fuzzy Hash: 40D09B76110308ABD7105FF4ED59A96376CFB88741F008414FB49AA250CB39D950C794

Function 004014A0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 004014A7

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2a350e55d268c932b9d3f7566af4e62a81c32ba548859f8b864fc8996fa11ed6
Instruction ID: 66c1970a0777b88fc23dc7440c8c19aeee50d0697e0565a15dcac8752b27fbec
Opcode Fuzzy Hash: 2a350e55d268c932b9d3f7566af4e62a81c32ba548859f8b864fc8996fa11ed6
Instruction Fuzzy Hash: E9C02B7A01030807CA000BF8B84A4CD33CC1A085303100310B33DD31C0D530E8804B50

Non-executed Functions

Function 0041AAF4 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

@, xrefs: 0041AEDF

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 48eff2a7801c53515d0a3e191879c88aee7849a14c06626edc83123803753199
Instruction ID: 2ed792b81175d364ea3d2df66666944705673a8372468837a6b6af7f0a6b2840
Opcode Fuzzy Hash: 48eff2a7801c53515d0a3e191879c88aee7849a14c06626edc83123803753199
Instruction Fuzzy Hash: BDE17A356093418FC724CF28D0806ABB7E2EFD9300F64492EE58597350E779E996CB8B

Function 00417566 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00417566

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6151ed039b13ec5a092c60174a63d83eb824881f28bb0baf8c7ea8173abdbf34
Instruction ID: 2cec9ff0455e5e09dcb903c4f689176cb4da3315b3085f84d65c67a0d29575ad
Opcode Fuzzy Hash: 6151ed039b13ec5a092c60174a63d83eb824881f28bb0baf8c7ea8173abdbf34
Instruction Fuzzy Hash: 8CD172716087018FDB18CF19C4906ABBBF2BFD4300F24895EE8958B35AE735D985CB85

Function 00417C36 Relevance: .9, Instructions: 859COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2289b0b616234bb7f5d57d8648c5bccaedf71cb136f782451cad4865faa728e3
Instruction ID: 8942ec533f094851de5ded5c6eed825994fd0d70762897ac41297206fc4a9195
Opcode Fuzzy Hash: 2289b0b616234bb7f5d57d8648c5bccaedf71cb136f782451cad4865faa728e3
Instruction Fuzzy Hash: C97295716087058FC718DF18D8D06AAB7E2FFD8300F14856EE8468B749EB75D986CB85

Function 004174C3 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4af7cf9041fae671b7d0662e01221e1465887a3480ef74cfdcc2e4ab53c6f5
Instruction ID: b1b5cbdf4bcefeddfa05960451646b424c94951b1a88955fe90a3786e7460809
Opcode Fuzzy Hash: 0d4af7cf9041fae671b7d0662e01221e1465887a3480ef74cfdcc2e4ab53c6f5
Instruction Fuzzy Hash: 670250B06087018BDB18CF19C4907ABBBF2BFD4704F24895EE8958B35AD735D986CB85

Function 0041A664 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194a49a91c8205d420f13bab9228849bae6ccef58ec52bd7d47a7834336057be
Instruction ID: 880940c3acb03957402dbcee554ab1579a8dbe1bdb745e8a78dfd4967e3048d7
Opcode Fuzzy Hash: 194a49a91c8205d420f13bab9228849bae6ccef58ec52bd7d47a7834336057be
Instruction Fuzzy Hash: 96E1AF712093858FC708CF2CC5902BABBE1EF89344F14496EE8D6C7342D679D886CB46

Function 0041C4B4 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction ID: 3546388baf4d738c4ee354cd76c99f5dac38d30439d75c6569f6b2566e224980
Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction Fuzzy Hash: E7F1AFB65092408FC309CF18D8D89E27BE6EF98714B1F42FEC4599B362D3369981CB95

Function 004175E0 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f583a24cc478989d019d9d8e28ea1d33f6d075c3718b550e8542b508461e97
Instruction ID: 235f5e9e0107205455806777cd41e1b92e7e89e3f810776f1488046386f3294b
Opcode Fuzzy Hash: 19f583a24cc478989d019d9d8e28ea1d33f6d075c3718b550e8542b508461e97
Instruction Fuzzy Hash: 51C14FB46087018FDB19CF19C49066BBBF2BFD4300F248A5EE8958B35AD735D986CB85

Function 0041CA34 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c922dc9f2665d1cafd52cdd6fea141166ce3da96321cc231385448c61bb97d75
Instruction ID: b691796711810a969101aba059d6cfc6ab6d25c5266c34fea731358c89a9ce23
Opcode Fuzzy Hash: c922dc9f2665d1cafd52cdd6fea141166ce3da96321cc231385448c61bb97d75
Instruction Fuzzy Hash: 56D17A756092518FC719CF18E8D88E27BE5BF98700F1E82F9C9498B323D3719985CB95

Function 0041AF94 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction ID: 8b408f4455f2fb6bdca5e06c3a71612ca4c5eaf5af12e485f48619e34ef57073
Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction Fuzzy Hash: CE71723374598207EB2DCE3E8C602FBABD34FCA21432EC87E94DAC7702EC6994165244

Function 0041B224 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec999dbffa1d3a980eb9605c937a7d846e2cf271484d46126a47b5c2c8cf571
Instruction ID: e98de5b9b3aa840a6f3c0607bc6ad08d2c5c6e26e58c0d323b0fc222808aef3d
Opcode Fuzzy Hash: 2ec999dbffa1d3a980eb9605c937a7d846e2cf271484d46126a47b5c2c8cf571
Instruction Fuzzy Hash: 59818D32B141A25BEB19CF29DCD056BB7E3EBCE300B59C93DD64687356CA31E8558780

Function 004084C4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d89c483f63984bc4f1102d27eb1679f1d1d73486744a7394c1e736eebe3e6bf
Instruction ID: 0287f48c194fe8d0e21a929703fe5077dfdc92ba41e51f0fc01da0142d11f788
Opcode Fuzzy Hash: 9d89c483f63984bc4f1102d27eb1679f1d1d73486744a7394c1e736eebe3e6bf
Instruction Fuzzy Hash: 89B002375A18818FD657D748C99172473B4F745745F8404705066C7951D51CA5129504

Function 00402550 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 138stringregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,netsvcs,00000000,?,?,00000800), ref: 004025B8
lstrcmpiA.KERNEL32(?,00000000), ref: 00402642
lstrlen.KERNEL32(00000000), ref: 0040267F
lstrlen.KERNEL32(00000000), ref: 00402694
memcpy.MSVCRT(?,00000000,-00000002), ref: 004026B0
lstrlen.KERNEL32(00000000), ref: 004026BF
lstrlen.KERNEL32(00000000), ref: 0040270B
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00402715

Strings

netsvcs, xrefs: 004026D8
netsvcs, xrefs: 004025AF

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: lstrlen$??2@QueryValuelstrcmpimemcpy
String ID: netsvcs$netsvcs
API String ID: 2413807454-3773080176
Opcode ID: 877a627bced424f4f177a5ab64e79a16a4d94a9c32c52e0cae7439a93ca4eadf
Instruction ID: 5657caa8df0d0ef2eafe2f6a1cff9cfa6c6526f171cfd7fb6fdb54ab2a13cb8b
Opcode Fuzzy Hash: 877a627bced424f4f177a5ab64e79a16a4d94a9c32c52e0cae7439a93ca4eadf
Instruction Fuzzy Hash: 945164B1900218EBDB10DBA0DD49BEE77B8BF48304F10C4A9E649B6280DB799B45CFD5

Function 00402940 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000017C), ref: 00402951
memset.MSVCRT ref: 0040296C
memcpy.MSVCRT(?,106.54.31.97,00000118), ref: 00402982
_mbscpy.MSVCRT(?,0042D50E), ref: 00402999

Part of subcall function 00401230: _itoa.MSVCRT ref: 004012B2
Part of subcall function 00401230: strlen.MSVCRT ref: 004012D0
Part of subcall function 00401230: toupper.MSVCRT ref: 004012E6
Part of subcall function 00401230: _mbscpy.MSVCRT(00000000,00000000), ref: 004012FF

wsprintfA.USER32 ref: 004029BD
??3@YAXPAX@Z.MSVCRT(?), ref: 004029D0

Strings

Global\ki%Xll, xrefs: 004029B4
106.54.31.97, xrefs: 00402979

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: _mbscpy$??2@??3@_itoamemcpymemsetstrlentoupperwsprintf
String ID: 106.54.31.97$Global\ki%Xll
API String ID: 3314415999-1802195691
Opcode ID: 044a8ebc6a1435026d7557cc3ff9835352ac8c3f8ed84dbc7a9a5a094a661e06
Instruction ID: 2ffdd702b9794b3ef2090fa4539c7e172b44f3e7ab2a06d04f0ebb255b6603b4
Opcode Fuzzy Hash: 044a8ebc6a1435026d7557cc3ff9835352ac8c3f8ed84dbc7a9a5a094a661e06
Instruction Fuzzy Hash: 221161F5E00208BBDB04EFE4DC42E9E7B78AB54705F1044A9F90477381E639AB108B99

Function 004019F0 Relevance: 10.0, APIs: 8, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,004019EE), ref: 004019FC
HeapFree.KERNEL32(00000000), ref: 00401A03
GetProcessHeap.KERNEL32(00000000,00000000,004019EE), ref: 00401A15
HeapFree.KERNEL32(00000000), ref: 00401A1C
GetProcessHeap.KERNEL32(00000000,00000000,004019EE), ref: 00401A2E
HeapFree.KERNEL32(00000000), ref: 00401A35
GetProcessHeap.KERNEL32(00000000,00000000,004019EE), ref: 00401A47
HeapFree.KERNEL32(00000000), ref: 00401A4E

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c62c351f267e8a037fd09e038a524a249c00bb0f3359e712c1e43ea44bd93763
Instruction ID: 6f122c8b1d398ae76f74a68e00cebf1e46d59c7acf91d3b7bf1e75f289059a80
Opcode Fuzzy Hash: c62c351f267e8a037fd09e038a524a249c00bb0f3359e712c1e43ea44bd93763
Instruction Fuzzy Hash: 7EF09CB1A15204EBEB049BD4DE5DBAE7639BB84302F040125F305B61E0C7745844CF28

Function 00401320 Relevance: 7.6, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040133D
_itoa.MSVCRT ref: 004013AB
strlen.MSVCRT ref: 004013C9
tolower.MSVCRT ref: 004013DF
_mbscpy.MSVCRT(?,00000000), ref: 004013F8

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: strlen$_itoa_mbscpytolower
String ID:
API String ID: 302482078-0
Opcode ID: 92de5cfe614cc0789c2e4371552246bc9b6c7b2f8039382dfcff61283bb2cfd1
Instruction ID: 1cdbcc38cd626b065a4e1a3c29a60d0e8e483081dba60a7a9104dbf289dda369
Opcode Fuzzy Hash: 92de5cfe614cc0789c2e4371552246bc9b6c7b2f8039382dfcff61283bb2cfd1
Instruction Fuzzy Hash: 1C3182B0D041499BDF04DFA9C881ABFBBB5AF48304F14817ED9157B291E6386705CBA6

Function 00401410 Relevance: 7.5, APIs: 5, Instructions: 42stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0040143E

Part of subcall function 00401320: strlen.MSVCRT ref: 0040133D
Part of subcall function 00401320: _itoa.MSVCRT ref: 004013AB
Part of subcall function 00401320: strlen.MSVCRT ref: 004013C9
Part of subcall function 00401320: tolower.MSVCRT ref: 004013DF
Part of subcall function 00401320: _mbscpy.MSVCRT(?,00000000), ref: 004013F8

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040145C
lstrcat.KERNEL32(?,0042C934), ref: 0040146B
lstrcat.KERNEL32(?,00000000), ref: 0040147C
lstrcat.KERNEL32(?,?), ref: 0040148A

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$DirectorySystem_itoa_mbscpylstrcpytolower
String ID:
API String ID: 3170448849-0
Opcode ID: 6568edfa59490125a2a174c832f0d0d15ff2b42e0125202a73f7e4a637617323
Instruction ID: 6abaa479cc9015c8336985ba75610240dcfe3b73b50ba9b111437133db599ce1
Opcode Fuzzy Hash: 6568edfa59490125a2a174c832f0d0d15ff2b42e0125202a73f7e4a637617323
Instruction Fuzzy Hash: 320167F6500108FBDB10DFA4DD84EDAB779AB98300F008569F749A7150DAB49A84CFD5

Function 00401230 Relevance: 6.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

_itoa.MSVCRT ref: 004012B2
strlen.MSVCRT ref: 004012D0
toupper.MSVCRT ref: 004012E6
_mbscpy.MSVCRT(00000000,00000000), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: _itoa_mbscpystrlentoupper
String ID:
API String ID: 2724506213-0
Opcode ID: f1cbf843382ea555a545f81363ea015a67597f1e202c4749eb7d08ea07514e0d
Instruction ID: 9d9f28f3c0f32cfc1f9343b282890907f8244d2bfb82986657eee80d103c8214
Opcode Fuzzy Hash: f1cbf843382ea555a545f81363ea015a67597f1e202c4749eb7d08ea07514e0d
Instruction Fuzzy Hash: 62318070D04248EBCB04DFA8C881AAEBBB4AF09314F1446BEE516BB381D234A744DB85

Function 00401140 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00401146
srand.MSVCRT ref: 0040114D
rand.MSVCRT ref: 0040116F
_ftol.MSVCRT ref: 00401186

Memory Dump Source

Source File: 00000000.00000002.1680317289.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1680301090.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680317289.000000000042F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680362666.0000000000430000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1680373997.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7wOqCnSoTo.jbxd

Yara matches

Similarity

API ID: CountTick_ftolrandsrand
String ID:
API String ID: 1641837072-0
Opcode ID: e57609fb0b70fc1510b6367c0afe0e177e87f1f25ec1bbcafec583d6e37917ac
Instruction ID: 4889f8cf9cabca7c7f3cfd90e527be4fdb5dbf2ba62627635eddc35ab301c71a
Opcode Fuzzy Hash: e57609fb0b70fc1510b6367c0afe0e177e87f1f25ec1bbcafec583d6e37917ac
Instruction Fuzzy Hash: 6FF09074804108EBCB04EFA5DD4669C7BB8AF44309F1080A5E905BB361C639AB94EB9A

Analysis Process: svchost.exePID: 7352, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.5%
Total number of Nodes:	723
Total number of Limit Nodes:	38

Executed Functions

Function 100089C0 Relevance: 89.4, APIs: 22, Strings: 29, Instructions: 121
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 100089DD
GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 100089EA
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 10008A06
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 10008A13
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 10008A2F
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 10008A3C
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 10008A49
GetProcAddress.KERNEL32(00000000,SHDeleteKeyA), ref: 10008A65
GetProcAddress.KERNEL32(00000000,SHCopyKeyA), ref: 10008A72
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 10008A8E
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 10008A9B
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 10008AA8
GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 10008AB5
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 10008AC2
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 10008ACF
GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 10008ADC
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 10008AE9
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10008B05
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 10008B12
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 10008B1F
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 10008B2C
GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 10008B46

Strings

InternetReadFile, xrefs: 10008B14
shlwapi.dll, xrefs: 10008A4B
ImmReleaseContext, xrefs: 10008A3E
WTSFreeMemory, xrefs: 100089DF
CreateDIBSection, xrefs: 10008AAA
InternetCloseHandle, xrefs: 10008B21
SHCopyKeyA, xrefs: 10008A67
GDI32.DLL, xrefs: 10008A74
PSAPI.DLL, xrefs: 100089EC
sFC.dLl, xrefs: 10008B2E
CreateCompatibleDC, xrefs: 10008A9D
ImmGetCompositionStringA, xrefs: 10008A29
WININET.DLL, xrefs: 10008AEB
IMM32.DLL, xrefs: 10008A15
SelectObject, xrefs: 10008ADE
CreateCompatibleBitmap, xrefs: 10008A90
InternetOpenA, xrefs: 10008AFF
EnumProcessModules, xrefs: 10008A00
DeleteDC, xrefs: 10008AB7
SHDeleteKeyA, xrefs: 10008A5F
GetDIBits, xrefs: 10008AD1
DeleteObject, xrefs: 10008AC4
InternetOpenUrlA, xrefs: 10008B07
GetModuleFileNameExA, xrefs: 10008A08
BitBlt, xrefs: 10008A88
WTSQuerySessionInformationA, xrefs: 100089D7
SfcIsFileProtected, xrefs: 10008B40
ImmGetContext, xrefs: 10008A31
WTSAPI32.DLL, xrefs: 100089C2

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDIBSection$DeleteDC$DeleteObject$EnumProcessModules$GDI32.DLL$GetDIBits$GetModuleFileNameExA$IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmReleaseContext$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$PSAPI.DLL$SHCopyKeyA$SHDeleteKeyA$SelectObject$SfcIsFileProtected$WININET.DLL$WTSAPI32.DLL$WTSFreeMemory$WTSQuerySessionInformationA$sFC.dLl$shlwapi.dll
API String ID: 551388010-4030630288
Opcode ID: 3db9a7ab92610eb812e9919b22956462e60c96e113e9ff56a4323f248bf6ff4a
Instruction ID: c555c83b1b4fa03cc544d3cbe7857f9a46f0d0b268db9b30baf612df9c715dbb
Opcode Fuzzy Hash: 3db9a7ab92610eb812e9919b22956462e60c96e113e9ff56a4323f248bf6ff4a
Instruction Fuzzy Hash: 8931E3F1C053247AE711EBF66D8DC6B7DBAED515947B0092BF50893222EB78A102CE91

Function 1000FEC0 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 131
librarynetworkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 1000FEDA
lstrcmpiA.KERNEL32(?,10023338), ref: 1000FEF3
gethostbyname.WS2_32(?), ref: 1000FF1F
gethostbyname.WS2_32(www.baidu.com), ref: 1000FF39
gethostbyname.WS2_32(www.163.com), ref: 1000FF48
LoadLibraryA.KERNEL32(dnSaPI.dlL,00000000,?,00000000,00000000), ref: 1000FF6A
GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 1000FF7E
GetProcAddress.KERNEL32(00000000,DnsRecordListFree), ref: 1000FF88
??2@YAPAXI@Z.MSVCRT(00000028), ref: 1000FF90
lstrcpyA.KERNEL32(10023338,?), ref: 10010003
GetTickCount.KERNEL32 ref: 1001000F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1001001B

Strings

www.baidu.com, xrefs: 1000FF34
202.96.75.68, xrefs: 1000FFCB
DnsQuery_A, xrefs: 1000FF78
202.99.160.68, xrefs: 1000FFB7
202.96.102.3, xrefs: 1000FFAD
202.102.152.3, xrefs: 1000FFA0
DnsRecordListFree, xrefs: 1000FF80
202.101.224.68, xrefs: 1000FFC1
dnSaPI.dlL, xrefs: 1000FF65
www.163.com, xrefs: 1000FF43

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: gethostbyname$AddressCountProcTick$??2@??3@LibraryLoadlstrcmpilstrcpy
String ID: 202.101.224.68$202.102.152.3$202.96.102.3$202.96.75.68$202.99.160.68$DnsQuery_A$DnsRecordListFree$dnSaPI.dlL$www.163.com$www.baidu.com
API String ID: 1417392130-1138650064
Opcode ID: bbc90da7d3b42cb370c49366106192757fbd95d312e71a0730175c81225ee38c
Instruction ID: 4f93d23a3d20f4d22ef0b211a37b79afda0665a54f752dce94d7c48daf3c5703
Opcode Fuzzy Hash: bbc90da7d3b42cb370c49366106192757fbd95d312e71a0730175c81225ee38c
Instruction Fuzzy Hash: F641E475A003119FE710EF65ECC8A9ABBE4FB883A1F518429F545C7610DB35D60A8BA1

Function 1000DA00 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 1000DA1C
GetProcessHeap.KERNEL32(00000000,?,?,?,?,00000000), ref: 1000DA33
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 1000DA36
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 1000DA4C
StrStrIA.SHLWAPI(0000010C,VMware,00000000,?,?,00000000), ref: 1000DA73
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 1000DA82
HeapFree.KERNEL32(00000000,?,00000000), ref: 1000DA85
wsprintfA.USER32 ref: 1000DAC1
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 1000DAE1
HeapFree.KERNEL32(00000000,?,00000000), ref: 1000DAE4

Strings

%02X, xrefs: 1000DABB
VMware, xrefs: 1000DA6D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Heap$Process$AdaptersFreeInfo$Allocwsprintf
String ID: %02X$VMware
API String ID: 1287907346-2899430762
Opcode ID: 0d06cae9bc58fd8cfa762effd833683442a1a251687d8a6c4e804a547035af21
Instruction ID: c7586293515f495e183e80e5a26b4817b16db580dd134eb8abd6aee773169005
Opcode Fuzzy Hash: 0d06cae9bc58fd8cfa762effd833683442a1a251687d8a6c4e804a547035af21
Instruction Fuzzy Hash: E921B27A2483056FE310EB65DCC0B9B73E8EB897D0F414529FA49C3245DA35ED098772

Function 10010500 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32 ref: 10010563
CoUninitialize.OLE32 ref: 1001056D
GetLastError.KERNEL32 ref: 10010573

Strings

FriendlyName, xrefs: 10010652

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CreateErrorInstanceLastUninitialize
String ID: FriendlyName
API String ID: 113958023-3623505368
Opcode ID: 67b8596a925f2be3cf3228db238ec75253c2d9b7ef497e54c20df637224f82e1
Instruction ID: 5aaaebcb6b29ba98e5cd863c9015a02387db0fef2a4f67deb6a630013f6c5647
Opcode Fuzzy Hash: 67b8596a925f2be3cf3228db238ec75253c2d9b7ef497e54c20df637224f82e1
Instruction Fuzzy Hash: F6614675204345AFD750DF54C884B9BB7E8FB89720F00891CF5998B290CB74E986CB92

Function 1000DFF0 Relevance: 12.1, APIs: 8, Instructions: 116stringnetworkCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000000), ref: 1000E024
gethostname.WS2_32(?,00000032), ref: 1000E033

Part of subcall function 1000DF90: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000DFAF
Part of subcall function 1000DF90: RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,?,1000E03E), ref: 1000DFD0
Part of subcall function 1000DF90: RegCloseKey.ADVAPI32(?,?,?,?,?,?,1000E03E), ref: 1000DFDB

GetSystemInfo.KERNEL32(?), ref: 1000E05A
GetLogicalDriveStringsA.KERNEL32(00000100,?), ref: 1000E085
GetDiskFreeSpaceExA.KERNEL32(?,?,?,00000000), ref: 1000E0CA
lstrlenA.KERNEL32(?), ref: 1000E10D
lstrlenA.KERNEL32(?), ref: 1000E13B
strncpy.MSVCRT ref: 1000E16F

Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 1000887D
Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,GetVolumeInformationA), ref: 1000888A
Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 10008897
Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 100088A4
Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,SHGetFileInfoA), ref: 100088C0
Part of subcall function 10008860: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 100088CD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$lstrlen$CloseDiskDriveFreeInfoLogicalOpenQuerySpaceStringsSystemValueVersiongethostnamestrncpy
String ID:
API String ID: 3769866440-0
Opcode ID: 0a059d7319f65ed2a7de46bb374aeecbe31cc3acde902389898d3478902a4f36
Instruction ID: b6746441cf6d598649ae33ec038056c462935200efe5d9c4c61b9a32e2e87ed2
Opcode Fuzzy Hash: 0a059d7319f65ed2a7de46bb374aeecbe31cc3acde902389898d3478902a4f36
Instruction Fuzzy Hash: B14181B55043819FE311DF64C881BABBBE4FF95340F40482DF58993251E775A949CB62

Function 1000DCC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000DCE2
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1000DCFB
DeviceIoControl.KERNEL32 ref: 1000DD49
CloseHandle.KERNEL32(00000000), ref: 1000DDBC
CloseHandle.KERNEL32(00000000), ref: 1000DE1D

Part of subcall function 1000DC60: DeviceIoControl.KERNEL32(00000000,0007C088,?,00000020,00000000,00000210,00074080,00000000), ref: 1000DCB7

Strings

\\.\PhysicalDrive%d, xrefs: 1000DCDC

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseControlDeviceHandle$CreateFilewsprintf
String ID: \\.\PhysicalDrive%d
API String ID: 1422569621-2935326385
Opcode ID: 2f61d85fc1e467655dc27194b0abc99de4e989565b6bb12fc98fad58f39ac2dc
Instruction ID: f0955a83f9dfc0378fb9662a5b0d0a942d19150f19e710d26f7dbfa1381efa04
Opcode Fuzzy Hash: 2f61d85fc1e467655dc27194b0abc99de4e989565b6bb12fc98fad58f39ac2dc
Instruction Fuzzy Hash: D041F535508380AEE311DB24DC85BABBBE9EFD6754F00892EF58587290D6758609C762

Function 10002870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93networkCOMMON

Download Yara Rule

APIs

Part of subcall function 100029F0: WaitForSingleObject.KERNEL32(?,00000000,?,1000E91B), ref: 100029FB
Part of subcall function 100029F0: SetEvent.KERNEL32(?), ref: 10002A0C

select.WS2_32(00000000,?,00000000,00000000,?), ref: 100028DD
recv.WS2_32(?,?,00002005,00000000), ref: 10002915

Strings

e, xrefs: 10002951

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: EventObjectSingleWaitrecvselect
String ID: e
API String ID: 1101665243-4024072794
Opcode ID: 81366880f6cb407052ee030dada0d245d407fa5a0b8fe540c610e029e9762a18
Instruction ID: 11b9d688f375e1a419a68d3cab2bf3755ea877f9058b9e546938511f86bb812a
Opcode Fuzzy Hash: 81366880f6cb407052ee030dada0d245d407fa5a0b8fe540c610e029e9762a18
Instruction Fuzzy Hash: D231A4302083456AFB50CF64C885BDFB3D5FF89794F400A2CF98997285DB71A94A8752

Function 10006920 Relevance: 4.5, APIs: 3, Instructions: 42COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,?), ref: 10006967
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 10006976
CloseEventLog.ADVAPI32(00000000), ref: 1000697D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID:
API String ID: 1391105993-0
Opcode ID: 7ae7f45da41be8d2f2fa9f648578c68569a079edbef25e0e506c6b7bf6370113
Instruction ID: 743320e6771225ff5b22108875f7f5391905317cab8855eb42e3ef9e805afe46
Opcode Fuzzy Hash: 7ae7f45da41be8d2f2fa9f648578c68569a079edbef25e0e506c6b7bf6370113
Instruction Fuzzy Hash: FEF0F932109715ABE310DF84EC80B5FB7ACEF956D0F600419ED4197504DBB6DA4A47D2

Function 1000ECC0 Relevance: 58.0, APIs: 30, Strings: 3, Instructions: 269
sleepthreadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncpy.MSVCRT ref: 1000ECDF
wcstombs.MSVCRT ref: 1000ECF1

Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 100089DD
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 100089EA
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 10008A06
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 10008A13
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 10008A2F
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 10008A3C
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 10008A49
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,SHDeleteKeyA), ref: 10008A65
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,SHCopyKeyA), ref: 10008A72
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,BitBlt), ref: 10008A8E
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 10008A9B
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 10008AA8
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 10008AB5
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 10008AC2
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 10008ACF
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 10008ADC
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,SelectObject), ref: 10008AE9
Part of subcall function 100089C0: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10008B05

RegisterServiceCtrlHandlerA.ADVAPI32(10022FC0,1000F040), ref: 1000ED08
_strlwr.MSVCRT ref: 1000ED18

Part of subcall function 1000E4A0: CreateFileA.KERNEL32(c:\windows\system32\ntfastuserswitchingcompatibility.dll,00000001,00000001,?,00000003,00000080,?), ref: 1000E4CD
Part of subcall function 1000E4A0: SetFilePointer.KERNEL32(?,FFFFFA08,00000000,00000002), ref: 1000E4DF
Part of subcall function 1000E4A0: ReadFile.KERNEL32(?,?,000005F8,00000000,00000000), ref: 1000E4FA
Part of subcall function 1000E4A0: CloseHandle.KERNEL32(?), ref: 1000E510
Part of subcall function 1000E4A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E548
Part of subcall function 1000E4A0: lstrcatA.KERNEL32(?,1001F9CC), ref: 1000E55E
Part of subcall function 1000E4A0: lstrlenA.KERNEL32(?), ref: 1000E565
Part of subcall function 1000E4A0: lstrcpyA.KERNEL32(?,1001F014), ref: 1000E57A
Part of subcall function 1000E4A0: lstrcatA.KERNEL32(?,.cfg), ref: 1000E58F
Part of subcall function 1000E4A0: CreateFileA.KERNEL32(?,00000001,00000001,00000000,00000003,00000080,00000000), ref: 1000E5A5
Part of subcall function 1000E4A0: ReadFile.KERNEL32(00000000,?,000005F8,?,00000000), ref: 1000E5CB
Part of subcall function 1000E4A0: CloseHandle.KERNEL32(00000000), ref: 1000E5D2

Part of subcall function 1000EFF0: SetServiceStatus.SECHOST ref: 1000F035

MessageBoxA.USER32(00000000,kill,10021D44,00200000), ref: 1000ED62
Sleep.KERNEL32(00000064), ref: 1000ED70
Sleep.KERNEL32(00000BB8), ref: 1000ED92
strncpy.MSVCRT ref: 1000EDBF
wcstombs.MSVCRT ref: 1000EDCD
??2@YAPAXI@Z.MSVCRT(0000017C), ref: 1000EDF8
??3@YAXPAX@Z.MSVCRT(00000000,00000000,0000017C,10023314,0000017C), ref: 1000EE5A
wsprintfA.USER32 ref: 1000EE7A
CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 1000EEC2
ResetEvent.KERNEL32(00000000), ref: 1000EECE
CreateThread.KERNEL32(00000000,00000000,1000E6C0,10022FC0,00000000,00000000), ref: 1000EEE8
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000EEF3
CloseHandle.KERNEL32(00000000), ref: 1000EEFA
WaitForSingleObject.KERNEL32(?,00000000), ref: 1000EF03
Sleep.KERNEL32(00000BB8), ref: 1000EF18
CreateThread.KERNEL32(00000000,00000000,1000EA60,c:\windows\system32\ntfastuserswitchingcompatibility.dll,00000000,?), ref: 1000EF3A
CloseHandle.KERNEL32(00000000), ref: 1000EF41
Sleep.KERNEL32(000001F4), ref: 1000EF48
lstrlenA.KERNEL32(10022FC0), ref: 1000EF5B
IsBadStringPtrW.KERNEL32(00000000,00000000), ref: 1000EF68
_wcsicmp.MSVCRT ref: 1000EF7B
IsBadReadPtr.KERNEL32(?,00000004), ref: 1000EF93
IsBadReadPtr.KERNEL32(?,00000010), ref: 1000EF9E
FreeLibraryAndExitThread.KERNEL32(?,00000000,?,00000010), ref: 1000EFC9
CloseHandle.KERNEL32(?), ref: 1000EFD8
FreeLibraryAndExitThread.KERNEL32(?,00000000), ref: 1000EFE8

Strings

kill, xrefs: 1000ED5B
c:\windows\system32\ntfastuserswitchingcompatibility.dll, xrefs: 1000EF2E
Global\ki%sll, xrefs: 1000EE74

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$CloseCreateFileHandle$ReadSleepThread$EventExitFreeLibraryObjectServiceSingleWaitlstrcatlstrlenstrncpywcstombs$??2@??3@CtrlDirectoryHandlerMessagePointerRegisterResetStatusStringSystem_strlwr_wcsicmplstrcpywsprintf
String ID: Global\ki%sll$c:\windows\system32\ntfastuserswitchingcompatibility.dll$kill
API String ID: 2714652951-1128401851
Opcode ID: 527175ae298cd086053e33729752966b6f8f08ce6863379d696a17bb59777130
Instruction ID: 4f113fdb4c54dad8950bc1e20cc262a7fbb1f6d168c06246e809ca077b8a4724
Opcode Fuzzy Hash: 527175ae298cd086053e33729752966b6f8f08ce6863379d696a17bb59777130
Instruction Fuzzy Hash: 9F91D5B1A00259BBF700DFA4CCC5F9A77B9EF48344F104529FA09AB285DB71AE418B61

Function 100098B0 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 317
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(00000000,00000000,00000000,00020019,?,00000000,?,00000000), ref: 1000991C

Part of subcall function 10009CC9: RegCloseKey.ADVAPI32(00000000,10009A60), ref: 10009CCD
Part of subcall function 10009CC9: RegCloseKey.ADVAPI32(?), ref: 10009CDA

Strings

REG_MULTI_SZ, xrefs: 10009C75
%-24s %-15s , xrefs: 10009C81, 10009C9B
REG_EXPAND_SZ, xrefs: 10009C29
REG_BINARY, xrefs: 10009C8F
%-24s %-15s 0x%x(%d) , xrefs: 10009C62
%-24s %-15s %s , xrefs: 10009C35
REG_SZ, xrefs: 10009C1B
[%s], xrefs: 10009B3B
REG_DWORD, xrefs: 10009C56

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Close$Open
String ID: %-24s %-15s $%-24s %-15s %s $%-24s %-15s 0x%x(%d) $REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 2976201327-2684303279
Opcode ID: a4d3bd8d0037556746778a2848af485df9c8c098dc3f0c60d6851e2482d5b986
Instruction ID: ea28a9e86f036ab3ef4ea0fbcc7f4b783fcd52bacc67ae51feb7587214fc9f2c
Opcode Fuzzy Hash: a4d3bd8d0037556746778a2848af485df9c8c098dc3f0c60d6851e2482d5b986
Instruction Fuzzy Hash: 00C185B1900518AFEB14CF94CC84FEEB3B9FB89340F508699F619A3290D775AA55CF90

Function 1000E6C0 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 256
stringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenWindowStationA.USER32(winsta0,00000000,02000000), ref: 1000E709
SetProcessWindowStation.USER32(00000000,?,?,?,?,10018661,000000FF), ref: 1000E716
CloseWindowStation.USER32(00000000,?,?,?,?,10018661,000000FF), ref: 1000E71D

Part of subcall function 100023E0: WSAStartup.WS2_32(00000202,?), ref: 10002454
Part of subcall function 100023E0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000245F
Part of subcall function 100023E0: InitializeCriticalSection.KERNEL32(?), ref: 100024AD

CoInitialize.OLE32(00000000), ref: 1000E724
lstrcpyA.KERNEL32(?,?,?,?,?,?,10018661,000000FF), ref: 1000E73E
SetErrorMode.KERNEL32(00008003), ref: 1000E752
WaitForSingleObject.KERNEL32(?,00002710), ref: 1000E82D
strstr.MSVCRT ref: 1000E877
lstrcpyA.KERNEL32(106.54.31.97,00000010), ref: 1000E8BB

Part of subcall function 100029F0: WaitForSingleObject.KERNEL32(?,00000000,?,1000E91B), ref: 100029FB
Part of subcall function 100029F0: SetEvent.KERNEL32(?), ref: 10002A0C

GetTickCount.KERNEL32 ref: 1000E92B
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 1000E9CD
SetErrorMode.KERNEL32(00000000), ref: 1000EA03

Strings

http://, xrefs: 1000E871
106.54.31.97, xrefs: 1000E893, 1000E8B6, 1000E8E8
P, xrefs: 1000E76F
winsta0, xrefs: 1000E703

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: StationWaitWindow$ErrorEventInitializeModeObjectSinglelstrcpy$CloseCountCreateCriticalMultipleObjectsOpenProcessSectionStartupTickstrstr
String ID: 106.54.31.97$P$http://$winsta0
API String ID: 3638678691-4045997840
Opcode ID: 671da5f4a01a0c3ec1cb1c42e5957ba6965ca0609a91a17c06c2de479ada0fdd
Instruction ID: ecd2e9a4863b3e059ab7ddc4fa35b5789f62aa48b412155106ad74dc5b7471e4
Opcode Fuzzy Hash: 671da5f4a01a0c3ec1cb1c42e5957ba6965ca0609a91a17c06c2de479ada0fdd
Instruction Fuzzy Hash: 4591F3755083859FF351DF64CC84AABB7E9FB88384F40492CF58963286DB30AD06CB62

Function 1000E4A0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(c:\windows\system32\ntfastuserswitchingcompatibility.dll,00000001,00000001,?,00000003,00000080,?), ref: 1000E4CD
SetFilePointer.KERNEL32(?,FFFFFA08,00000000,00000002), ref: 1000E4DF
ReadFile.KERNEL32(?,?,000005F8,00000000,00000000), ref: 1000E4FA
CloseHandle.KERNEL32(?), ref: 1000E510
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E548
lstrcatA.KERNEL32(?,1001F9CC), ref: 1000E55E
lstrlenA.KERNEL32(?), ref: 1000E565
lstrcpyA.KERNEL32(?,1001F014), ref: 1000E57A
lstrcatA.KERNEL32(?,.cfg), ref: 1000E58F
CreateFileA.KERNEL32(?,00000001,00000001,00000000,00000003,00000080,00000000), ref: 1000E5A5
ReadFile.KERNEL32(00000000,?,000005F8,?,00000000), ref: 1000E5CB
CloseHandle.KERNEL32(00000000), ref: 1000E5D2

Strings

090504, xrefs: 1000E5EC
\kernel32.dll, xrefs: 1000E5F7
c:\windows\system32\ntfastuserswitchingcompatibility.dll, xrefs: 1000E4C8
.cfg, xrefs: 1000E589

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$CloseCreateHandleReadlstrcat$DirectoryPointerSystemlstrcpylstrlen
String ID: .cfg$090504$\kernel32.dll$c:\windows\system32\ntfastuserswitchingcompatibility.dll
API String ID: 4151605332-3596480681
Opcode ID: 34e2c50aee76f446ae9f997628cd1b203381f024c5b44f25c29cf9e842ccca95
Instruction ID: 6185da63c2b28bff5ed89029a49e4e5de168836734bd615a80f59dbc72e83b68
Opcode Fuzzy Hash: 34e2c50aee76f446ae9f997628cd1b203381f024c5b44f25c29cf9e842ccca95
Instruction Fuzzy Hash: 2F51F576544361AFE721DB10DC85FEB33E5FB88344F018928FA4567291DB74BA0ACB92

Function 10006B50 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 357
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(1001EAF5,00000000), ref: 10006BE7

Strings

d, xrefs: 10006B80
d, xrefs: 10006C27

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen
String ID: d$d
API String ID: 1659193697-195624457
Opcode ID: 806dce29a77245f976201b426fcbec94390477c0a7e7f374ebd12501398b0d2c
Instruction ID: 6cdfb7908424317163a230e52672ba0d4bc60ee84784a99992004279ef85ee7a
Opcode Fuzzy Hash: 806dce29a77245f976201b426fcbec94390477c0a7e7f374ebd12501398b0d2c
Instruction Fuzzy Hash: 38C1F27A744300ABF760DB54DC4AFFB7752EB88750F14803AFB898A1C1C6726519C7A6

Function 100025E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 159
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10002C10: setsockopt.WS2_32(?,0000FFFF,00000080), ref: 10002C43
Part of subcall function 10002C10: CloseHandle.KERNEL32(?,00000000,?,10002D29,00000001,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C61
Part of subcall function 10002C10: InterlockedExchange.KERNEL32(?,00000000), ref: 10002C7A
Part of subcall function 10002C10: SetEvent.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C87

ResetEvent.KERNEL32(?,00000001,00000000,00000000,00000000,00000000), ref: 100025F7
socket.WS2_32(00000002,00000001,00000006), ref: 1000260B

Strings

N, xrefs: 1000276F
Global\b%d_%dj, xrefs: 10002660

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Event$CloseExchangeHandleInterlockedResetsetsockoptsocket
String ID: N$Global\b%d_%dj
API String ID: 345061326-2840929366
Opcode ID: 152ddb9bc127c47cae7bb2ce021df587ec0fa2373a6e93c406b33c4ad7ae8683
Instruction ID: 233d9ba7535d2d8bb4066c89d098b858afb63c9b2165d03a047d6e40863820af
Opcode Fuzzy Hash: 152ddb9bc127c47cae7bb2ce021df587ec0fa2373a6e93c406b33c4ad7ae8683
Instruction Fuzzy Hash: 1A510676604304AFE310DF64DC85F9BB7E8EB85750F10491EF68A87281DB72A845CB72

Function 10017C5E Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 10017D04
GetLastError.KERNEL32 ref: 10017D10
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 10017D43
InterlockedExchange.KERNEL32(?,00000000), ref: 10017D55
LocalAlloc.KERNEL32(00000040,00000008), ref: 10017D69
FreeLibrary.KERNEL32(00000000), ref: 10017D86
GetProcAddress.KERNEL32(?,?), ref: 10017DE7
GetLastError.KERNEL32 ref: 10017DF3
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 10017E25

Strings

$, xrefs: 10017C7A

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 86e9e4dda0d85718e5013886af870a64e7782b03213a84328cccc3a72c37e819
Instruction ID: dac68e4d45f1264dcbbcd9a77415a987eddf25df27bfd7805c463f6be9831669
Opcode Fuzzy Hash: 86e9e4dda0d85718e5013886af870a64e7782b03213a84328cccc3a72c37e819
Instruction Fuzzy Hash: 54612F75A0020AAFEB15DFA9DC84AAA77F5FF48740F11806DE519EB250DB70EE41CB60

Function 1000E190 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 96
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32 ref: 1000E1DC
GlobalMemoryStatusEx.KERNEL32 ref: 1000E207
strncpy.MSVCRT ref: 1000E25C
strncpy.MSVCRT ref: 1000E287
strncpy.MSVCRT ref: 1000E2A3
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?), ref: 1000E2E1
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 1000E2E8

Part of subcall function 10002CB0: _ftol.MSVCRT ref: 10002CDA
Part of subcall function 10002CB0: ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 10002CEE
Part of subcall function 10002CB0: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002D18

Strings

090504, xrefs: 1000E24F
@, xrefs: 1000E1FF

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: strncpy$Process$??2@??3@CurrentGlobalMemoryStatusTimes_ftolgetsockname
String ID: 090504$@
API String ID: 705730206-3838986517
Opcode ID: 76b2d805334ea1a877ce213f58ee9a39deed38ab39aac1af2db9c78ff9a87a96
Instruction ID: bb6f0090ac37e0dfe279f5920095b014a8f450d4fa4d7c5fe92169338a6eda19
Opcode Fuzzy Hash: 76b2d805334ea1a877ce213f58ee9a39deed38ab39aac1af2db9c78ff9a87a96
Instruction Fuzzy Hash: 9141F5B5508341AFD724CF64C889AEBBBF5FBCC300F40892DF68997251DA74A9448F92

Function 1000DB00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1000DB27
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1000DB47
strncpy.MSVCRT ref: 1000DB8F
DeviceIoControl.KERNEL32 ref: 1000DBBE
CloseHandle.KERNEL32(00000000), ref: 1000DC23
CloseHandle.KERNEL32(00000000), ref: 1000DC2A

Strings

\\.\Scsi%d:, xrefs: 1000DB21
SCSIDISK, xrefs: 1000DB6B

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandle$ControlCreateDeviceFilestrncpywsprintf
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 3338169099-2176293039
Opcode ID: 109d4754439ef933bf2992773cf478591a539256594f3aef4cb8e98600103087
Instruction ID: a93f51d6172f255da0f4118ead2f6963618a5c0895e3c4ab6c8b20aef061b64a
Opcode Fuzzy Hash: 109d4754439ef933bf2992773cf478591a539256594f3aef4cb8e98600103087
Instruction Fuzzy Hash: AE31DE70508341ABE320DF18DC85B9FBBE8EFD5744F10491EF98597291E3B4960ACBA2

Function 100077E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 1000813D
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CancelIo), ref: 1000814A
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,SetErrorMode), ref: 10008157
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,DeviceIoControl), ref: 10008164
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateRemoteThread), ref: 10008171
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,OpenProcess), ref: 1000817E
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 1000818B
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreatePipe), ref: 10008198
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateEventA), ref: 100081A5
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateDirectoryA), ref: 100081B2
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 100081BF
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 100081CC
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateThread), ref: 100081D9
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 100081E6
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,DeleteCriticalSection), ref: 100081F3
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,DeleteFileA), ref: 10008200
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,DisconnectNamedPipe), ref: 1000820D
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,EnterCriticalSection), ref: 1000821A
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,TerminateThread), ref: 10008227
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,FindClose), ref: 10008234
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,FindFirstFileA), ref: 10008241
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,FindNextFileA), ref: 1000824E
Part of subcall function 10008120: GetProcAddress.KERNEL32(00000000,FindResourceA), ref: 1000825B

Part of subcall function 100078B0: InitializeSecurityDescriptor.ADVAPI32(1000EEAB,00000001,00000118,1001F3EA,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007909
Part of subcall function 100078B0: AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10017F02), ref: 10007929
Part of subcall function 100078B0: GetLengthSid.ADVAPI32(?,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007937
Part of subcall function 100078B0: GetProcessHeap.KERNEL32(00000008,-00000010,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007948
Part of subcall function 100078B0: HeapAlloc.KERNEL32(00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 1000794F
Part of subcall function 100078B0: InitializeAcl.ADVAPI32(00000000,-00000010,00000002,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007962
Part of subcall function 100078B0: AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,?,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007978
Part of subcall function 100078B0: SetSecurityDescriptorDacl.ADVAPI32(1000EEAB,00000001,00000000,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 1000798A
Part of subcall function 100078B0: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB), ref: 100079B2
Part of subcall function 100078B0: HeapFree.KERNEL32(00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB), ref: 100079B9

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000594,krisig_jhaji), ref: 1000783F
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 10007861
GetProcessHeap.KERNEL32(00000000,?), ref: 1000787F
HeapFree.KERNEL32(00000000), ref: 10007886
GetProcessHeap.KERNEL32(00000000,?), ref: 1000789A
HeapFree.KERNEL32(00000000), ref: 100078A1

Strings

krisig_jhaji, xrefs: 1000782C

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Heap$Process$FreeInitialize$DescriptorFileSecurity$AccessAllocAllocateAllowedCreateDaclLengthMappingView
String ID: krisig_jhaji
API String ID: 1611438149-3549629934
Opcode ID: 08bacdada3485cd3c563a9698ce82fcabc520b0520d49791ffcb2cf896a61df4
Instruction ID: 11737f4e7f6a474969424b4a8bbc12438f9edc466a1400842c2cf38a82b20fdd
Opcode Fuzzy Hash: 08bacdada3485cd3c563a9698ce82fcabc520b0520d49791ffcb2cf896a61df4
Instruction Fuzzy Hash: B321AF74948311BFF740DF64CC89B9B7BE8EB88B81F108519F949D6290D774C548CBA2

Function 100023E0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10002030: InitializeCriticalSection.KERNEL32(?,?,1000240B,?,00000000), ref: 10002048

WSAStartup.WS2_32(00000202,?), ref: 10002454
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 1000245F
InitializeCriticalSection.KERNEL32(?), ref: 100024AD

Strings

c, xrefs: 10002465
1, xrefs: 1000246F
b, xrefs: 1000246A
s, xrefs: 10002474

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CriticalInitializeSection$CreateEventStartup
String ID: 1$b$c$s
API String ID: 3361264690-2979176101
Opcode ID: e14633a95ab2b7cf9f98bcecec4560efe27a5f84b86e4b10e8499b780f7906f8
Instruction ID: 640b8385fb96bbceff067c589fe7732360feaa0bdba33cffc5aefa2c85e9a407
Opcode Fuzzy Hash: e14633a95ab2b7cf9f98bcecec4560efe27a5f84b86e4b10e8499b780f7906f8
Instruction Fuzzy Hash: 34213074509780EFE321CF68C884B97FBE9AB56744F50891EE4DA47292C774A149CB23

Function 1000EC40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000EC58
OpenEventA.KERNEL32(00000002,00000000,?,1001F3EA,?,00000000), ref: 1000EC69
SetEvent.KERNEL32(00000000,?,00000000), ref: 1000EC82
CloseHandle.KERNEL32(00000000,?,00000000), ref: 1000EC89
Sleep.KERNEL32(000003E8,?,00000000), ref: 1000EC90
OpenEventA.KERNEL32(00000002,00000000,?,?,00000000), ref: 1000ECA1

Strings

Global\ki%sll, xrefs: 1000EC50

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Event$Open$CloseHandleSleepwsprintf
String ID: Global\ki%sll
API String ID: 2948338543-1724092387
Opcode ID: dfb480012b2e31fbb2d78019f1c3535d90c94ab3fc1b4b6158e524c31bf09fce
Instruction ID: 6192f1868f013060a5a8e74ba683810886024ec1d65252185e6c2bab20c31e0a
Opcode Fuzzy Hash: dfb480012b2e31fbb2d78019f1c3535d90c94ab3fc1b4b6158e524c31bf09fce
Instruction Fuzzy Hash: D0F0FF729007B57BF211DBA48C89EBF3768EBC5794F044128FE0582180DB31DC0787A2

Function 10009D40 Relevance: 12.1, APIs: 8, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,74DF0F00,74DF0F00,74DF0F00,00000000,00000000,Module,00000001,00000000,00000000), ref: 10009D97
RegOpenKeyExA.ADVAPI32(0002001F,00000000,00000000,0002001F,?,?,?,?,?,?,?,?,?,?,?), ref: 10009DB7
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10009DF0
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10009E1D
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 10009E3B
RegDeleteKeyA.ADVAPI32(?,?), ref: 10009E4D
RegOpenKeyExA.KERNEL32(?,?,00000000,0002001F,?), ref: 10009E6B
RegDeleteValueA.KERNEL32(?,?), ref: 10009E7D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: OpenValue$Delete$Create
String ID:
API String ID: 2295199933-0
Opcode ID: 6a999881b25c16595bc96b2283bf1c4b2ef874e3071ea7a166a7c919475bc23f
Instruction ID: eb142783ed94b03972eadfec29153d0edd70a38efe999a859117321bbbfb36e3
Opcode Fuzzy Hash: 6a999881b25c16595bc96b2283bf1c4b2ef874e3071ea7a166a7c919475bc23f
Instruction Fuzzy Hash: 38411DB5604259ABEB10DFD5CC84DAFB7BCFB88690B20811DFA19D3258DB35ED018B60

Function 10007D30 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
GetProcAddress.KERNEL32(00000000), ref: 10007D59
LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

Strings

kernel32.dll, xrefs: 10007D51
LoadLibraryA, xrefs: 10007D4C

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: HandleModule$AddressLibraryLoadProc
String ID: LoadLibraryA$kernel32.dll
API String ID: 3248658196-2572683754
Opcode ID: 2113049260cf55a8d54835f731698b83995433fed07709036c8491c8fdd15aee
Instruction ID: b0eb66cdaffcf4aea261932e7cb4ce45ed40dd3df6eb0d3051f23b1f64bb04dc
Opcode Fuzzy Hash: 2113049260cf55a8d54835f731698b83995433fed07709036c8491c8fdd15aee
Instruction Fuzzy Hash: C9E086315041616EF600E7A5DC40CAA63E8EF941D47010016E900D3110D734D9429661

Function 1000DF90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000DFAF
RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,?,1000E03E), ref: 1000DFD0
RegCloseKey.ADVAPI32(?,?,?,?,?,?,1000E03E), ref: 1000DFDB

Strings

~MHz, xrefs: 1000DFCA
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 1000DFA5

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3677997916-2226868861
Opcode ID: c1c9175ac491f47d40b1299fac317fb98f692bd318687da6c3acdf579ebe3bef
Instruction ID: 61b1798417077f1d85be4b7c9a68adface3aa0f4b41a1fe5feb018de27eb8821
Opcode Fuzzy Hash: c1c9175ac491f47d40b1299fac317fb98f692bd318687da6c3acdf579ebe3bef
Instruction Fuzzy Hash: DCF0F8B9108351FFE700DB64CC84E6BB7E8EB84704F50C91DF65982250D630E819CB56

Function 10002D90 Relevance: 7.6, APIs: 5, Instructions: 84networksleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 10002DB2
send.WS2_32(?,?,?,00000000), ref: 10002DD5
Sleep.KERNEL32(0000000A), ref: 10002E02
send.WS2_32(?,?,?,00000000), ref: 10002E23
LeaveCriticalSection.KERNEL32(10002D62), ref: 10002E56

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CriticalSectionsend$EnterLeaveSleep
String ID:
API String ID: 1213401221-0
Opcode ID: 64997f89458a0f03b82818034326ac94d230e8e638590d4918d26cb77bfe2c2c
Instruction ID: 60f6ee946c418f96e91c01931b96d452755ae57a0117944dd4ed5c6762599ef1
Opcode Fuzzy Hash: 64997f89458a0f03b82818034326ac94d230e8e638590d4918d26cb77bfe2c2c
Instruction Fuzzy Hash: 56217C322083529FE304DF64C888B5BB7E5FBC8394F200A2DF5899B251D770E8458BA2

Function 10006380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,1001F014), ref: 10006395

Part of subcall function 10003FE0: lstrcpyA.KERNEL32(00000000,?), ref: 10004010
Part of subcall function 10003FE0: lstrcpyA.KERNEL32(?,100231E4,74DE83C0), ref: 10004034
Part of subcall function 10003FE0: lstrcpyA.KERNEL32(00000000,?,?), ref: 10004045
Part of subcall function 10003FE0: lstrcatA.KERNEL32(?,?,?,?), ref: 10004050

GetFileAttributesA.KERNEL32(?,1001F014), ref: 100063B2
WaitForSingleObject.KERNEL32(?,00000000), ref: 10006418

Strings

.key, xrefs: 1000639F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$AttributesFileObjectSingleWaitlstrcat
String ID: .key
API String ID: 1323467792-343438762
Opcode ID: baa1e1fd65516b985ed0432d1faf6983719d1f83daa496b21d7b2b64b75879af
Instruction ID: 62069952b5abd2cc09df0068d72781caeda17d1dd3073563db716b0882a44cf1
Opcode Fuzzy Hash: baa1e1fd65516b985ed0432d1faf6983719d1f83daa496b21d7b2b64b75879af
Instruction Fuzzy Hash: 5A1129B59043912BFB14EB609CC1B7A379EEB057C4F644424FA844219BE636D50AD222

Function 10005B50 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87sleepstringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10005B94
lstrlenA.KERNEL32(00000000,00000000), ref: 10005BA4
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?), ref: 10005BF7

Strings

Module, xrefs: 10005BBB, 10005C39

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Sleeplstrlenwsprintf
String ID: Module
API String ID: 1736695411-193471262
Opcode ID: 02606a1ee223b83cd8450e9b91be95d95c8312cd915f4e2111e37817f9cbeeea
Instruction ID: 06a63d86fd0a7669c77c4f36d6d27c8beae4f5bca40f9cb56930bdc97510d600
Opcode Fuzzy Hash: 02606a1ee223b83cd8450e9b91be95d95c8312cd915f4e2111e37817f9cbeeea
Instruction Fuzzy Hash: E02125B66003007BF314D668DC96FEB7798EB84740F00492CFB49D61D2FAB5E244C692

Function 100022D0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 1000230A
_ftol.MSVCRT ref: 10002312

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: _ftolceil
String ID:
API String ID: 2006273141-0
Opcode ID: 7b7fadb36cc1cdb5d040ae55a43f56e121d71a5289b5a561f055c89d26160920
Instruction ID: 172f575a5ed8bd1cd57efda1a07e5b1c85afbe0fa517748a12bb50a48e3dad64
Opcode Fuzzy Hash: 7b7fadb36cc1cdb5d040ae55a43f56e121d71a5289b5a561f055c89d26160920
Instruction Fuzzy Hash: CA11E4726043049FEB00EF24AC8162AF7E0FB98761F00843EFD458B345EA75D908CA62

Function 1000F8C0 Relevance: 6.0, APIs: 4, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1000F8E3
_beginthreadex.MSVCRT ref: 1000F914
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 1000F925
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 1000F930

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
String ID:
API String ID: 92035984-0
Opcode ID: 2ec29a1a3b53fc0cd4416f8b4c03769f950a34d2d5c37dce1d0334132164db3a
Instruction ID: 0190c40ff42dee746bcecac89ad97e4f2ae521f36601ce3a59c1c6c146b86b9b
Opcode Fuzzy Hash: 2ec29a1a3b53fc0cd4416f8b4c03769f950a34d2d5c37dce1d0334132164db3a
Instruction Fuzzy Hash: 25015274208311AFD300DF68CC85F6BBBE4EB88654F548A1CF59893350D630D5458B92

Function 100027C0 Relevance: 4.6, APIs: 3, Instructions: 52networkstringCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000001,00000100), ref: 100027DE
strncpy.MSVCRT ref: 100027F8
gethostbyname.WS2_32(?), ref: 10002805

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: gethostbynamegethostnamestrncpy
String ID:
API String ID: 1743340580-0
Opcode ID: fb9b653fb751d63ee6e2c19621e3b80debea3c342f67ec7bbc3c8e520dd8d24a
Instruction ID: 4a29d65d87cd11ac5f357a7e04bdfb88954c66c9e7db8c21f9ea61dd1be21a5b
Opcode Fuzzy Hash: fb9b653fb751d63ee6e2c19621e3b80debea3c342f67ec7bbc3c8e520dd8d24a
Instruction Fuzzy Hash: DE11CE796012229FF305DF18EC80B9633E4EB55790F65C26DE5058B2A5DBB4E883CB51

Function 10010080 Relevance: 4.5, APIs: 3, Instructions: 13fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(10005C03,00000000,10005C03,?,?,?,?,?,?,?,?,?,?), ref: 10010086
SetFileAttributesA.KERNEL32(10005C03,00000080,?,?,?,?,?,?,?,?,?), ref: 10010096
DeleteFileA.KERNEL32(10005C03,?,?,?,?,?,?,?,?,?), ref: 1001009D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$Attributes$Delete
String ID:
API String ID: 3735447641-0
Opcode ID: b1344481ef90f5305f7852d8b348e3d2901029c14a3441fc2fb5b010eb68fa2b
Instruction ID: 5485823ceab41215b84e05e1a195dca1eae18f4f66caa79b6d16b1ddfff94c8c
Opcode Fuzzy Hash: b1344481ef90f5305f7852d8b348e3d2901029c14a3441fc2fb5b010eb68fa2b
Instruction Fuzzy Hash: EAC01232501930BBD5426BA49C5CBCF3B68AF0A641F118041F18561121C77455438B95

Function 1000EFF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetServiceStatus.SECHOST ref: 1000F035

Strings

, xrefs: 1000F021

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-3916222277
Opcode ID: 9e4958e18cb5a9cbc6ebcde78aa0c3a52df771083a4b53e2bd39df8ebcef7a1a
Instruction ID: 05ad0dd892fff40c2c899c0c46c613db9ad6d7b60a461bfedda70fab1d265165
Opcode Fuzzy Hash: 9e4958e18cb5a9cbc6ebcde78aa0c3a52df771083a4b53e2bd39df8ebcef7a1a
Instruction Fuzzy Hash: CCF02BB4908341AFD380DF29C99461ABBE4BBC8348F508A6DF48CD3351E37596558F56

Function 10015010 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 1001501A

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c21f5ae2d1c69433f71f17d1a8e22083ce6c08007e41989e42a6e7cfde5bd297
Instruction ID: 35ffac9deba131cd409419e8e2eebd935eda7934e7605c6224116b01ac664f1e
Opcode Fuzzy Hash: c21f5ae2d1c69433f71f17d1a8e22083ce6c08007e41989e42a6e7cfde5bd297
Instruction Fuzzy Hash: 43B09275404202BFE608CB54E98980ABBA8AA90204F808854F54A86020C235E5948A07

Function 10015030 Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 10015035

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ced40dd1175bcbaa9c7fc7c9976257c2d794472f41d95f0e59a86f2de81aaa81
Instruction ID: 59cae8b0fd08867d13dd2c5701b8089b61d371fb9365f6673ad78db9ccdc56cf
Opcode Fuzzy Hash: ced40dd1175bcbaa9c7fc7c9976257c2d794472f41d95f0e59a86f2de81aaa81
Instruction Fuzzy Hash: C1A002B6546252FFEF049BA4D98C88A7FA8EF88652B208849F147C74A0CB35D8909B11

Non-executed Functions

Function 100033F0 Relevance: 51.1, APIs: 23, Strings: 6, Instructions: 305stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,1001F9CC), ref: 10003430
lstrcatA.KERNEL32(?,?), ref: 1000343B
lstrcatA.KERNEL32(?,1001F874), ref: 10003449

Part of subcall function 10004500: GetFileAttributesA.KERNEL32(?,10005C14,?,?,?,?,?,?,?,?,?,?,?), ref: 10004505

ExpandEnvironmentStringsA.KERNEL32(%USERPROFILE%\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk,?,00000105), ref: 1000346B
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 1000347F
wsprintfA.USER32 ref: 1000349F
lstrcatA.KERNEL32(?,1001F874), ref: 100034D3
CloseHandle.KERNEL32(00000000), ref: 100034DA
lstrcmpiA.KERNEL32(?,?), ref: 10003514
GetVersionExA.KERNEL32(?), ref: 10003541
??2@YAPAXI@Z.MSVCRT(00001000), ref: 10003567
GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,00000002), ref: 100035A5
GetPrivateProfileStringA.KERNEL32(00000000,DialParamsUID,00000000,?,00000100,00000002), ref: 10003621
lstrcmpA.KERNEL32(?,00000000), ref: 10003646
lstrcpyA.KERNEL32(?,00000200), ref: 10003681
lstrcpyA.KERNEL32(?,00000100), ref: 10003696
GetPrivateProfileStringA.KERNEL32(00000000,PhoneNumber,00000000,?,00000100,00000002), ref: 100036C3
GetPrivateProfileStringA.KERNEL32(00000000,Device,00000000,?,00000100,00000002), ref: 100036DB
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?), ref: 10003734
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,?,?,?,?,?), ref: 10003741
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?), ref: 10003752
lstrlenA.KERNEL32(00000000,?,?,00000000,?,?,?,?,?), ref: 1000375B
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100037EF

Strings

Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000348C
%s\%s, xrefs: 10003499
Device, xrefs: 100036D5
%USERPROFILE%\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10003466
PhoneNumber, xrefs: 100036BD
DialParamsUID, xrefs: 10003619

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@PrivateProfilelstrcat$String$lstrcpy$??2@AttributesCloseEnvironmentExpandFileFolderHandleNamesPathSectionSpecialStringsVersionlstrcmplstrcmpilstrlenwsprintf
String ID: %USERPROFILE%\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk$%s\%s$Device$DialParamsUID$Microsoft\Network\Connections\pbk\rasphone.pbk$PhoneNumber
API String ID: 977450401-1701591215
Opcode ID: 8ba5b12fb5b6d9b77bb3168f49c4e7453afd1cfc5cfbe964d969ef9b7c24d4c9
Instruction ID: 38655e5df9fbbaa52785a527cf0b9d784f351f32ada4d4d6394548e325dace49
Opcode Fuzzy Hash: 8ba5b12fb5b6d9b77bb3168f49c4e7453afd1cfc5cfbe964d969ef9b7c24d4c9
Instruction Fuzzy Hash: 5CB190B5104385AFE721DB14CC84FEBB7EDEB88344F00892DF58997251EB74E9098B52

Function 100067B0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 106stringregistryprocessCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,Applications\iexplore.exe\shell\open\command,00000000,000F003F,?), ref: 100067FD
RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 1000681E
RegCloseKey.ADVAPI32(?), ref: 10006829
lstrlenA.KERNEL32(?), ref: 10006837
strstr.MSVCRT ref: 10006852
lstrcpyA.KERNEL32(00000000,?), ref: 10006864
lstrcatA.KERNEL32(?,ta0\D), ref: 100068BC
lstrcatA.KERNEL32(?,efault), ref: 100068C8
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 100068F2
CloseHandle.KERNEL32(?), ref: 10006907
CloseHandle.KERNEL32(?), ref: 1000690E

Strings

WinS, xrefs: 1000688A
Applications\iexplore.exe\shell\open\command, xrefs: 100067F3
efault, xrefs: 100068C2
D, xrefs: 1000687E
ta0\D, xrefs: 100068B6

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Close$Handlelstrcat$CreateOpenProcessQueryValuelstrcpylstrlenstrstr
String ID: Applications\iexplore.exe\shell\open\command$D$WinS$efault$ta0\D
API String ID: 1282623465-1042300674
Opcode ID: 7e9b71784dd8e324731674ee0edf9b6fa4ac01607a77df863c64b121bc5592a2
Instruction ID: 3b4e1f68138df6bcac72ec24ab3616313e6abb73a224a8782db373be9224cab5
Opcode Fuzzy Hash: 7e9b71784dd8e324731674ee0edf9b6fa4ac01607a77df863c64b121bc5592a2
Instruction Fuzzy Hash: 0A316D71508351ABE710CB60CC94FABB7E9EBC8340F008D1DF68997290DB78E948CB62

Function 100054D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 102fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,74DF0440), ref: 1000551D
wsprintfA.USER32 ref: 1000553B
FindFirstFileA.KERNEL32(?,?), ref: 10005550
wsprintfA.USER32 ref: 100055A2
FindNextFileA.KERNEL32(?,?), ref: 100055FC
FindClose.KERNEL32(?), ref: 1000560F

Strings

., xrefs: 10005574
%s*.*, xrefs: 10005535
%s%s, xrefs: 100055C8
%s%s\, xrefs: 1000559C

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Find$Filewsprintf$CloseEnvironmentExpandFirstNextStrings
String ID: %s%s$%s%s\$%s*.*$.
API String ID: 1378924236-2049418129
Opcode ID: f1e95feabcc9c0575de6f5feee063181bbffbaf30da37208e7f775b95d78fb03
Instruction ID: 46ca7f1a2a80123a60d9fe48fc06e70aa4aa4e2731a8d26b704ca5a2756b6a55
Opcode Fuzzy Hash: f1e95feabcc9c0575de6f5feee063181bbffbaf30da37208e7f775b95d78fb03
Instruction Fuzzy Hash: E531A6721087856BE324DB64CC95EEB77A9EBC4306F004D1DF69982190EB75A64CCBA2

Function 10004EE0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 169memoryfilestringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10004F20
LocalAlloc.KERNEL32(00000040,00002800), ref: 10004F39
wsprintfA.USER32 ref: 10004F56
FindFirstFileA.KERNEL32(?,?), ref: 10004F6C
LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 10004FC1
lstrlenA.KERNEL32(?), ref: 10005051
FindNextFileA.KERNEL32(?,?), ref: 100050A4
LocalFree.KERNEL32(00000000,00000000,-0000000D), ref: 100050C0

Strings

h, xrefs: 10004F84
%s\*.*, xrefs: 10004F50

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Local$AllocFileFind$EnvironmentExpandFirstFreeNextStringslstrlenwsprintf
String ID: %s\*.*$h
API String ID: 113591351-1052742963
Opcode ID: 91bac1dc3cd434e202af557af68ac6ac353a9d156cd6f3752f776035c86fe2b7
Instruction ID: 94963c8cf954e42fbc0e99aae0767747dfcb8a4f17cb028b54059bec929f056f
Opcode Fuzzy Hash: 91bac1dc3cd434e202af557af68ac6ac353a9d156cd6f3752f776035c86fe2b7
Instruction Fuzzy Hash: 16515CB55083869FE710CF24CC8069BBBE9EF99384F014A28F98997381D73AD90DC791

Function 10008D70 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 112timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?), ref: 10008D7D

Part of subcall function 10009340: wvsprintfA.USER32(?,?,?), ref: 10009359
Part of subcall function 10009340: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10009375

Part of subcall function 10009180: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 10009193
Part of subcall function 10009180: GetModuleFileNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 100091AC

Part of subcall function 10009220: IsBadWritePtr.KERNEL32(?,00000008), ref: 100092C5

Strings

Registers:, xrefs: 10008E2C
CS:EIP:%04X:%08X, xrefs: 10008E78
DS:%04X ES:%04X FS:%04X GS:%04X, xrefs: 10008EC0
EAX:%08XEBX:%08XECX:%08XEDX:%08XESI:%08XEDI:%08X, xrefs: 10008E60
//===============[%d-%d-%d %d:%d:%d]======================, xrefs: 10008DC3
SS:ESP:%04X:%08X EBP:%08X, xrefs: 10008E9A
Exception code: %08X %s, xrefs: 10008DE2
Flags:%08X, xrefs: 10008ED1
Fault address: %08X %02X:%08X %s, xrefs: 10008E1F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FileWrite$LocalModuleNameQueryTimeVirtualwvsprintf
String ID: Registers:$//===============[%d-%d-%d %d:%d:%d]======================$CS:EIP:%04X:%08X$DS:%04X ES:%04X FS:%04X GS:%04X$EAX:%08XEBX:%08XECX:%08XEDX:%08XESI:%08XEDI:%08X$Exception code: %08X %s$Fault address: %08X %02X:%08X %s$Flags:%08X$SS:ESP:%04X:%08X EBP:%08X
API String ID: 3392942872-629072311
Opcode ID: 325dc3a173fa5085d390c240393e6d3c7db53e928b67d0853a805707505b813c
Instruction ID: aadd6a77fe3facb75dc2a80480bce72fa474b4ba70e69a251953d90f6b869214
Opcode Fuzzy Hash: 325dc3a173fa5085d390c240393e6d3c7db53e928b67d0853a805707505b813c
Instruction Fuzzy Hash: C44121B5214701AFE314DB64DC41EBBB3AAEFC8340F01891CB69A47285C730BD44CBA2

Function 100050E0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 90fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,00000104,00000104), ref: 10005112
wsprintfA.USER32 ref: 10005130
FindFirstFileA.KERNEL32(?,?), ref: 10005145
wsprintfA.USER32 ref: 1000518E
FindNextFileA.KERNEL32(00000000,?), ref: 100051D9
FindClose.KERNEL32(00000000), ref: 100051E8

Strings

%s\*.*, xrefs: 1000512A
%s\%s, xrefs: 10005188, 100051B8
., xrefs: 10005160

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Find$Filewsprintf$CloseEnvironmentExpandFirstNextStrings
String ID: %s\%s$%s\*.*$.
API String ID: 1378924236-1471744235
Opcode ID: 4dc24c52a5406fd3d766983e72989e3c98f8ce5cea200cde8ce84f70a86e84a6
Instruction ID: c0c7167856801a1b805367f0f912c8d68e95651dcea2f481bbd8703bf51cd479
Opcode Fuzzy Hash: 4dc24c52a5406fd3d766983e72989e3c98f8ce5cea200cde8ce84f70a86e84a6
Instruction Fuzzy Hash: 7A31C5765043487BE320D764CC89FEB73ECEBD8315F448D1EF65982180F6B5A2498BA2

Function 1000B010 Relevance: 15.2, APIs: 10, Instructions: 160keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 1000FCF0: GetCurrentThreadId.KERNEL32 ref: 1000FD2A
Part of subcall function 1000FCF0: GetThreadDesktop.USER32(00000000), ref: 1000FD31
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD58
Part of subcall function 1000FCF0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1000FD65
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD92
Part of subcall function 1000FCF0: lstrcmpiA.KERNEL32(?,?), ref: 1000FDA5
Part of subcall function 1000FCF0: SetThreadDesktop.USER32(00000000), ref: 1000FDB0
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDBC
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDC3

SetCursorPos.USER32(?,?,?,?,?,?,1000AC53,?,?,00000000), ref: 1000B070
WindowFromPoint.USER32(?,?,?,?,?,?,1000AC53,?,?,00000000), ref: 1000B078
SetCapture.USER32(00000000,?,?,?,?,1000AC53,?,?,00000000), ref: 1000B07F
MapVirtualKeyA.USER32(?,00000000), ref: 1000B0BE
keybd_event.USER32(?,00000000), ref: 1000B0C8
MapVirtualKeyA.USER32(?,00000000), ref: 1000B0DC
keybd_event.USER32(00000000,00000000), ref: 1000B0E6
mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 1000B1AA

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Desktop$Thread$CloseInformationObjectUserVirtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpimouse_event
String ID:
API String ID: 1258999209-0
Opcode ID: d3e27dfc50a3f13f94667941d4ab02b0cb0209fa37e648e28ddb0116875a4a75
Instruction ID: e771643d60041fb7036561c89ed2cc5db87cfdc32dad2feb547ff6d22052c7c9
Opcode Fuzzy Hash: d3e27dfc50a3f13f94667941d4ab02b0cb0209fa37e648e28ddb0116875a4a75
Instruction Fuzzy Hash: 56416C317C4B24BAF2349E948CABF9A7665EB44FD1F708111FB01BE1C9C6E0B941869D

Function 100078B0 Relevance: 15.1, APIs: 10, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(1000EEAB,00000001,00000118,1001F3EA,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007909
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10017F02), ref: 10007929
GetLengthSid.ADVAPI32(?,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007937
GetProcessHeap.KERNEL32(00000008,-00000010,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007948
HeapAlloc.KERNEL32(00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 1000794F
InitializeAcl.ADVAPI32(00000000,-00000010,00000002,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007962
AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,?,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 10007978
SetSecurityDescriptorDacl.ADVAPI32(1000EEAB,00000001,00000000,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB,?), ref: 1000798A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB), ref: 100079B2
HeapFree.KERNEL32(00000000,?,?,?,?,10017F02,10019278,000000FF,?,1000EEAB), ref: 100079B9

Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,FreeSid), ref: 1000802D
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,GetLengthSid), ref: 1000803A
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 10008047
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,InitializeAcl), ref: 10008054
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 10008061
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,IsValidSid), ref: 1000806E
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LookupAccountNameA), ref: 1000807B
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 10008088
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 10008095
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LsaClose), ref: 100080A2
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LsaFreeMemory), ref: 100080AF
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LsaOpenPolicy), ref: 100080BC
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,LsaRetrievePrivateData), ref: 100080C9
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorDacl), ref: 100080D6
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,AddAccessAllowedAce), ref: 100080E3
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 100080F0
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 100080FD
Part of subcall function 10008010: GetProcAddress.KERNEL32(00000000,BuildExplicitAccessWithNameA), ref: 1000810A

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Heap$Initialize$DescriptorProcessSecurity$AccessAllocAllocateAllowedDaclFreeLength
String ID:
API String ID: 1461329683-0
Opcode ID: 335944da31aaf82200c29d7a58945a1b53f09e5c46889705128f29d287156984
Instruction ID: 34f91b7730cb6b4a33d7c2cfafcdfab02f288f1d7076a6928d15390dea9772ea
Opcode Fuzzy Hash: 335944da31aaf82200c29d7a58945a1b53f09e5c46889705128f29d287156984
Instruction Fuzzy Hash: 853172B2941254BFEB10DFE9DC88BDEBBB8FB48790F10452DF605A3280C6799941CB61

Function 100074A0 Relevance: 15.1, APIs: 10, Instructions: 65clipboardstringCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 100074A4
GetClipboardData.USER32(00000001), ref: 100074B4
CloseClipboard.USER32 ref: 100074C0
GlobalSize.KERNEL32(00000000), ref: 100074CD
GlobalLock.KERNEL32(00000000), ref: 100074D9
??2@YAPAXI@Z.MSVCRT(-00000002), ref: 100074E4
lstrcatA.KERNEL32(00000000,1001FC08), ref: 10007523
GlobalUnlock.KERNEL32(00000000), ref: 1000752A
CloseClipboard.USER32 ref: 10007530
??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000753D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlocklstrcat
String ID:
API String ID: 234222776-0
Opcode ID: ef9f1312ebf749aeb103c1796d29d9d2bcbb8adf19cbceda0384fbb73935307c
Instruction ID: 012ee4c170c628df250d90a8d10c5588261a88c15c3bccdb5304d5c85442d95e
Opcode Fuzzy Hash: ef9f1312ebf749aeb103c1796d29d9d2bcbb8adf19cbceda0384fbb73935307c
Instruction Fuzzy Hash: A01108726052286FE708ABB49C4966B7AEDFB48252B044069FD0BC3251DF76E904C6B1

Function 1000C760 Relevance: 13.6, APIs: 9, Instructions: 125servicestringCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000), ref: 1000C77E
EnumServicesStatusA.ADVAPI32(00000000,?,00000003,?,00000024,?,?,?), ref: 1000C7AE
malloc.MSVCRT ref: 1000C7B9
EnumServicesStatusA.ADVAPI32(00000000,?,00000003,00000000,?,?,?,?), ref: 1000C7DE
??2@YAPAXI@Z.MSVCRT ref: 1000C7F7
strncpy.MSVCRT ref: 1000C849

Part of subcall function 1000C5C0: OpenServiceA.ADVAPI32(?,?,000F01FF,?,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5D8
Part of subcall function 1000C5C0: QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5F2
Part of subcall function 1000C5C0: GetLastError.KERNEL32(?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5F8
Part of subcall function 1000C5C0: ??2@YAPAXI@Z.MSVCRT(?,00000001,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C610
Part of subcall function 1000C5C0: QueryServiceConfigA.ADVAPI32(00000000,00000000,?,?,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C622
Part of subcall function 1000C5C0: strncpy.MSVCRT ref: 1000C64A
Part of subcall function 1000C5C0: strncpy.MSVCRT ref: 1000C663
Part of subcall function 1000C5C0: strncpy.MSVCRT ref: 1000C67F
Part of subcall function 1000C5C0: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C693
Part of subcall function 1000C5C0: QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C6AB
Part of subcall function 1000C5C0: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C6CA

free.MSVCRT ref: 1000C8AE
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000001), ref: 1000C8B4
CloseServiceHandle.ADVAPI32(00000000), ref: 1000C8BD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Service$strncpy$QueryStatus$??2@??3@CloseConfigEnumHandleOpenServices$ErrorLastManagerfreemalloc
String ID:
API String ID: 3042377163-0
Opcode ID: 25db9a1ed30f7d6006a53c19552a4fc2d8bfea85584c41925cad96b948ab6964
Instruction ID: ad066054352deeb8793910da8f113d902a7ba25514cdf8bae78e8b9094f8c110
Opcode Fuzzy Hash: 25db9a1ed30f7d6006a53c19552a4fc2d8bfea85584c41925cad96b948ab6964
Instruction Fuzzy Hash: 53413BB6604305AFD304CF54C885EABB7E9FBC8740F04891DF59997240DB74EA09CBA6

Function 1000B1E0 Relevance: 12.0, APIs: 8, Instructions: 38clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 1000B1E2
EmptyClipboard.USER32 ref: 1000B1EE
GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 1000B1FE
GlobalLock.KERNEL32(00000000), ref: 1000B20C
GlobalUnlock.KERNEL32(00000000), ref: 1000B229
SetClipboardData.USER32(00000001,00000000), ref: 1000B232
GlobalFree.KERNEL32(00000000), ref: 1000B239
CloseClipboard.USER32 ref: 1000B240

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: e2502516651dbcbcefb75123acd6609886b4e6d3806e2bce1ae564db42e1e21f
Instruction ID: c6f98577539bca579d7f77b4e6bf297cbae2df84160730063bb559a6b4455ba0
Opcode Fuzzy Hash: e2502516651dbcbcefb75123acd6609886b4e6d3806e2bce1ae564db42e1e21f
Instruction Fuzzy Hash: D0F01772200721AFFB05ABF48CCCAAF7AACFB48652B004419FA0692290CB749805CB71

Function 1000F600 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1000F618
OpenProcessToken.ADVAPI32(00000000), ref: 1000F61F
CloseHandle.KERNEL32(?), ref: 1000F632
LookupPrivilegeValueA.ADVAPI32(00000000,?,00000000), ref: 1000F65E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1000F676
GetLastError.KERNEL32 ref: 1000F67C
CloseHandle.KERNEL32(?), ref: 1000F68D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3435690185-0
Opcode ID: e9ec2f493e37695035a361b5205f47bd201c43e170d42496af1f4708a783a235
Instruction ID: f9f25395099ada7130a68df9ac072d47042231e9d23e06a08f0c7c0b9c686e62
Opcode Fuzzy Hash: e9ec2f493e37695035a361b5205f47bd201c43e170d42496af1f4708a783a235
Instruction Fuzzy Hash: F3117C71604321BBE704DB64CC8ABAB77E8AF88B40F81C91CF98586190D674D9459B51

Function 10005760 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,00000000), ref: 1000579E
FindClose.KERNEL32(00000000), ref: 10005818
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10005833
CloseHandle.KERNEL32(00000000), ref: 1000583A

Strings

p, xrefs: 100057AD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseFileFind$CreateFirstHandle
String ID: p
API String ID: 3283578348-2181537457
Opcode ID: c4507872fde626a0ba1d371c89ac177aff0737260ffaa00ba623de676772b744
Instruction ID: 289159cca765c33c93209cea9f7af8450f51873cbbec96cd5ab3f112c3a265bb
Opcode Fuzzy Hash: c4507872fde626a0ba1d371c89ac177aff0737260ffaa00ba623de676772b744
Instruction Fuzzy Hash: 1B21F575D0C221ABE324CB14C84571BBBD9EF843A1F15C92DF88DAB2D4D6319C418752

Function 10008C80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17stringCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(10008D00,?,10008C75), ref: 10008CB8
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\svchost.exe.txt,00000104,?,10008C75), ref: 10008CCF
lstrcatA.KERNEL32(C:\Windows\SysWOW64\svchost.exe.txt,.txt,?,10008C75), ref: 10008CDF

Strings

.txt, xrefs: 10008CD5
C:\Windows\SysWOW64\svchost.exe.txt, xrefs: 10008CC3, 10008CDA

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ExceptionFileFilterModuleNameUnhandledlstrcat
String ID: .txt$C:\Windows\SysWOW64\svchost.exe.txt
API String ID: 123458844-2612252972
Opcode ID: 0ffd31230b94e0d72ef5655b12fac63330c5905bcad9a32dc81ac4389c739be8
Instruction ID: 1d2f06c9f1f571fc3f21acc7e1b48d13e1171b3b3d7f3e39b4f6663a930daf0a
Opcode Fuzzy Hash: 0ffd31230b94e0d72ef5655b12fac63330c5905bcad9a32dc81ac4389c739be8
Instruction Fuzzy Hash: 95D05E71A02330BFF700E7E17C8DBE52A38E748711F804112F701A2191CBB088408B51

Function 10005660 Relevance: 6.1, APIs: 4, Instructions: 80fileCOMMON

Download Yara Rule

APIs

Part of subcall function 100023A0: RtlEnterCriticalSection.NTDLL(?), ref: 100023A8
Part of subcall function 100023A0: LeaveCriticalSection.KERNEL32(?,00000400), ref: 100023C1

ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000104,00000000), ref: 100056AA

Part of subcall function 100042F0: lstrcpyA.KERNEL32(00000000,?), ref: 10004322
Part of subcall function 100042F0: strstr.MSVCRT ref: 1000432E
Part of subcall function 100042F0: lstrcatA.KERNEL32(?,00000006), ref: 1000437E
Part of subcall function 100042F0: lstrcpyA.KERNEL32(?,?), ref: 1000438A
Part of subcall function 100042F0: strstr.MSVCRT ref: 10004396
Part of subcall function 100042F0: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100043CE
Part of subcall function 100042F0: lstrcatA.KERNEL32(?,?), ref: 100043DD
Part of subcall function 100042F0: lstrlenA.KERNEL32(?), ref: 100043E4

Part of subcall function 10004850: lstrlenA.KERNEL32(?), ref: 10004881
Part of subcall function 10004850: malloc.MSVCRT ref: 10004889
Part of subcall function 10004850: lstrcpyA.KERNEL32(00000000,?), ref: 100048A0
Part of subcall function 10004850: GetFileAttributesA.KERNEL32(00000000), ref: 100048DB
Part of subcall function 10004850: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 100048EB
Part of subcall function 10004850: GetLastError.KERNEL32 ref: 100048F5
Part of subcall function 10004850: free.MSVCRT ref: 1000490A

FindFirstFileA.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 10005700
FindClose.KERNEL32(00000000,0000006D,?,00000000,00000000,00000001), ref: 10005729
FindClose.KERNEL32(00000000,?,00000000,00000000,00000001), ref: 10005742

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Findlstrcpy$CloseCriticalDirectoryFileSectionlstrcatlstrlenstrstr$AttributesCreateEnterEnvironmentErrorExpandFirstLastLeaveStringsSystemfreemalloc
String ID:
API String ID: 3932519220-0
Opcode ID: 0d8f9a0eaa92b1f5a8b42101a2ccd0f4d01bc5d6199b0b5776c7bd398975930a
Instruction ID: c3f288a6c87b5193cc76b8ed93b044eb4ecd32d0458bafcff27515ecb31b9308
Opcode Fuzzy Hash: 0d8f9a0eaa92b1f5a8b42101a2ccd0f4d01bc5d6199b0b5776c7bd398975930a
Instruction Fuzzy Hash: E921D675300600ABE324E724C896BAFB3A5EFC4701F10492EF29A87290DB75B9058B91

Function 1000FC40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 1000F940: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F951
Part of subcall function 1000F940: ??2@YAPAXI@Z.MSVCRT(00000128), ref: 1000F95E
Part of subcall function 1000F940: Process32First.KERNEL32(00000000,00000000), ref: 1000F970
Part of subcall function 1000F940: lstrcmpiA.KERNEL32(00000024,?), ref: 1000F983
Part of subcall function 1000F940: Process32Next.KERNEL32(00000000,00000000), ref: 1000F98F
Part of subcall function 1000F940: lstrcmpiA.KERNEL32(00000024,?), ref: 1000F99B
Part of subcall function 1000F940: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000F9AD
Part of subcall function 1000F940: CloseHandle.KERNEL32(00000000), ref: 1000F9B6

OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1000FC9C
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1000FCB2

Strings

explorer.exe, xrefs: 1000FC66

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: OpenProcessProcess32lstrcmpi$??2@??3@CloseCreateFirstHandleNextSnapshotTokenToolhelp32
String ID: explorer.exe
API String ID: 137257274-3187896405
Opcode ID: 44fa22bd778977caefb0fd81e46d669058d6ad1d0f7963aa88c17fc895bc60b3
Instruction ID: b4a92bf0a9f4b9d115f89efeaa1c0684825e6d38be4f32da24b90b6a5b23e8b2
Opcode Fuzzy Hash: 44fa22bd778977caefb0fd81e46d669058d6ad1d0f7963aa88c17fc895bc60b3
Instruction Fuzzy Hash: 3201B9B5D00658AFE750DF998D45FEEFBF8FB84660F10021AF924E3680D73519018BA1

Function 1000F6A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 1000F600: GetCurrentProcess.KERNEL32 ref: 1000F618
Part of subcall function 1000F600: OpenProcessToken.ADVAPI32(00000000), ref: 1000F61F
Part of subcall function 1000F600: CloseHandle.KERNEL32(?), ref: 1000F632

ExitWindowsEx.USER32(?,00000000), ref: 1000F6B6

Part of subcall function 1000F600: LookupPrivilegeValueA.ADVAPI32(00000000,?,00000000), ref: 1000F65E
Part of subcall function 1000F600: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000010,00000000,00000000), ref: 1000F676
Part of subcall function 1000F600: GetLastError.KERNEL32 ref: 1000F67C
Part of subcall function 1000F600: CloseHandle.KERNEL32(?), ref: 1000F68D

Strings

SeShutdownPrivilege, xrefs: 1000F6A2, 1000F6BE

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 681424410-3733053543
Opcode ID: b6682bc72b426bb4c2e2cd5dc50149dc092fbfd1bcb9edf6ba7fb169c5ec3514
Instruction ID: 361c1fb6bc7d7f3d3de8248a37518e961179a30db7be295a9d8ea752b5a88b14
Opcode Fuzzy Hash: b6682bc72b426bb4c2e2cd5dc50149dc092fbfd1bcb9edf6ba7fb169c5ec3514
Instruction Fuzzy Hash: 1AC0807C540200F7FD10D7907C47F863101EB14742FA04414F70C755D2D97271144566

Function 1000AC00 Relevance: 3.2, APIs: 2, Instructions: 151keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000000), ref: 1000AC40
BlockInput.USER32(?,?,?,00000000), ref: 1000AC59

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 9f6456709b8408ee7456789845f9cb6f0486a63b520b33b661a49fb8b2233276
Instruction ID: 7fd2c0aa583829303679202be6d0bd99b72acd7bc595da93fbbd7766a2dfca56
Opcode Fuzzy Hash: 9f6456709b8408ee7456789845f9cb6f0486a63b520b33b661a49fb8b2233276
Instruction Fuzzy Hash: E441D537B089889BD314DF59E4517BEFBA5F785A61F0082AFE85683B40CB366914C7D0

Function 1000B860 Relevance: 3.1, APIs: 2, Instructions: 117COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 1000B876
GetCursorInfo.USER32(?,74DF0F00,00000008), ref: 1000B897

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Cursor$Info
String ID:
API String ID: 2372773257-0
Opcode ID: f3bfb25facf0514a7057ad2df59d11cd15cb1b4e73ce52fa50420acd6915effa
Instruction ID: 675e944218638361a79c5bcad3f56e27e7e7a52f3585c7383346132f56f14f0e
Opcode Fuzzy Hash: f3bfb25facf0514a7057ad2df59d11cd15cb1b4e73ce52fa50420acd6915effa
Instruction Fuzzy Hash: 14412B75204B019FE324CF28C590BABB3E6EFC9740F14891DE59A87356DB70B905CB52

Function 10007D90 Relevance: 89.4, APIs: 25, Strings: 26, Instructions: 110libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,mixerGetNumDevs), ref: 10007DAD
GetProcAddress.KERNEL32(00000000,mixerOpen), ref: 10007DBA
GetProcAddress.KERNEL32(00000000,mixerClose), ref: 10007DC7
GetProcAddress.KERNEL32(00000000,mixerSetControlDetails), ref: 10007DD4
GetProcAddress.KERNEL32(00000000,mixerGetLineInfoA), ref: 10007DE1
GetProcAddress.KERNEL32(00000000,mixerGetLineControlsA), ref: 10007DEE
GetProcAddress.KERNEL32(00000000,mixerGetControlDetailsA), ref: 10007DFB
GetProcAddress.KERNEL32(00000000,waveInClose), ref: 10007E08
GetProcAddress.KERNEL32(00000000,waveInOpen), ref: 10007E15
GetProcAddress.KERNEL32(00000000,waveInPrepareHeader), ref: 10007E22
GetProcAddress.KERNEL32(00000000,waveInUnprepareHeader), ref: 10007E2F
GetProcAddress.KERNEL32(00000000,waveInAddBuffer), ref: 10007E3C
GetProcAddress.KERNEL32(00000000,waveInStart), ref: 10007E49
GetProcAddress.KERNEL32(00000000,waveInStop), ref: 10007E56
GetProcAddress.KERNEL32(00000000,waveInReset), ref: 10007E63
GetProcAddress.KERNEL32(00000000,waveOutClose), ref: 10007E70
GetProcAddress.KERNEL32(00000000,waveOutOpen), ref: 10007E7D
GetProcAddress.KERNEL32(00000000,waveOutPrepareHeader), ref: 10007E8A
GetProcAddress.KERNEL32(00000000,waveOutUnprepareHeader), ref: 10007E97
GetProcAddress.KERNEL32(00000000,waveOutWrite), ref: 10007EA4
GetProcAddress.KERNEL32(00000000,waveOutReset), ref: 10007EB1
GetProcAddress.KERNEL32(00000000,waveInGetNumDevs), ref: 10007EBE
GetProcAddress.KERNEL32(00000000,waveOutGetNumDevs), ref: 10007ECB
GetProcAddress.KERNEL32(00000000,mixerGetDevCapsA), ref: 10007ED8
GetProcAddress.KERNEL32(00000000,waveInGetDevCapsA), ref: 10007EE5

Strings

waveInStart, xrefs: 10007E3E
waveOutClose, xrefs: 10007E65
mixerOpen, xrefs: 10007DAF
waveOutPrepareHeader, xrefs: 10007E7F
waveOutWrite, xrefs: 10007E99
waveOutReset, xrefs: 10007EA6
waveOutUnprepareHeader, xrefs: 10007E8C
waveOutGetNumDevs, xrefs: 10007EC0
mixerSetControlDetails, xrefs: 10007DC9
mixerGetControlDetailsA, xrefs: 10007DF0
wINmM.dLl, xrefs: 10007D92
mixerGetLineControlsA, xrefs: 10007DE3
mixerGetDevCapsA, xrefs: 10007ECD
waveInUnprepareHeader, xrefs: 10007E24
waveInOpen, xrefs: 10007E0A
mixerGetNumDevs, xrefs: 10007DA7
waveInGetDevCapsA, xrefs: 10007EDA
waveInGetNumDevs, xrefs: 10007EB3
waveOutOpen, xrefs: 10007E72
waveInAddBuffer, xrefs: 10007E31
waveInPrepareHeader, xrefs: 10007E17
waveInReset, xrefs: 10007E58
waveInClose, xrefs: 10007DFD
mixerGetLineInfoA, xrefs: 10007DD6
waveInStop, xrefs: 10007E4B
mixerClose, xrefs: 10007DBC

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: mixerClose$mixerGetControlDetailsA$mixerGetDevCapsA$mixerGetLineControlsA$mixerGetLineInfoA$mixerGetNumDevs$mixerOpen$mixerSetControlDetails$wINmM.dLl$waveInAddBuffer$waveInClose$waveInGetDevCapsA$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInReset$waveInStart$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader$waveOutReset$waveOutUnprepareHeader$waveOutWrite
API String ID: 551388010-1525772563
Opcode ID: 1bd66437266f9b4567ecd2494d0a95af6a5b66ad5d8f76a7f810c33af7b4e8e3
Instruction ID: 46035b7744f41079a9091a19419f2641917d1424d4c5813b3ed565b200d7fab3
Opcode Fuzzy Hash: 1bd66437266f9b4567ecd2494d0a95af6a5b66ad5d8f76a7f810c33af7b4e8e3
Instruction Fuzzy Hash: EB31387081A36879E610EBB69D5CCAB2DE9EFA6214361052FE604DB121D77490829FA1

Function 10007EF0 Relevance: 68.3, APIs: 19, Strings: 20, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,AttachConsole), ref: 10007F0D
GetProcAddress.KERNEL32(00000000,AllocConsole), ref: 10007F1A
GetProcAddress.KERNEL32(00000000,FreeConsole), ref: 10007F27
GetProcAddress.KERNEL32(00000000,FillConsoleOutputCharacterA), ref: 10007F34
GetProcAddress.KERNEL32(00000000,WriteConsoleOutputA), ref: 10007F41
GetProcAddress.KERNEL32(00000000,GenerateConsoleCtrlEvent), ref: 10007F4E
GetProcAddress.KERNEL32(00000000,GetConsoleCP), ref: 10007F5B
GetProcAddress.KERNEL32(00000000,SetConsoleCP), ref: 10007F68
GetProcAddress.KERNEL32(00000000,GetConsoleOutputCP), ref: 10007F75
GetProcAddress.KERNEL32(00000000,SetConsoleOutputCP), ref: 10007F82
GetProcAddress.KERNEL32(00000000,GetConsoleScreenBufferInfo), ref: 10007F8F
GetProcAddress.KERNEL32(00000000,GetConsoleTitleA), ref: 10007F9C
GetProcAddress.KERNEL32(00000000,GetConsoleWindow), ref: 10007FA9
GetProcAddress.KERNEL32(00000000,ReadConsoleOutputA), ref: 10007FB6
GetProcAddress.KERNEL32(00000000,SetConsoleCtrlHandler), ref: 10007FC3
GetProcAddress.KERNEL32(00000000,SetConsoleScreenBufferSize), ref: 10007FD0
GetProcAddress.KERNEL32(00000000,SetConsoleWindowInfo), ref: 10007FDD
GetProcAddress.KERNEL32(00000000,WriteConsoleInputA), ref: 10007FEA
GetProcAddress.KERNEL32(00000000,GetStdHandle), ref: 10007FF7

Strings

GetConsoleScreenBufferInfo, xrefs: 10007F84
WriteConsoleOutputA, xrefs: 10007F36
GetStdHandle, xrefs: 10007FEC
GenerateConsoleCtrlEvent, xrefs: 10007F43
WriteConsoleInputA, xrefs: 10007FDF
FreeConsole, xrefs: 10007F1C
AttachConsole, xrefs: 10007F07
kernel32.dll, xrefs: 10007EF2
SetConsoleOutputCP, xrefs: 10007F77
GetConsoleTitleA, xrefs: 10007F91
SetConsoleWindowInfo, xrefs: 10007FD2
GetConsoleCP, xrefs: 10007F50
SetConsoleCP, xrefs: 10007F5D
ReadConsoleOutputA, xrefs: 10007FAB
GetConsoleWindow, xrefs: 10007F9E
GetConsoleOutputCP, xrefs: 10007F6A
FillConsoleOutputCharacterA, xrefs: 10007F29
SetConsoleScreenBufferSize, xrefs: 10007FC5
AllocConsole, xrefs: 10007F0F
SetConsoleCtrlHandler, xrefs: 10007FB8

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: AllocConsole$AttachConsole$FillConsoleOutputCharacterA$FreeConsole$GenerateConsoleCtrlEvent$GetConsoleCP$GetConsoleOutputCP$GetConsoleScreenBufferInfo$GetConsoleTitleA$GetConsoleWindow$GetStdHandle$ReadConsoleOutputA$SetConsoleCP$SetConsoleCtrlHandler$SetConsoleOutputCP$SetConsoleScreenBufferSize$SetConsoleWindowInfo$WriteConsoleInputA$WriteConsoleOutputA$kernel32.dll
API String ID: 551388010-3136314718
Opcode ID: 57f616a55f4e144146e4ea609a991c705d8374673020fbdc73a6c1e3f7e3bf25
Instruction ID: 162f278b92dfe395bfd7fc97045eee065fc035ce411e4143a13b73aefa157e67
Opcode Fuzzy Hash: 57f616a55f4e144146e4ea609a991c705d8374673020fbdc73a6c1e3f7e3bf25
Instruction Fuzzy Hash: 1B215B71C1667479EB10FBB68C58CE72DE8EFE6245312452FF504D6121DBB48182CFA4

Function 10008010 Relevance: 64.8, APIs: 18, Strings: 19, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,FreeSid), ref: 1000802D
GetProcAddress.KERNEL32(00000000,GetLengthSid), ref: 1000803A
GetProcAddress.KERNEL32(00000000,GetTokenInformation), ref: 10008047
GetProcAddress.KERNEL32(00000000,InitializeAcl), ref: 10008054
GetProcAddress.KERNEL32(00000000,InitializeSecurityDescriptor), ref: 10008061
GetProcAddress.KERNEL32(00000000,IsValidSid), ref: 1000806E
GetProcAddress.KERNEL32(00000000,LookupAccountNameA), ref: 1000807B
GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 10008088
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 10008095
GetProcAddress.KERNEL32(00000000,LsaClose), ref: 100080A2
GetProcAddress.KERNEL32(00000000,LsaFreeMemory), ref: 100080AF
GetProcAddress.KERNEL32(00000000,LsaOpenPolicy), ref: 100080BC
GetProcAddress.KERNEL32(00000000,LsaRetrievePrivateData), ref: 100080C9
GetProcAddress.KERNEL32(00000000,SetSecurityDescriptorDacl), ref: 100080D6
GetProcAddress.KERNEL32(00000000,AddAccessAllowedAce), ref: 100080E3
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 100080F0
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 100080FD
GetProcAddress.KERNEL32(00000000,BuildExplicitAccessWithNameA), ref: 1000810A

Strings

AllocateAndInitializeSid, xrefs: 100080F2
AddAccessAllowedAce, xrefs: 100080D8
IsValidSid, xrefs: 10008063
FreeSid, xrefs: 10008027
advapi32.dll, xrefs: 10008012
LookupPrivilegeValueA, xrefs: 1000808A
BuildExplicitAccessWithNameA, xrefs: 100080FF
SetSecurityDescriptorDacl, xrefs: 100080CB
LsaOpenPolicy, xrefs: 100080B1
LsaRetrievePrivateData, xrefs: 100080BE
InitializeSecurityDescriptor, xrefs: 10008056
AdjustTokenPrivileges, xrefs: 100080E5
GetTokenInformation, xrefs: 1000803C
GetLengthSid, xrefs: 1000802F
LsaFreeMemory, xrefs: 100080A4
LsaClose, xrefs: 10008097
LookupAccountNameA, xrefs: 10008070
LookupAccountSidA, xrefs: 1000807D
InitializeAcl, xrefs: 10008049

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: AddAccessAllowedAce$AdjustTokenPrivileges$AllocateAndInitializeSid$BuildExplicitAccessWithNameA$FreeSid$GetLengthSid$GetTokenInformation$InitializeAcl$InitializeSecurityDescriptor$IsValidSid$LookupAccountNameA$LookupAccountSidA$LookupPrivilegeValueA$LsaClose$LsaFreeMemory$LsaOpenPolicy$LsaRetrievePrivateData$SetSecurityDescriptorDacl$advapi32.dll
API String ID: 551388010-1207734947
Opcode ID: 5dbc3cb666cfe8f01a1b1e0384d0749019e8e360227716b242f58f626bc8a47a
Instruction ID: bbad210a2aa7f12586fb3f27c9e7d0b0576f0b8b4215e7906dc73ada480f103f
Opcode Fuzzy Hash: 5dbc3cb666cfe8f01a1b1e0384d0749019e8e360227716b242f58f626bc8a47a
Instruction Fuzzy Hash: 54215AB18127747AE660FFB6AC8CDC73D9EEED5300791452BF204A2512DB784112CFA4

Function 100088E0 Relevance: 49.1, APIs: 13, Strings: 15, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,capCreateCaptureWindowA), ref: 100088FD
GetProcAddress.KERNEL32(00000000,capGetDriverDescriptionA), ref: 1000890A
GetProcAddress.KERNEL32(00000000,ICSeqCompressFrameStart), ref: 10008926
GetProcAddress.KERNEL32(00000000,ICSeqCompressFrameEnd), ref: 10008933
GetProcAddress.KERNEL32(00000000,ICSeqCompressFrame), ref: 10008940
GetProcAddress.KERNEL32(00000000,ICCompressorFree), ref: 1000894D
GetProcAddress.KERNEL32(00000000,ICClose), ref: 1000895A
GetProcAddress.KERNEL32(00000000,ICSendMessage), ref: 10008967
GetProcAddress.KERNEL32(00000000,ICOpen), ref: 10008974
GetProcAddress.KERNEL32(00000000,ICInfo), ref: 10008981
GetProcAddress.KERNEL32(00000000,ICInstall), ref: 1000898E
GetProcAddress.KERNEL32(00000000,ICRemove), ref: 1000899B
GetProcAddress.KERNEL32(00000000,ICLocate), ref: 100089A8

Strings

ICCompressorFree, xrefs: 10008942
AVICAP32.DLL, xrefs: 100088E2
capGetDriverDescriptionA, xrefs: 100088FF
ICLocate, xrefs: 1000899D
ICRemove, xrefs: 10008990
ICInstall, xrefs: 10008983
ICSeqCompressFrame, xrefs: 10008935
capCreateCaptureWindowA, xrefs: 100088F7
ICOpen, xrefs: 10008969
ICSendMessage, xrefs: 1000895C
ICSeqCompressFrameStart, xrefs: 10008920
ICInfo, xrefs: 10008976
ICSeqCompressFrameEnd, xrefs: 10008928
MSVFW32.DLL, xrefs: 1000890C
ICClose, xrefs: 1000894F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: AVICAP32.DLL$ICClose$ICCompressorFree$ICInfo$ICInstall$ICLocate$ICOpen$ICRemove$ICSendMessage$ICSeqCompressFrame$ICSeqCompressFrameEnd$ICSeqCompressFrameStart$MSVFW32.DLL$capCreateCaptureWindowA$capGetDriverDescriptionA
API String ID: 551388010-2170818041
Opcode ID: f3e780080a4519ee2e0767ffacbc0619af12fc5095d359d95e6b1e4b219fbd70
Instruction ID: 9bbad4689f7b44fd5fea2b51becec83ef4a0463f0672060762822429e47ebffb
Opcode Fuzzy Hash: f3e780080a4519ee2e0767ffacbc0619af12fc5095d359d95e6b1e4b219fbd70
Instruction Fuzzy Hash: 5011E270C013347AEA22EBB76C48C57BDFEED95558390052BF50893122DB749102CEA5

Function 10004980 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 286stringregistryprocessCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?), ref: 100049F2

Part of subcall function 100042F0: lstrcpyA.KERNEL32(00000000,?), ref: 10004322
Part of subcall function 100042F0: strstr.MSVCRT ref: 1000432E
Part of subcall function 100042F0: lstrcatA.KERNEL32(?,00000006), ref: 1000437E
Part of subcall function 100042F0: lstrcpyA.KERNEL32(?,?), ref: 1000438A
Part of subcall function 100042F0: strstr.MSVCRT ref: 10004396
Part of subcall function 100042F0: GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100043CE
Part of subcall function 100042F0: lstrcatA.KERNEL32(?,?), ref: 100043DD
Part of subcall function 100042F0: lstrlenA.KERNEL32(?), ref: 100043E4

lstrcpyA.KERNEL32(?,?), ref: 10004A25

Part of subcall function 10004500: GetFileAttributesA.KERNEL32(?,10005C14,?,?,?,?,?,?,?,?,?,?,?), ref: 10004505

strrchr.MSVCRT ref: 10004A3F
lstrcpyA.KERNEL32(?,?), ref: 10004A89
strrchr.MSVCRT ref: 10004A96
RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 10004AB7
RegQueryValueA.ADVAPI32(?,00000000,?,?), ref: 10004AD5
RegCloseKey.ADVAPI32(?), ref: 10004AE0
wsprintfA.USER32 ref: 10004B08
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,000F003F,?), ref: 10004B29
RegQueryValueA.ADVAPI32 ref: 10004B67
RegCloseKey.ADVAPI32(?), ref: 10004B72
strstr.MSVCRT ref: 10004B82
strstr.MSVCRT ref: 10004B9A
strstr.MSVCRT ref: 10004BB1
lstrcatA.KERNEL32(?,1001FAB8), ref: 10004C37
lstrcpyA.KERNEL32(?,?), ref: 10004C51
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10004CAA
CloseHandle.KERNEL32(?), ref: 10004CBF
CloseHandle.KERNEL32(?), ref: 10004CC6
strstr.MSVCRT ref: 10004CDA
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 10004CF1

Strings

D, xrefs: 10004C6A
"%1, xrefs: 10004B7C
%TEMP%, xrefs: 10004CD4
baijinUPdate, xrefs: 10004BAB
%s\shell\open\command, xrefs: 10004B02

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: strstr$lstrcpy$Close$lstrcat$FileHandleOpenQueryValuestrrchr$AttributesCreateDirectoryEnvironmentExpandMoveProcessStringsSystemlstrlenwsprintf
String ID: "%1$%TEMP%$%s\shell\open\command$D$baijinUPdate
API String ID: 2195187892-1061999522
Opcode ID: c90e3b9c0d6f74ab3cb8f7309ab84cdb80512adbc4e306f567b753ef6a171df7
Instruction ID: bfdb97ef6b95161c7a9801c1950dfda7fe7d38df5becf5aa3d86cffbb569b85a
Opcode Fuzzy Hash: c90e3b9c0d6f74ab3cb8f7309ab84cdb80512adbc4e306f567b753ef6a171df7
Instruction Fuzzy Hash: ED9107B25083456FE714CB74DC84EAB77E9EBC8350F404A2DF64997180EB75EA09CB62

Function 10008F00 Relevance: 43.8, APIs: 2, Strings: 23, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(NTDLL.DLL,?,00000000,1002297C,00000200,00000000,10008DDE,?,//===============[%d-%d-%d %d:%d:%d]======================,?,?,?,?,?,?), ref: 1000901E
FormatMessageA.KERNEL32(00000A00,00000000,?,//===============[%d-%d-%d %d:%d:%d]======================,?,?,?,?,?,?,?,?), ref: 1000902A

Strings

PRIV_INSTRUCTION, xrefs: 10008FFE
NTDLL.DLL, xrefs: 10009019
FLT_DENORMAL_OPERAND, xrefs: 10008FAE
INT_DIVIDE_BY_ZERO, xrefs: 10008FF2
FLT_UNDERFLOW, xrefs: 10008FEC
INVALID_DISPOSITION, xrefs: 10008FA2
IN_PAGE_ERROR, xrefs: 10008F69
DATATYPE_MISALIGNMENT, xrefs: 10008F39
FLT_STACK_CHECK, xrefs: 10008FE6
SINGLE_STEP, xrefs: 10008F63
FLT_INEXACT_RESULT, xrefs: 10008FD4
INVALID_HANDLE, xrefs: 10008FA8
FLT_INVALID_OPERATION, xrefs: 10008FDA
FLT_DIVIDE_BY_ZERO, xrefs: 10008FCE
BREAKPOINT, xrefs: 10008F45
INT_OVERFLOW, xrefs: 10008FF8
STACK_OVERFLOW, xrefs: 10009004, 10009018
ILLEGAL_INSTRUCTION, xrefs: 10008F96
ARRAY_BOUNDS_EXCEEDED, xrefs: 10008F90
FLT_OVERFLOW, xrefs: 10008FE0
NONCONTINUABLE_EXCEPTION, xrefs: 10008F9C
ACCESS_VIOLATION, xrefs: 10008F5D
GUARD_PAGE, xrefs: 10008F3F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FormatHandleMessageModule
String ID: ACCESS_VIOLATION$ARRAY_BOUNDS_EXCEEDED$BREAKPOINT$DATATYPE_MISALIGNMENT$FLT_DENORMAL_OPERAND$FLT_DIVIDE_BY_ZERO$FLT_INEXACT_RESULT$FLT_INVALID_OPERATION$FLT_OVERFLOW$FLT_STACK_CHECK$FLT_UNDERFLOW$GUARD_PAGE$ILLEGAL_INSTRUCTION$INT_DIVIDE_BY_ZERO$INT_OVERFLOW$INVALID_DISPOSITION$INVALID_HANDLE$IN_PAGE_ERROR$NONCONTINUABLE_EXCEPTION$NTDLL.DLL$PRIV_INSTRUCTION$SINGLE_STEP$STACK_OVERFLOW
API String ID: 2046974992-1041383458
Opcode ID: 2fb9bd78820e4340342e34873f9854f97554b6fcbba4fc28ce8fec3c276c5a22
Instruction ID: 0a35bca63697aea117e2513abc35e725dd8648cb77e7d847ccaf74d6811c8f06
Opcode Fuzzy Hash: 2fb9bd78820e4340342e34873f9854f97554b6fcbba4fc28ce8fec3c276c5a22
Instruction Fuzzy Hash: 6421292C7802C24BFB94D72869947AD6193F785290FE881E5F6C9C7EAACE6DCD815201

Function 1000A680 Relevance: 33.2, APIs: 22, Instructions: 226stringregistryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000A708
RegCreateKeyExA.ADVAPI32(00000000,00000003), ref: 1000A71D
lstrlenA.KERNEL32(?), ref: 1000A72C
SHDeleteKeyA.SHLWAPI(00000000,?,00000003), ref: 1000A741
lstrlenA.KERNEL32(?,00000000,?,00000003), ref: 1000A756
lstrlenA.KERNEL32(00000001,?,00000003), ref: 1000A75D
RegCreateKeyExA.ADVAPI32(00000000,00000000,?,00000003), ref: 1000A782
SHCopyKeyA.SHLWAPI(00000000,?,00000000,?,00000003), ref: 1000A7A1
RegDeleteKeyA.ADVAPI32(00000000), ref: 1000A7BA
lstrlenA.KERNEL32(?,?,?,00000001,?,00000003), ref: 1000A7CF
lstrlenA.KERNEL32(00000001,?,?,00000001,?,00000003), ref: 1000A7D6
RegSetValueExA.ADVAPI32(00000000,00000001,00000000,?,-00000007,?,?,?,?,?,00000001,?,00000003), ref: 1000A80E
lstrlenA.KERNEL32(?,?,?,?,?,00000001,?,00000003), ref: 1000A81D
lstrlenA.KERNEL32(?,?,?,?,?,?,?,00000001,?,00000003), ref: 1000A84A
lstrlenA.KERNEL32(00000001,?,?,?,?,?,?,00000001,?,00000003), ref: 1000A851
RegDeleteValueA.ADVAPI32(00000000,00000001,?,?,?,?,?,?,00000001,?,00000003), ref: 1000A8EB
RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 1000A912

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen$Delete$CreateValue$CloseCopy
String ID:
API String ID: 403517128-0
Opcode ID: 1bb1dd8aa6c3b853207b918c3cfeb3489d6ed0f5c57b8470b79a41668fa50094
Instruction ID: 62bbafedbb5b5799a4041e6cec194c8b26de3e9c1fc9c2a0343a9fe05c258005
Opcode Fuzzy Hash: 1bb1dd8aa6c3b853207b918c3cfeb3489d6ed0f5c57b8470b79a41668fa50094
Instruction Fuzzy Hash: 7861C7B5644316BFF210DF609C86F6F33ACEF45384F008A28F91596146EB31EA498772

Function 1000F410 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 153stringmemoryprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 1000F600: GetCurrentProcess.KERNEL32 ref: 1000F618
Part of subcall function 1000F600: OpenProcessToken.ADVAPI32(00000000), ref: 1000F61F
Part of subcall function 1000F600: CloseHandle.KERNEL32(?), ref: 1000F632

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 1000F457
LocalAlloc.KERNEL32 ref: 1000F484
Process32First.KERNEL32(00000000,?), ref: 1000F49B
OpenProcess.KERNEL32(00000410,00000000,00000128), ref: 1000F4B5
GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 1000F4F9
lstrlenA.KERNEL32(?), ref: 1000F50A
lstrlenA.KERNEL32(00000000), ref: 1000F516
LocalSize.KERNEL32(00000000), ref: 1000F520
LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 1000F52E
lstrlenA.KERNEL32(?), ref: 1000F545
lstrlenA.KERNEL32(?), ref: 1000F56A
lstrlenA.KERNEL32(00000000), ref: 1000F578
lstrlenA.KERNEL32(00000000), ref: 1000F59D

Strings

SeDebugPrivilege, xrefs: 1000F445, 1000F5DA

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen$LocalProcess$AllocOpen$CloseCreateCurrentFileFirstHandleModuleNameProcess32SizeSnapshotTokenToolhelp32
String ID: SeDebugPrivilege
API String ID: 3314448784-2896544425
Opcode ID: 91ef5bda2465e951ea60235f178e8da80ee563faff819dfbb8be2752a7edc3a3
Instruction ID: b339349cc301cb9f233d258bc38710a56b367f6a5190ecb9750e295057164dfb
Opcode Fuzzy Hash: 91ef5bda2465e951ea60235f178e8da80ee563faff819dfbb8be2752a7edc3a3
Instruction Fuzzy Hash: 13513671604305AFE721DF60CC84BAB77E9FB88344F00482DFA4A97290DB78E909CB52

Function 1000A060 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 126registrylibrarystringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000FBC0: GetVersionExA.KERNEL32(?), ref: 1000FBE8
Part of subcall function 1000FBC0: GetVersionExA.KERNEL32(0000009C), ref: 1000FBFB

LookupAccountNameA.ADVAPI32 ref: 1000A0B4
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 1000A0C3
GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidA), ref: 1000A0CF
RegOpenKeyA.ADVAPI32(80000003,?,00000000), ref: 1000A0FB
LocalFree.KERNEL32(?), ref: 1000A106
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000A10D
RegEnumKeyExA.ADVAPI32 ref: 1000A144
_memicmp.MSVCRT ref: 1000A16B
lstrlenA.KERNEL32(?,500,00000003,00000000,?), ref: 1000A183
_memicmp.MSVCRT ref: 1000A18F
RegOpenKeyA.ADVAPI32(80000003,?,?), ref: 1000A1AA

Strings

S-1-5-21-, xrefs: 1000A165
d, xrefs: 1000A0A4
advapi32.dll, xrefs: 1000A0BE
ConvertSidToStringSidA, xrefs: 1000A0C9
500, xrefs: 1000A17D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: OpenVersion_memicmp$??3@AccountAddressEnumFreeHandleLocalLookupModuleNameProclstrlen
String ID: 500$ConvertSidToStringSidA$S-1-5-21-$advapi32.dll$d
API String ID: 962094710-3143902932
Opcode ID: 8d7dfae49633fde00fdd58a27183bd849d3b31d2b5c819403bebf930d6c90c99
Instruction ID: 0ad2384039715fc5b92e64d5877a21bd7c30e1c811a7d1300b332d5c87649f83
Opcode Fuzzy Hash: 8d7dfae49633fde00fdd58a27183bd849d3b31d2b5c819403bebf930d6c90c99
Instruction Fuzzy Hash: 89412C72104312AEF310DB64CC98FEB77ECEB85794F408A1CF95996144E774DA49CBA2

Function 1000E330 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 96stringfileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000E347
lstrcpyA.KERNEL32(?,?), ref: 1000E360
lstrcatA.KERNEL32(?,1001F9CC), ref: 1000E372
lstrlenA.KERNEL32(?), ref: 1000E379
lstrcpyA.KERNEL32(?,1001F014), ref: 1000E38E

Part of subcall function 10003F10: _itoa.MSVCRT ref: 10003F70
Part of subcall function 10003F10: tolower.MSVCRT ref: 10003F90

lstrcatA.KERNEL32(?,.cfg), ref: 1000E39F
CreateFileA.KERNEL32(?,00000002,00000000,00000000,00000004,00000080,00000000), ref: 1000E3B5
GetTickCount.KERNEL32 ref: 1000E3E1
srand.MSVCRT ref: 1000E3E8
rand.MSVCRT ref: 1000E3F0
_ftol.MSVCRT ref: 1000E403
WriteFile.KERNEL32(00000000,?,000005F8,?,00000000), ref: 1000E430
CloseHandle.KERNEL32(00000000), ref: 1000E437
lstrcatA.KERNEL32(?,\kernel32.dll), ref: 1000E44A

Strings

\kernel32.dll, xrefs: 1000E444
.cfg, xrefs: 1000E399

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcat$Filelstrcpy$CloseCountCreateDirectoryHandleSystemTickWrite_ftol_itoalstrlenrandsrandtolower
String ID: .cfg$\kernel32.dll
API String ID: 1789050244-3861637056
Opcode ID: 697ddc1d696ab2cafb5df6468ba17f223c85da56664b46952e4abcb81e80941f
Instruction ID: fe55668757c34aece68da91c117663593229298112eeb18e9ab49308ed6da99d
Opcode Fuzzy Hash: 697ddc1d696ab2cafb5df6468ba17f223c85da56664b46952e4abcb81e80941f
Instruction Fuzzy Hash: CA31E771404356ABE610DB60DC89FEB77A8EB99304F008928F78557192EB74E54ECBA2

Function 1000B340 Relevance: 25.7, APIs: 17, Instructions: 210COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00000000), ref: 1000B3FD

Part of subcall function 1000FCF0: GetCurrentThreadId.KERNEL32 ref: 1000FD2A
Part of subcall function 1000FCF0: GetThreadDesktop.USER32(00000000), ref: 1000FD31
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD58
Part of subcall function 1000FCF0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1000FD65
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD92
Part of subcall function 1000FCF0: lstrcmpiA.KERNEL32(?,?), ref: 1000FDA5
Part of subcall function 1000FCF0: SetThreadDesktop.USER32(00000000), ref: 1000FDB0
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDBC
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDC3

GetDC.USER32(00000000), ref: 1000B44D
GetTickCount.KERNEL32 ref: 1000B46A
GetSystemMetrics.USER32(00000000), ref: 1000B49A
GetSystemMetrics.USER32(00000001), ref: 1000B4A8
CreateCompatibleDC.GDI32(?), ref: 1000B4E1
CreateCompatibleDC.GDI32(?), ref: 1000B4F4
CreateCompatibleDC.GDI32(00000000), ref: 1000B501
CreateCompatibleDC.GDI32(00000000), ref: 1000B50E

Part of subcall function 1000BB50: ??2@YAPAXI@Z.MSVCRT(?,000000E4,00000000,00000000,000000E8,00000000,1000B541,?,?,00000001), ref: 1000BB7B
Part of subcall function 1000BB50: GetDC.USER32(00000000), ref: 1000BBD6
Part of subcall function 1000BB50: CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 1000BBE3
Part of subcall function 1000BB50: GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000BBF6
Part of subcall function 1000BB50: ReleaseDC.USER32(00000000,00000000), ref: 1000BBFF
Part of subcall function 1000BB50: DeleteObject.GDI32(00000000), ref: 1000BC06

CreateDIBSection.GDI32(?,?,00000000,000000E4,00000000,00000000), ref: 1000B598
CreateDIBSection.GDI32(?,?,00000000,000000E8,00000000,00000000), ref: 1000B5B6
CreateDIBSection.GDI32(?,?,00000000,00000100,00000000,00000000), ref: 1000B5DA
SelectObject.GDI32(?,?), ref: 1000B5F4
SelectObject.GDI32(?,?), ref: 1000B608
SelectObject.GDI32(?,?), ref: 1000B61C
SetRect.USER32(000000BC,00000000,00000000,?,?), ref: 1000B639
??2@YAPAXI@Z.MSVCRT(00000002), ref: 1000B64B

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Create$Object$CompatibleDesktop$SectionSelectThread$??2@CloseInformationMetricsSystemUser$BitmapBitsCountCurrentCursorDeleteInputLoadOpenRectReleaseTicklstrcmpi
String ID:
API String ID: 1909460377-0
Opcode ID: c282a488af0d1cfdf28b8172baf98a4407112152ce570638df2c821c047f3354
Instruction ID: 4b006eea317c32a42c5377640ceefec24a1a03faff04a2e04fbdc31c99ffa027
Opcode Fuzzy Hash: c282a488af0d1cfdf28b8172baf98a4407112152ce570638df2c821c047f3354
Instruction Fuzzy Hash: 829117B5504B429FE364CF64C888BA7BBE9FB48704F10891DE5AE87341DB74B845CB62

Function 100041D0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100041DB
GetProcAddress.KERNEL32 ref: 100041FF
OpenProcess.KERNEL32(00000451,00000000,?), ref: 10004213
OpenProcess.KERNEL32(00000450,00000000,?), ref: 1000422F
OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 10004254
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000003,00000001,00000000), ref: 1000426F
GetModuleFileNameExA.PSAPI(?,00000000,?,00000104), ref: 1000428B
GetLastError.KERNEL32 ref: 10004291
GetLongPathNameA.KERNEL32(?,?,00000104), ref: 1000429E
CloseHandle.KERNEL32(?), ref: 100042A9
TerminateProcess.KERNEL32(00000000,00000000), ref: 100042D3
CloseHandle.KERNEL32(?), ref: 100042E0

Strings

ntdll.dll, xrefs: 100041D6
ZwDuplicateObject, xrefs: 100041E1

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Process$HandleOpen$CloseModuleNameToken$AddressDuplicateErrorFileLastLongPathProcTerminate
String ID: ZwDuplicateObject$ntdll.dll
API String ID: 2954029881-4228780385
Opcode ID: 4149fbc85c42c10d78f24046b5777b2cc925e2cfad691b8b693d9ff3ad0b51b1
Instruction ID: 91f5d5c3f578c08bac091ad2933b8f4e5c09a64e7d199e297092d5a44eeb307f
Opcode Fuzzy Hash: 4149fbc85c42c10d78f24046b5777b2cc925e2cfad691b8b693d9ff3ad0b51b1
Instruction Fuzzy Hash: C83191B06443217FF600DF50CC89F6B7BE8EB48B60F118508FA54A62D0DAB4E9048BA6

Function 10003D10 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 85threadprocesslibraryCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 10003D2D
GetCurrentThreadId.KERNEL32 ref: 10003D35
GetCurrentProcessId.KERNEL32 ref: 10003D3F
GetModuleHandleA.KERNEL32(ntdll,ZwQueryInformationThread), ref: 10003D53
GetProcAddress.KERNEL32(00000000), ref: 10003D5A
Thread32First.KERNEL32(00000000,?), ref: 10003D68
OpenThread.KERNEL32(00000041,00000000,?,74DF0F00), ref: 10003D96
VirtualQuery.KERNEL32(?,?,0000001C), ref: 10003DBC
TerminateThread.KERNEL32(00000000,00000000), ref: 10003DD1
CloseHandle.KERNEL32(00000000), ref: 10003DD8
Thread32Next.KERNEL32(00000000,0000001C), ref: 10003DE4
CloseHandle.KERNEL32(00000000), ref: 10003DF0

Strings

ntdll, xrefs: 10003D4A
ZwQueryInformationThread, xrefs: 10003D45

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: HandleThread$CloseCurrentThread32$AddressCreateFirstModuleNextOpenProcProcessQuerySnapshotTerminateToolhelp32Virtual
String ID: ZwQueryInformationThread$ntdll
API String ID: 1032041570-2535630585
Opcode ID: 97a5da60e20bff8b7f95ef93b0187b49721e45b0736fd118bc639f93bd3bf63c
Instruction ID: 3efb098ae4529a8ecc4028589871f8c5eeb9a5c078cba439b90528098b69aba2
Opcode Fuzzy Hash: 97a5da60e20bff8b7f95ef93b0187b49721e45b0736fd118bc639f93bd3bf63c
Instruction Fuzzy Hash: 12218171604316AFF701DF60DC84FAB77EDEB88790F008819FA41D6254E774D9458B62

Function 10008860 Relevance: 24.5, APIs: 6, Strings: 8, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D3D
Part of subcall function 10007D30: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D56
Part of subcall function 10007D30: GetProcAddress.KERNEL32(00000000), ref: 10007D59
Part of subcall function 10007D30: LoadLibraryA.KERNEL32(?,?,?,100089CC,WTSAPI32.DLL,?,?,1000ECFE), ref: 10007D65

GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 1000887D
GetProcAddress.KERNEL32(00000000,GetVolumeInformationA), ref: 1000888A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 10008897
GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 100088A4
GetProcAddress.KERNEL32(00000000,SHGetFileInfoA), ref: 100088C0
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 100088CD

Strings

SHELL32.DLL, xrefs: 100088A6
SHGetSpecialFolderPathA, xrefs: 100088C2
GetDriveTypeA, xrefs: 10008899
GetLogicalDriveStringsA, xrefs: 10008877
GetVolumeInformationA, xrefs: 1000887F
kernel32.dll, xrefs: 10008862
GetDiskFreeSpaceExA, xrefs: 1000888C
SHGetFileInfoA, xrefs: 100088BA

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: GetDiskFreeSpaceExA$GetDriveTypeA$GetLogicalDriveStringsA$GetVolumeInformationA$SHELL32.DLL$SHGetFileInfoA$SHGetSpecialFolderPathA$kernel32.dll
API String ID: 551388010-2399103611
Opcode ID: d332b64cee473334dfdf48ea2541941862237ff14754dc22b58e80f321e710df
Instruction ID: ab0acaa162c7c921addcd19610dada6d5b542073e2e90961baedacd482c79627
Opcode Fuzzy Hash: d332b64cee473334dfdf48ea2541941862237ff14754dc22b58e80f321e710df
Instruction Fuzzy Hash: B7F05470D043347AE610EBB66C49CABBEB9DE915907D0442FF50893122EB349506CE93

Function 10003810 Relevance: 22.9, APIs: 15, Instructions: 369COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000001C,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 10003890
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 100038D3
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 100038E7
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 1000392D
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 10003941
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 10003987
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 1000399B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 100039E1
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 100039F5
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 10003A3B
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,100037E0,?,10021D44,?,?,10021D44,10021D44), ref: 10003A4F
??3@YAXPAX@Z.MSVCRT(?,10021D44), ref: 10003AA8
??2@YAPAXI@Z.MSVCRT(?,10021D44), ref: 10003ABC
??3@YAXPAX@Z.MSVCRT(00000000,10021D44), ref: 10003B01
??2@YAPAXI@Z.MSVCRT(?,10021D44), ref: 10003B15

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@$??3@
String ID:
API String ID: 1245774677-0
Opcode ID: 30ff879118a7ae2d7bf217978ba66d541fe15b2299227a2ce5f71ba689cda5fa
Instruction ID: 3fbabbccb5d228cf02e1ff147f428ce447f7d24272625feecfebda0772c34e45
Opcode Fuzzy Hash: 30ff879118a7ae2d7bf217978ba66d541fe15b2299227a2ce5f71ba689cda5fa
Instruction Fuzzy Hash: C1C1A0B57002058BE718CE38C85292B77D6FF882A0B15862CF91A8B3C1DF71ED058791

Function 100042F0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 106stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 10004322
strstr.MSVCRT ref: 1000432E
lstrcatA.KERNEL32(?,00000006), ref: 1000437E
lstrcpyA.KERNEL32(?,?), ref: 1000438A
strstr.MSVCRT ref: 10004396
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100043CE
lstrcatA.KERNEL32(?,?), ref: 100043DD
lstrlenA.KERNEL32(?), ref: 100043E4
lstrcpyA.KERNEL32(?,?), ref: 100043FF
lstrlenA.KERNEL32(?), ref: 10004402

Strings

%SystemRoot%, xrefs: 10004390
%TEMP%, xrefs: 10004328

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$lstrcatlstrlenstrstr$DirectorySystem
String ID: %SystemRoot%$%TEMP%
API String ID: 318612431-703443648
Opcode ID: 9a7e5926dfc5330bcf2d42d038b585b166d28f3a3ecd7dfd3fb3823e3d9e6bc2
Instruction ID: 2a2de8aa29a70aafadc443fd5fa2ee608bfe74f29d79726ec339ac065308629e
Opcode Fuzzy Hash: 9a7e5926dfc5330bcf2d42d038b585b166d28f3a3ecd7dfd3fb3823e3d9e6bc2
Instruction Fuzzy Hash: 6731C6B66042165FE704DF64EC81AAB77E8EB88750F40482CFA42D3240DE79ED08C6B2

Function 1000EB30 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 69stringsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,c:\windows\system32\ntfastuserswitchingcompatibility.dll,00000104,?), ref: 1000EB71
GetSystemDirectoryA.KERNEL32(C:\Windows\system32\bjlog,00000104), ref: 1000EB81
lstrcatA.KERNEL32(C:\Windows\system32\bjlog,\bjlog), ref: 1000EB91
GetTickCount.KERNEL32 ref: 1000EB97

Part of subcall function 100077E0: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000594,krisig_jhaji), ref: 1000783F
Part of subcall function 100077E0: GetProcessHeap.KERNEL32(00000000,?), ref: 1000787F
Part of subcall function 100077E0: HeapFree.KERNEL32(00000000), ref: 10007886

WaitForSingleObject.KERNEL32(?,00000000,?), ref: 1000EBCB
wsprintfA.USER32 ref: 1000EC03
SHDeleteKeyA.SHLWAPI(80000002,?), ref: 1000EC16
CloseHandle.KERNEL32(?), ref: 1000EC24

Strings

C:\Windows\system32\bjlog, xrefs: 1000EB7C, 1000EB8C
c:\windows\system32\ntfastuserswitchingcompatibility.dll, xrefs: 1000EB54
\bjlog, xrefs: 1000EB87

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FileHeap$CloseCountCreateDeleteDirectoryFreeHandleMappingModuleNameObjectProcessSingleSystemTickWaitlstrcatwsprintf
String ID: C:\Windows\system32\bjlog$\bjlog$c:\windows\system32\ntfastuserswitchingcompatibility.dll
API String ID: 3514054930-988164425
Opcode ID: f4de5201176aa5f38d030338713a8b7b837cb0694158c2a2c53f93131818ed22
Instruction ID: 878ad3b0c05c0b9c25055e52d32df0f94cb4162deb8d5138cd336afa49ee5cc0
Opcode Fuzzy Hash: f4de5201176aa5f38d030338713a8b7b837cb0694158c2a2c53f93131818ed22
Instruction Fuzzy Hash: 2B21C3B56002A1FFF300DBA8DCC8E96BBA4F758340F50842DF645D2261D775A956CB21

Function 1000C5C0 Relevance: 18.1, APIs: 12, Instructions: 103stringserviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32(?,?,000F01FF,?,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5D8
QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5F2
GetLastError.KERNEL32(?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5F8
??2@YAPAXI@Z.MSVCRT(?,00000001,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C610
QueryServiceConfigA.ADVAPI32(00000000,00000000,?,?,00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C622
strncpy.MSVCRT ref: 1000C64A
strncpy.MSVCRT ref: 1000C663
strncpy.MSVCRT ref: 1000C67F
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C693
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C6AB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C6CA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C6DB

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Service$Querystrncpy$CloseConfigHandle$??2@??3@ErrorLastOpenStatus
String ID:
API String ID: 3364752253-0
Opcode ID: 1494d43164020dc58c7cd7c4bbd99715ae3153ebcad2e1c815c49084a017b71e
Instruction ID: 6f73288ddec9b3f7d1b3c57aa354f6dcf295c70eff7ec3cdb5cf3e39ef0ca598
Opcode Fuzzy Hash: 1494d43164020dc58c7cd7c4bbd99715ae3153ebcad2e1c815c49084a017b71e
Instruction Fuzzy Hash: 033147B6600301BBE314DBA5CC89E6BB7ECFB88750F105929F949C6241EB75F914CBA1

Function 1000B760 Relevance: 18.1, APIs: 12, Instructions: 67COMMON

Download Yara Rule

APIs

DeleteDC.GDI32(?), ref: 1000B794
DeleteDC.GDI32(?), ref: 1000B7A1
DeleteDC.GDI32(?), ref: 1000B7AE
DeleteDC.GDI32(?), ref: 1000B7BB
DeleteObject.GDI32(?), ref: 1000B7C8
DeleteObject.GDI32(?), ref: 1000B7D5
DeleteObject.GDI32(?), ref: 1000B7E2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,100185AB,000000FF,1000B748), ref: 1000B7F0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,100185AB,000000FF,1000B748), ref: 1000B7FF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,100185AB,000000FF,1000B748), ref: 1000B80B
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,100185AB,000000FF,1000B748), ref: 1000B817
DestroyCursor.USER32 ref: 1000B837

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Delete$??3@$Object$CursorDestroy
String ID:
API String ID: 201696281-0
Opcode ID: 48bf6f02f9dde62647be998c20284609076ca93ca28ac4828fc83c09a41d7e9c
Instruction ID: f58e2f188b16acca784aaf70efb93d91498d113b8b8f02f05d7945e61d22619c
Opcode Fuzzy Hash: 48bf6f02f9dde62647be998c20284609076ca93ca28ac4828fc83c09a41d7e9c
Instruction Fuzzy Hash: 5F214CB5500B51ABD324DFA4CC88B97B7E8FB48610F508D1DF59A87350DB38E841CBA0

Function 10010FA0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 151COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(-0000002C,00000001), ref: 1001101F
InterlockedExchange.KERNEL32(?,00000000), ref: 10011033
InterlockedExchange.KERNEL32(?,00000001), ref: 10011082
InterlockedExchange.KERNEL32(?,00000000), ref: 1001112C

Strings

Software\GNU\xvid, xrefs: 100110B2, 100110FB
divxSoftware\GNU, xrefs: 10011113
0, xrefs: 100110E7
Divx40.dll, xrefs: 10010FE0
xvid, xrefs: 10011098
display_status, xrefs: 100110AD, 100110F6

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: 0$Divx40.dll$Software\GNU\xvid$display_status$divxSoftware\GNU$xvid
API String ID: 367298776-1758966621
Opcode ID: fee4c9bbfa6fdc4f6e1fcc680f082af091460951cc062ccc5561e9643f326987
Instruction ID: 94e2c8d139e8046c454aba6acf5c18e018c1ee311737035f090f306896661ea4
Opcode Fuzzy Hash: fee4c9bbfa6fdc4f6e1fcc680f082af091460951cc062ccc5561e9643f326987
Instruction Fuzzy Hash: DF419D7A700220ABE318F7189C52FDB7390EBE4B14F51806AF7466E2D2D6B1D544C3E5

Function 100066B0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 83processstringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,c:\windows\system32\ntfastuserswitchingcompatibility.dll), ref: 100066DB
GetTempFileNameA.KERNEL32(00000000), ref: 100066FD

Part of subcall function 100100B0: InternetOpenA.WININET(100213D8,00000000,00000000,00000000,00000000), ref: 100100D6

wsprintfA.USER32 ref: 10006759
CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,00000000,?,?,?,%s baijinUPdate %s,?,10023314), ref: 10006783
CloseHandle.KERNEL32(?), ref: 1000679B
CloseHandle.KERNEL32(?), ref: 100067A2

Strings

%s baijinUPdate %s, xrefs: 10006743
c:\windows\system32\ntfastuserswitchingcompatibility.dll, xrefs: 100066C9
update, xrefs: 100066EE
D, xrefs: 10006749

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandle$CreateFileInternetNameOpenProcessTemplstrcpywsprintf
String ID: %s baijinUPdate %s$D$c:\windows\system32\ntfastuserswitchingcompatibility.dll$update
API String ID: 2257721035-3575582074
Opcode ID: 539c430e021675418693ce8b36a516089c14c2eba9fe673c86f12b95c883dd71
Instruction ID: 4592ff749d397fdccc08670ab44cab029dec3cf8346eaa68776946f4e5781fb9
Opcode Fuzzy Hash: 539c430e021675418693ce8b36a516089c14c2eba9fe673c86f12b95c883dd71
Instruction Fuzzy Hash: CE2190B51083057FE710DBA8DC84EEBB7ECEBC8344F40892DF64583151EA79E9098B62

Function 10004150 Relevance: 17.5, APIs: 7, Strings: 3, Instructions: 49stringCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(?,?), ref: 10004171
GetWindowsDirectoryA.KERNEL32(?,?), ref: 10004180
lstrcatA.KERNEL32(?,\temp), ref: 1000418C
SetEnvironmentVariableA.KERNEL32(TMP,?), ref: 1000419E
SetEnvironmentVariableA.KERNEL32(TEMP,?), ref: 100041A6
lstrlenA.KERNEL32(?), ref: 100041A9
CreateDirectoryA.KERNEL32(?,00000000), ref: 100041C1

Strings

TMP, xrefs: 10004199
TEMP, xrefs: 100041A1
\temp, xrefs: 10004186

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: DirectoryEnvironmentVariable$CreatePathTempWindowslstrcatlstrlen
String ID: TEMP$TMP$\temp
API String ID: 3811192182-708888228
Opcode ID: 1b627841294b1398ef787a47fb1e7c58f347d768f773a337a5f5554ec3f662ab
Instruction ID: 8d2be628ee3d3af55f8e3aad4e308ebada3133f90511370f5e74478f8505de6e
Opcode Fuzzy Hash: 1b627841294b1398ef787a47fb1e7c58f347d768f773a337a5f5554ec3f662ab
Instruction Fuzzy Hash: C6F0A4B53015307FE711E7259C98EAF3A69EFCA2A17564028FA46C3310DB349902C6B6

Function 1000A350 Relevance: 16.6, APIs: 11, Instructions: 129registrymemorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 1000A36C
lstrcpyA.KERNEL32(00000002,?), ref: 1000A388
lstrlenA.KERNEL32(?), ref: 1000A38F
RegEnumKeyExA.ADVAPI32(?), ref: 1000A3C1
LocalSize.KERNEL32(00000000), ref: 1000A3DC
LocalReAlloc.KERNEL32(00000000,000003FD,00000042), ref: 1000A3F8
RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 1000A437
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000A459
RegCloseKey.ADVAPI32(?), ref: 1000A470
RegEnumKeyExA.ADVAPI32(?,00000100,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000A4A6
LocalFree.KERNEL32(00000000,00000000,-00000003), ref: 1000A4C4

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Local$AllocEnum$CloseFreeInfoOpenQuerySizelstrcpylstrlen
String ID:
API String ID: 3545219783-0
Opcode ID: 1bbc32d3968d101cd4c4f8bb8d40793efb65c63a4f30d61237259bb70c3822dd
Instruction ID: 3f70fd2d6978dd4a646f2be91f9437af878ab620098d952ccca543af8bf2db30
Opcode Fuzzy Hash: 1bbc32d3968d101cd4c4f8bb8d40793efb65c63a4f30d61237259bb70c3822dd
Instruction Fuzzy Hash: 66414F71204345AFE314DF64CC84FABB7EDFB89744F404918FA89D6285D7B4A905CBA2

Function 10010750 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 301COMMON

Download Yara Rule

Strings

create IAMStreamConfig error, xrefs: 1001085A
Fail to put sample grabber in graph, xrefs: 10010943
Capture Filter, xrefs: 100107AF
Failt to read the connected media type, xrefs: 100109F0
vids, xrefs: 10010848, 100108A6, 1001097B, 1001099C
Grabber, xrefs: 10010931

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CreateInstancelstrlen$??2@??3@lstrcpy
String ID: Capture Filter$Fail to put sample grabber in graph$Failt to read the connected media type$Grabber$create IAMStreamConfig error$vids
API String ID: 4279079251-3648156382
Opcode ID: 46a95e82903b2103b701279cd286df06ff9a7fb7edac281db6f4201ec00069f2
Instruction ID: c86d114d55265039ff4d356102df202a31306dcdd4699e4413c5ee14d349c6ab
Opcode Fuzzy Hash: 46a95e82903b2103b701279cd286df06ff9a7fb7edac281db6f4201ec00069f2
Instruction Fuzzy Hash: 5DB115B57043059FD700DF68C894E5AB7E5FF88310F108A68F9999B391DB70E886CB92

Function 100111C0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148stringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000401), ref: 100111D3
ICGetInfo.MSVFW32 ref: 1001127D
wcsrchr.MSVCRT ref: 1001128C
_wcsicmp.MSVCRT ref: 100112AA
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100112DE
lstrcatA.KERNEL32(00000000,\divx40.dll), ref: 100112EE
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000401), ref: 10011398

Strings

\divx40.dll, xrefs: 100112E8
Divx40.dll, xrefs: 100112A4

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@??3@DirectoryInfoSystem_wcsicmplstrcatwcsrchr
String ID: Divx40.dll$\divx40.dll
API String ID: 1582765043-423273528
Opcode ID: 2061f6f856682351f95bc49f9c6925b6180e0324fe899be08812bc40c0dc7799
Instruction ID: de76d25a0c50ae2046e5b9fa6b79368759f12a34ca62c0b06c3f5cd13c915580
Opcode Fuzzy Hash: 2061f6f856682351f95bc49f9c6925b6180e0324fe899be08812bc40c0dc7799
Instruction Fuzzy Hash: 5251DA75604341AFE300DFA4CC85B9B77E8FB58704F04452CFA85AB242EB75EA49C752

Function 10004D10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

_strupr.MSVCRT ref: 10004D67
GetVolumeInformationA.KERNEL32(10022250,00000000,00000000,00000000,00000000,00000000,?,00000104,?), ref: 10004D97
SHGetFileInfo.SHELL32(10022250,00000080,?,00000160,00000410), ref: 10004DB5
lstrlenA.KERNEL32(?), ref: 10004DC9
lstrlenA.KERNEL32(?), ref: 10004DD3
GetDiskFreeSpaceExA.KERNEL32(10022250,?,?,00000000), ref: 10004DF2
GetDriveTypeA.KERNEL32(10022250), ref: 10004E39
lstrlenA.KERNEL32(10022250,?), ref: 10004EAB

Strings

g, xrefs: 10004D3D

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen$DiskDriveFileFreeInfoInformationSpaceTypeVolume_strupr
String ID: g
API String ID: 1646703850-30677878
Opcode ID: b6ba5737c46bd6b776f3fe6de501eb1bcea516c8c1893858cef907eaa4d535b0
Instruction ID: 025581b1ed7b5c57d154799ed9790115f76e9a00e081b047184e46b8d3d80eb4
Opcode Fuzzy Hash: b6ba5737c46bd6b776f3fe6de501eb1bcea516c8c1893858cef907eaa4d535b0
Instruction Fuzzy Hash: 2751F671608345AFD704EF54C840BABB7E9FBC8304F45492DF58A97241CB74AA0ACB52

Function 100100B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 110networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(100213D8,00000000,00000000,00000000,00000000), ref: 100100D6
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10010104

Strings

MZ, xrefs: 10010164

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: InternetOpen
String ID: MZ
API String ID: 2038078732-2410715997
Opcode ID: 7b413bf33559947b476255c9c5d58911e6ceb7426dc0e4b25ac45e57f30a1204
Instruction ID: 33cad3bf5459d740d5ef961d033f539f57c994da20549059f5c1c38658c976b2
Opcode Fuzzy Hash: 7b413bf33559947b476255c9c5d58911e6ceb7426dc0e4b25ac45e57f30a1204
Instruction Fuzzy Hash: F83136B26043187BD210DF61DC84F9B7BDCEB897A8F51092DFA8597100C679F88687A2

Function 1000A4E0 Relevance: 15.1, APIs: 10, Instructions: 129registrymemorystringCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 1000A4FB
LocalAlloc.KERNEL32(00000040,00000400), ref: 1000A518
lstrcpyA.KERNEL32(00000002,?), ref: 1000A534
lstrlenA.KERNEL32(?), ref: 1000A53B
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,00000000,?,00000000,00002000), ref: 1000A56E
LocalSize.KERNEL32(00000000), ref: 1000A596
LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,00000000,?,?,00000000,?,00000000,00002000), ref: 1000A5AD
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,00000000,00002000,?,?,?,?,00000000,?,?,00000000), ref: 1000A646
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000000,?,00000000,00002000), ref: 1000A658
LocalFree.KERNEL32(00000000,00000000,-00000003,?,?), ref: 1000A66C

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Local$AllocEnumValue$??2@??3@FreeSizelstrcpylstrlen
String ID:
API String ID: 2266045522-0
Opcode ID: fec269a74e508902ccefb4aa081e7b41c0ca08485e22f64742652a43594c62b0
Instruction ID: 743419e820a03608a698438b9b6fa611a73f9a7d64397543748b4e15874456b2
Opcode Fuzzy Hash: fec269a74e508902ccefb4aa081e7b41c0ca08485e22f64742652a43594c62b0
Instruction Fuzzy Hash: 05417C71204316AFE714DF54CC84BABB7E9FB88744F04491CF94A97285E774AA09CB62

Function 10001100 Relevance: 15.1, APIs: 10, Instructions: 90threadsleepinjectionCOMMON

Download Yara Rule

APIs

SuspendThread.KERNEL32(?,?,?,?,100010E8), ref: 1000111A
Sleep.KERNEL32(00000064,?,?,?,100010E8), ref: 1000112C
??3@YAXPAX@Z.MSVCRT(?,?,?,?,100010E8), ref: 1000119D
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,100010E8), ref: 100011A5
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,100010E8), ref: 100011AE
??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,100010E8), ref: 100011B7
CloseHandle.KERNEL32(?), ref: 100011CF
CloseHandle.KERNEL32(?), ref: 100011D5
TerminateThread.KERNEL32(?,000000FF), ref: 100011E1
CloseHandle.KERNEL32(?), ref: 100011EB

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@$CloseHandle$Thread$SleepSuspendTerminate
String ID:
API String ID: 1764729105-0
Opcode ID: 2c63d2846deab5fb6efaadaf2c1f41784c7d14f97170b39556e807eac37f4db7
Instruction ID: b21e849c402c9fe9e25c6d9f081209cac106ae16027860415c72533eaf9d75d6
Opcode Fuzzy Hash: 2c63d2846deab5fb6efaadaf2c1f41784c7d14f97170b39556e807eac37f4db7
Instruction Fuzzy Hash: 05317EB5200711ABE714DBA0CC88AA7B7FAFF8C7547104A08F69287751C775F842CBA0

Function 10004060 Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,HKEY_LOCAL_MACHINE), ref: 10004075
lstrcmpiA.KERNEL32(?,HKEY_CLASSES_ROOT), ref: 1000408A

Strings

HKEY_LOCAL_MACHINE, xrefs: 1000406D
HKEY_USERS, xrefs: 100040AE
HKEY_CURRENT_USER, xrefs: 10004099
HKEY_CLASSES_ROOT, xrefs: 10004084
HKEY_CURRENT_CONFIG, xrefs: 100040C3

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcmpi
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
API String ID: 1586166983-3507829934
Opcode ID: 892d0f4178c8d1a36888c7f5f1ca97837d44c2489df4305cd593835ebfdf4f28
Instruction ID: a32a0b6ccd5caf027abfedced599da07a11ba0a4e5a9b0182ca74de595a89a2e
Opcode Fuzzy Hash: 892d0f4178c8d1a36888c7f5f1ca97837d44c2489df4305cd593835ebfdf4f28
Instruction Fuzzy Hash: 80F0FFD335152726E211E16D6C40FDA03CCCFD50E2F22413BFB08EA115DB6AC99616A5

Function 10001AF0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 281stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10001A50: lstrcmpiA.KERNEL32(?,?), ref: 10001AB6

??2@YAPAXI@Z.MSVCRT ref: 10001D10
??2@YAPAXI@Z.MSVCRT(?), ref: 10001D26
lstrcmpiA.KERNEL32(?,00000008), ref: 10001D8B
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10001DB6
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10001E0F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10001E86
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10001E9F

Strings

H, xrefs: 10001D5F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@$??2@lstrcmpi
String ID: H
API String ID: 4074385935-2852464175
Opcode ID: 76d3c9adaad18d54a63e94c8ba36d55814a0add5a2ac2ffab5eb8b03043bebb2
Instruction ID: a5bb0e71f2cb52acfea2d722dfafead45db2c9bc422b49a9971ba80ba1ba3609
Opcode Fuzzy Hash: 76d3c9adaad18d54a63e94c8ba36d55814a0add5a2ac2ffab5eb8b03043bebb2
Instruction Fuzzy Hash: 2FB14970608341ABE320CF54D884BAFB7E9FBC8394F10491DF59987244DB75E949CB52

Function 1000FA30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

Part of subcall function 1000F940: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F951
Part of subcall function 1000F940: ??2@YAPAXI@Z.MSVCRT(00000128), ref: 1000F95E
Part of subcall function 1000F940: Process32First.KERNEL32(00000000,00000000), ref: 1000F970
Part of subcall function 1000F940: lstrcmpiA.KERNEL32(00000024,?), ref: 1000F983
Part of subcall function 1000F940: Process32Next.KERNEL32(00000000,00000000), ref: 1000F98F
Part of subcall function 1000F940: lstrcmpiA.KERNEL32(00000024,?), ref: 1000F99B
Part of subcall function 1000F940: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000F9AD
Part of subcall function 1000F940: CloseHandle.KERNEL32(00000000), ref: 1000F9B6

OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1000FA95
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 1000FAAF
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1000FACF
??2@YAPAXI@Z.MSVCRT(?), ref: 1000FAE4
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 1000FB06
??2@YAPAXI@Z.MSVCRT(00000100), ref: 1000FB2C
LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 1000FB5B

Strings

explorer.exe, xrefs: 1000FA59

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@Token$InformationOpenProcessProcess32lstrcmpi$??3@AccountCloseCreateFirstHandleLookupNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 1350646383-3187896405
Opcode ID: ddaf7ddd85c3244f590a13b705b935fb5aa8a72d5368fb1f0d502d8bbe773de1
Instruction ID: c12d8ac041f2ad44c46ec4b1daa2c1ab1f3687617bab713b110962b4a5f37206
Opcode Fuzzy Hash: ddaf7ddd85c3244f590a13b705b935fb5aa8a72d5368fb1f0d502d8bbe773de1
Instruction Fuzzy Hash: 444118B6D00218AFEB50DFA5DC85AEEBBB8FB48750F10456DF619A2240D7745A848F60

Function 10007C70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,1001F014,00000000), ref: 10007C8F

Part of subcall function 10003FE0: lstrcpyA.KERNEL32(00000000,?), ref: 10004010
Part of subcall function 10003FE0: lstrcpyA.KERNEL32(?,100231E4,74DE83C0), ref: 10004034
Part of subcall function 10003FE0: lstrcpyA.KERNEL32(00000000,?,?), ref: 10004045
Part of subcall function 10003FE0: lstrcatA.KERNEL32(?,?,?,?), ref: 10004050

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10007CBC
GetFileSize.KERNEL32(00000000,00000000), ref: 10007CCC
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10007CD5
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10007CE9
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 10007D0F
CloseHandle.KERNEL32(00000000), ref: 10007D19

Strings

.key, xrefs: 10007C99

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$File$??2@??3@CloseCreateHandleReadSizelstrcat
String ID: .key
API String ID: 2593585248-343438762
Opcode ID: 42bf7d059073085fd2ad9dfbdfcf5aff82c5e2fe83521ade4fba48fe05007eaa
Instruction ID: c414e2c5ab4fbfa3124ef3ad5d4e77bfd67a4983cc819e9dcf3103c8cf593926
Opcode Fuzzy Hash: 42bf7d059073085fd2ad9dfbdfcf5aff82c5e2fe83521ade4fba48fe05007eaa
Instruction Fuzzy Hash: 6111D0759003513BF320DB359C8DF6B3AADEBC9750F14092CF94986242EA79E809C2B1

Function 10003010 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 10003050

Strings

advapi32.dll, xrefs: 10003078
ConvertSidToStringSidA, xrefs: 10003085
L$_RasDefaultCredentials#0, xrefs: 10003077

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AccountLookupName
String ID: ConvertSidToStringSidA$L$_RasDefaultCredentials#0$advapi32.dll
API String ID: 1484870144-3270869392
Opcode ID: 361b45ba395dc846c2ea25cdd60523b7bd8449dcebff95152a0b308b4de5c7a4
Instruction ID: 8c25222f37b35ecbaee8d059ce12ad9ec93f0f7e5ddc38e662ff09e41eeca049
Opcode Fuzzy Hash: 361b45ba395dc846c2ea25cdd60523b7bd8449dcebff95152a0b308b4de5c7a4
Instruction Fuzzy Hash: F2113971504212AFE309CF64CC98AFB77E8EB94784F80891CF55982150F774DA498BA2

Function 10004850 Relevance: 13.6, APIs: 9, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10004881
malloc.MSVCRT ref: 10004889
lstrcpyA.KERNEL32(00000000,?), ref: 100048A0
GetFileAttributesA.KERNEL32(00000000), ref: 100048DB
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 100048EB
GetLastError.KERNEL32 ref: 100048F5
free.MSVCRT ref: 1000490A
CharNextA.USER32(00000000), ref: 1000491B
free.MSVCRT ref: 1000492C

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: free$AttributesCharCreateDirectoryErrorFileLastNextlstrcpylstrlenmalloc
String ID:
API String ID: 4019378373-0
Opcode ID: 7e72c5ea29944e3f2391e48fbb91aa0d3218285c5fe9364a5dab3285dea1a3e5
Instruction ID: 6ae30322d2a9583b5bc8a527a00f7ddabb83a7f8682fc5dbc30511dc5df73e79
Opcode Fuzzy Hash: 7e72c5ea29944e3f2391e48fbb91aa0d3218285c5fe9364a5dab3285dea1a3e5
Instruction Fuzzy Hash: 463106F2C00259AFEB11CF588C407AFBBB9EB457A0F11427AE8A493241CB345902CBA5

Function 1000F6D0 Relevance: 13.6, APIs: 9, Instructions: 95stringmemorywindowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,00000000,000003FF), ref: 1000F729
IsWindowVisible.USER32(?), ref: 1000F734
lstrlenA.KERNEL32(00000000), ref: 1000F74F
LocalAlloc.KERNEL32(00000040,00000001), ref: 1000F761
lstrlenA.KERNEL32(00000000), ref: 1000F775
LocalReAlloc.KERNEL32(?,?,00000042), ref: 1000F781
GetWindowThreadProcessId.USER32(?,74DF0440), ref: 1000F798
lstrlenA.KERNEL32(00000000,?,?,00000042), ref: 1000F7A5
LocalSize.KERNEL32 ref: 1000F7CD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: LocalWindowlstrlen$Alloc$ProcessSizeTextThreadVisible
String ID:
API String ID: 925664022-0
Opcode ID: 713b6f8cd4a06be79fc878950d4b948fbc3ea42e188b08125a71b8293f6248aa
Instruction ID: 329880d7b59117ffc87d1b574c9135a7d830f10d6df7fb7aa83465a9a71ebcf3
Opcode Fuzzy Hash: 713b6f8cd4a06be79fc878950d4b948fbc3ea42e188b08125a71b8293f6248aa
Instruction Fuzzy Hash: 88312871604259AFEB10DF64CC84BEA77B8FF48354F0085A9EA19E7280D7B49A45DBA0

Function 1000FCF0 Relevance: 13.6, APIs: 9, Instructions: 76threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1000FD2A
GetThreadDesktop.USER32(00000000), ref: 1000FD31
GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD58
OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1000FD65
GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD92
lstrcmpiA.KERNEL32(?,?), ref: 1000FDA5
SetThreadDesktop.USER32(00000000), ref: 1000FDB0
CloseDesktop.USER32(00000000), ref: 1000FDBC
CloseDesktop.USER32(00000000), ref: 1000FDC3

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
String ID:
API String ID: 3718465862-0
Opcode ID: 9e8d6b774ec65bc13dc58444b4413269bf7a3d10b218ceda25f2f7e35e015d1f
Instruction ID: 934a9f544559a8a7f6d3424e8c7e6ac2c2b46ec03aa96edcc97c4e8a623bced7
Opcode Fuzzy Hash: 9e8d6b774ec65bc13dc58444b4413269bf7a3d10b218ceda25f2f7e35e015d1f
Instruction Fuzzy Hash: 6E21A172204359BFF7159BA4CD89FEB77D9EB88740F000839F746E2190DA74A90987A2

Function 1000B250 Relevance: 13.6, APIs: 9, Instructions: 57clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 1000B25A
GetClipboardData.USER32(00000001), ref: 1000B266
CloseClipboard.USER32 ref: 1000B276
GlobalSize.KERNEL32(00000000), ref: 1000B285
GlobalLock.KERNEL32(00000000), ref: 1000B28F
??2@YAPAXI@Z.MSVCRT(00000001), ref: 1000B298
GlobalUnlock.KERNEL32(?), ref: 1000B2BF
CloseClipboard.USER32 ref: 1000B2C5
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000001), ref: 1000B2D7

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlock
String ID:
API String ID: 3218637236-0
Opcode ID: 48d62ceb0a6c2eb9b38118efdfaddecdf04203cc1ab210c2e873bee4e91bed14
Instruction ID: f9ff586db9906f1378f8cf75ad9a5177287e933a1c226eb46348e0dcdbc85ba0
Opcode Fuzzy Hash: 48d62ceb0a6c2eb9b38118efdfaddecdf04203cc1ab210c2e873bee4e91bed14
Instruction Fuzzy Hash: F101D6355043246FE704EF789C89A9F36E8FF48642F804129FC0A93241EB75DD09C6B2

Function 1000D710 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000032), ref: 1000D804
WaitForSingleObject.KERNEL32(?,00000064), ref: 1000D9C8
TerminateProcess.KERNEL32(?,00000005), ref: 1000D9D8
GetExitCodeProcess.KERNEL32(?,?), ref: 1000D9E7

Strings

P, xrefs: 1000D79A
, xrefs: 1000D770
O, xrefs: 1000D7BC

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ObjectProcessSingleWait$CodeExitTerminate
String ID: $O$P
API String ID: 2953097262-3388381919
Opcode ID: be94225b7f0d36edf4da34ec3cc77c6393302296bb7933faf979d907c3fb5943
Instruction ID: a5f19a95adafd4d359d694dec77ba1a2841bab7c4a9583f6772af621f95c4a72
Opcode Fuzzy Hash: be94225b7f0d36edf4da34ec3cc77c6393302296bb7933faf979d907c3fb5943
Instruction Fuzzy Hash: 28818071518346ABE724DF50C8949AFB7E9FFC8780F00492DF98987254EB30EA05CB66

Function 10010380 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,10010368), ref: 100103A7
DestroyWindow.USER32(?,?,?,?,10010368), ref: 100103D1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,10010368), ref: 10010410
??3@YAXPAX@Z.MSVCRT(?,?,?,?,10010368), ref: 1001041C
CloseHandle.KERNEL32(?), ref: 1001048E
??3@YAXPAX@Z.MSVCRT(?), ref: 1001049C

Strings

Grabber, xrefs: 10010463

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@$CloseDestroyEventHandleWindow
String ID: Grabber
API String ID: 209381975-2189805962
Opcode ID: a10d1924c8e8bf228377d3455b2f75014a4c2d38a4fbb491293d2431f95ae611
Instruction ID: 5b615f5d3aef889dd194d02e2df09162fa7ab9702aff81bbcee7489a474e61b5
Opcode Fuzzy Hash: a10d1924c8e8bf228377d3455b2f75014a4c2d38a4fbb491293d2431f95ae611
Instruction Fuzzy Hash: E041A5B56006019FD754DFA8C8C881AB7F9FF482553508A6DF58ACBA11CB70FC86CB51

Function 10007A40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95stringCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 10007A7A
lstrcpyA.KERNEL32(0374FFF3,1001F014,?,00000001), ref: 10007AC6
GetFileAttributesA.KERNEL32(0374FFF3,?,00000001), ref: 10007AEC
SetWindowsHookExA.USER32(00000003,10007550,10000000,00000000), ref: 10007B25
GetLastError.KERNEL32(?,00000001), ref: 10007B48
wsprintfA.USER32 ref: 10007B70

Part of subcall function 100077E0: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000594,krisig_jhaji), ref: 1000783F
Part of subcall function 100077E0: GetProcessHeap.KERNEL32(00000000,?), ref: 1000787F
Part of subcall function 100077E0: HeapFree.KERNEL32(00000000), ref: 10007886

Strings

.key, xrefs: 10007AD2

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FileHeap$AttributesCountCreateErrorFreeHookLastMappingProcessTickWindowslstrcpywsprintf
String ID: .key
API String ID: 1463877243-343438762
Opcode ID: 0aea3c1a678eae069666b5bc69c59a1b0dcb49f928460f686a018f45ed3248e5
Instruction ID: 53bd45de73061675a46c8690235eb3553c7b79c3375e60e6f4915d85fdecbf24
Opcode Fuzzy Hash: 0aea3c1a678eae069666b5bc69c59a1b0dcb49f928460f686a018f45ed3248e5
Instruction Fuzzy Hash: BE31D875600211BFF700DFA8CCD4A66B7A9F749344F648558E50887365D735E84BCFA1

Function 10007060 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 10007070
lstrcpyA.KERNEL32(00000000,1001F014,00000000), ref: 100070A5
lstrcpyA.KERNEL32(00000000,bjlog), ref: 100070D6
wsprintfA.USER32 ref: 100070F3
SetEvent.KERNEL32(?), ref: 10007117

Strings

.key, xrefs: 100070AB
bjlog, xrefs: 100070C7

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$CloseEventHandlewsprintf
String ID: .key$bjlog
API String ID: 4221542662-3606690550
Opcode ID: e1e7389de70a6d754f1ee5bd6ddac503031ff8cd30e7250aff6305178ec938bd
Instruction ID: 4da28d7efce1aea83fe09e6840e67a1adab7b9119a0af2da59bd09b84f985d33
Opcode Fuzzy Hash: e1e7389de70a6d754f1ee5bd6ddac503031ff8cd30e7250aff6305178ec938bd
Instruction Fuzzy Hash: 7D11A3B9D04210BBF604D7B4DCCAFAB336CEB48640F40C929F64586196EE75F604C7A2

Function 10005210 Relevance: 12.1, APIs: 8, Instructions: 87stringfilememoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,1000474D), ref: 10005233
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,1000474D), ref: 1000524C
GetFileSize.KERNEL32(00000000,?,74DF0440,?,?,1000474D), ref: 1000526B
CloseHandle.KERNEL32(00000000,?,?,1000474D), ref: 10005276
lstrlenA.KERNEL32(?,?,?,1000474D), ref: 1000527D
LocalAlloc.KERNEL32(00000040,-0000000A,?,?,1000474D), ref: 1000528B
lstrlenA.KERNEL32(?,?,?,1000474D), ref: 100052B9
LocalFree.KERNEL32(00000000,00000000,-0000000A,?,?,1000474D), ref: 100052E1

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FileLocallstrlen$AllocCloseCreateEnvironmentExpandFreeHandleSizeStrings
String ID:
API String ID: 1555963200-0
Opcode ID: d54a8c86b2bd043c97fbc341f01f025c7f05c1a9065a368ae78fb4a0357d5a49
Instruction ID: aa60e3803ad842a7941dd918d01492c14a7dfa99a54940d8d006987b1eedade1
Opcode Fuzzy Hash: d54a8c86b2bd043c97fbc341f01f025c7f05c1a9065a368ae78fb4a0357d5a49
Instruction Fuzzy Hash: C121F172700314AFEB04EF64EC85B5BB6D9FB88B11F448439FA06D7280DA75A809C771

Function 10005A20 Relevance: 12.1, APIs: 8, Instructions: 78servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,74DE83C0,00000000), ref: 10005A5E
OpenServiceA.ADVAPI32(00000000,00000007,000F01FF), ref: 10005A76
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10005A94
ControlService.ADVAPI32(00000000,00000001,?), ref: 10005AB1
Sleep.KERNEL32(00000320), ref: 10005AC0
DeleteService.ADVAPI32(00000000), ref: 10005AC7
wsprintfA.USER32 ref: 10005AEE
SHDeleteKeyA.SHLWAPI(80000002,?), ref: 10005B03

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Service$DeleteOpen$ControlManagerQuerySleepStatuswsprintf
String ID:
API String ID: 2632840174-0
Opcode ID: 6bb059d16bb798ec088b50acf3ef2c8d47962b91dba1a85fe429b4ad21afe3c8
Instruction ID: e3eb83e70585631748f3c138904968cd19ed198ef9f2ac9c938b81c81d8881a5
Opcode Fuzzy Hash: 6bb059d16bb798ec088b50acf3ef2c8d47962b91dba1a85fe429b4ad21afe3c8
Instruction Fuzzy Hash: 25219F71A00624AFE721DF94CC88BEBBBB8FB44791F104299F619A2280D7715B45CFA1

Function 1000C8ED Relevance: 12.1, APIs: 8, Instructions: 68servicestringCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 1000C900
lstrlenA.KERNEL32 ref: 1000C911
??2@YAPAXI@Z.MSVCRT(-0000001E), ref: 1000C91F
QueryServiceStatus.ADVAPI32(00000000,00000001), ref: 1000C92E
GetLastError.KERNEL32 ref: 1000C938
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?), ref: 1000C981
CloseServiceHandle.ADVAPI32(00000000,00000000,?), ref: 1000C98E
GetLastError.KERNEL32 ref: 1000CAFB

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Service$ErrorLast$??2@??3@CloseHandleOpenQueryStatuslstrlen
String ID:
API String ID: 4109660433-0
Opcode ID: d1cccca8d3091f2e5e2b043fc788d9a0faf16d891c9d803c682877a83451ff5f
Instruction ID: 8d28a867956fa8965d0f4a62d8eb4822e3c50870bd11a84a50f1af9a60bd1929
Opcode Fuzzy Hash: d1cccca8d3091f2e5e2b043fc788d9a0faf16d891c9d803c682877a83451ff5f
Instruction Fuzzy Hash: E81106B66047148FE314DBB49C99B5B7BE4FB48351F004029EC0A82246EE78D909C7A1

Function 1000CA29 Relevance: 12.1, APIs: 8, Instructions: 65servicesleepstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 1000CA2A
??2@YAPAXI@Z.MSVCRT(-00000006), ref: 1000CA3A
OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 1000CA62
QueryServiceStatus.ADVAPI32(00000000,?,?,000F01FF), ref: 1000CA74
ControlService.ADVAPI32(00000000,00000001,?), ref: 1000CA89
Sleep.KERNEL32(000003E8), ref: 1000CA94
DeleteService.ADVAPI32(00000000), ref: 1000CA9B
GetLastError.KERNEL32(?,000F01FF), ref: 1000CAA5

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Service$??2@ControlDeleteErrorLastOpenQuerySleepStatuslstrlen
String ID:
API String ID: 1824404850-0
Opcode ID: 8cd95d7028c607242111c189cacadd9b7fdc78c8ef31b2301b06ad81e62628de
Instruction ID: 07edf11c015c81ded708cd027399ba529a5b81dc46ed89663f2b746768a4194c
Opcode Fuzzy Hash: 8cd95d7028c607242111c189cacadd9b7fdc78c8ef31b2301b06ad81e62628de
Instruction Fuzzy Hash: FA11C4323047199FE359DBB8CC59A2A76EAFBC8740B14452CFA0BC7291DBB4D905C752

Function 10007290 Relevance: 12.1, APIs: 8, Instructions: 64filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(0374FFF3,40000000,00000002,00000000,00000004,00000080,00000000,?,?,?,?,?,10007443,?,?,00000000), ref: 100072B0
GetFileSize.KERNEL32(00000000,00000000), ref: 100072C3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100072D7
lstrlenA.KERNEL32(00000000), ref: 100072E2
??2@YAPAXI@Z.MSVCRT(00000000), ref: 100072EB
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 10007315
CloseHandle.KERNEL32(00000000), ref: 1000731C
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10007323

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$??2@??3@CloseCreateHandlePointerSizeWritelstrlen
String ID:
API String ID: 3872475119-0
Opcode ID: 0158dbfa42be1447d07493c496292a09e9baa6f9b2529bada684dce4d0ffdc6d
Instruction ID: 1354f2b0aef302ed8bd4e52a3c90f1a25475a1ed56e08f115394a043c1d51030
Opcode Fuzzy Hash: 0158dbfa42be1447d07493c496292a09e9baa6f9b2529bada684dce4d0ffdc6d
Instruction Fuzzy Hash: D41145F22403503BF2209B609CCEF2B3BACEB89741F200424F7069A2C2DA74EC068765

Function 10003C70 Relevance: 12.1, APIs: 8, Instructions: 61stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(100035C0,?,00000000,100035C0,00000000), ref: 10003C81
lstrlenA.KERNEL32(100035C0,00000000,00000002,?,00000000,100035C0,00000000), ref: 10003C8A
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,100035C0,00000000), ref: 10003C91
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,100035C0,00000000), ref: 10003C99
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,100035C0,000000FF,00000000,00000000,100035C0,00000000), ref: 10003CAF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10003CC2
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10003CC9
??2@YAPAXI@Z.MSVCRT(00000001,?,00000000,100035C0,00000000), ref: 10003CDC

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@$ByteCharMultiWidelstrlen$??3@
String ID:
API String ID: 2787905126-0
Opcode ID: 60586f48ff789a735ae3c91c06fbcbb6bdbea180d9ee720569b6243024229c8a
Instruction ID: be9c3be8c5f4bc89aac6ea230a7a8c78caae5e12b07ecdc85ec544e0caa6f9cf
Opcode Fuzzy Hash: 60586f48ff789a735ae3c91c06fbcbb6bdbea180d9ee720569b6243024229c8a
Instruction Fuzzy Hash: F101DB737452283AF22192A92C45F9B3ADCDB56BB0F154236FA18EA1C1E961EC50C2F5

Function 1000F940 Relevance: 12.1, APIs: 8, Instructions: 51stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F951
??2@YAPAXI@Z.MSVCRT(00000128), ref: 1000F95E
Process32First.KERNEL32(00000000,00000000), ref: 1000F970
lstrcmpiA.KERNEL32(00000024,?), ref: 1000F983
Process32Next.KERNEL32(00000000,00000000), ref: 1000F98F
lstrcmpiA.KERNEL32(00000024,?), ref: 1000F99B
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000F9AD
CloseHandle.KERNEL32(00000000), ref: 1000F9B6

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Process32lstrcmpi$??2@??3@CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 960992042-0
Opcode ID: 8603d443181d2f0b79415a7d635660113209f9d485f4d67f8f3e8c4764b52f10
Instruction ID: 5a87442bd4f904029cc8783de9f0de11cb4d0eaf29adee9a6dc3a176dcbb5355
Opcode Fuzzy Hash: 8603d443181d2f0b79415a7d635660113209f9d485f4d67f8f3e8c4764b52f10
Instruction Fuzzy Hash: 8E01BCB12003127BF3109F62CC88F6B7BECEB867D5F000828F845C6151EB30E94596A2

Function 100115D0 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 249COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000003C), ref: 1001162C
??2@YAPAXI@Z.MSVCRT(0000003C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10018786), ref: 100116A0

Strings

vidc, xrefs: 100117E1
divxSoftware\GNU, xrefs: 1001175C
M263, xrefs: 1001182F
divx, xrefs: 1001176A

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@
String ID: M263$divx$divxSoftware\GNU$vidc
API String ID: 1033339047-2315318433
Opcode ID: 1b8546831e5709f2b8b28668e764be834142878af343617d636822b7bd403224
Instruction ID: c55b0183696677e7904cb38dd561ede13593d4119a09299ff2f7e76eac9abc41
Opcode Fuzzy Hash: 1b8546831e5709f2b8b28668e764be834142878af343617d636822b7bd403224
Instruction Fuzzy Hash: 29919BB5A047119FE714CF64C880A9BB7F5FB88750F10892DF99A8B390DB71E981CB91

Function 100015E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170stringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 10008B50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,100069EA,?,?,?,?,00000000,?,?,10018423,000000FF), ref: 10008B6E

lstrcpyA.KERNEL32(?,?), ref: 100016E9
lstrlenA.KERNEL32(?), ref: 100016F3
CreateThread.KERNEL32(00000000,00000000,10001FE0,?,00000000,00000000), ref: 100017F6

Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerGetNumDevs), ref: 10007DAD
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerOpen), ref: 10007DBA
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerClose), ref: 10007DC7
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerSetControlDetails), ref: 10007DD4
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerGetLineInfoA), ref: 10007DE1
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerGetLineControlsA), ref: 10007DEE
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,mixerGetControlDetailsA), ref: 10007DFB
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInClose), ref: 10007E08
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInOpen), ref: 10007E15
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInPrepareHeader), ref: 10007E22
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInUnprepareHeader), ref: 10007E2F
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInAddBuffer), ref: 10007E3C
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInStart), ref: 10007E49
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInStop), ref: 10007E56
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInReset), ref: 10007E63
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutClose), ref: 10007E70
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutOpen), ref: 10007E7D
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutPrepareHeader), ref: 10007E8A
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutUnprepareHeader), ref: 10007E97
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutWrite), ref: 10007EA4
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutReset), ref: 10007EB1
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveInGetNumDevs), ref: 10007EBE
Part of subcall function 10007D90: GetProcAddress.KERNEL32(00000000,waveOutGetNumDevs), ref: 10007ECB

lstrcpyA.KERNEL32(?,?), ref: 10001785
lstrlenA.KERNEL32(?), ref: 1000178C

Strings

y, xrefs: 10001668

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Createlstrcpylstrlen$EventThread
String ID: y
API String ID: 2996987224-4225443349
Opcode ID: a361888cc31c9575b63174debee5a18172999c86f9aa66219a0c2b1a174fb9dd
Instruction ID: af167092927e10a679852101891b661ad51d6842b7c21ec34bbaf13cc3aa2fa2
Opcode Fuzzy Hash: a361888cc31c9575b63174debee5a18172999c86f9aa66219a0c2b1a174fb9dd
Instruction Fuzzy Hash: 64517371A0421AEFEB24CF54CC84BEEB7B9FF48384F104569E909A7284D774AA45CF90

Function 10002A30 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 100020B0: RtlEnterCriticalSection.NTDLL(?), ref: 100020BE
Part of subcall function 100020B0: LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10002A71,?,?,?,00000001,00000000), ref: 100020DF

??2@YAPAXI@Z.MSVCRT(-0000000D,00000000,00000004,00000000,00000004,?,00000005,00000005,00000000,?,?,?,00000001,00000000), ref: 10002B2B
??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 10002B3C

Part of subcall function 10002C10: setsockopt.WS2_32(?,0000FFFF,00000080), ref: 10002C43
Part of subcall function 10002C10: CloseHandle.KERNEL32(?,00000000,?,10002D29,00000001,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C61
Part of subcall function 10002C10: InterlockedExchange.KERNEL32(?,00000000), ref: 10002C7A
Part of subcall function 10002C10: SetEvent.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C87

_CxxThrowException.MSVCRT(00000000,1001CBA0), ref: 10002BC2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000000), ref: 10002BDC
??3@YAXPAX@Z.MSVCRT(0000C350,?,?,?,00000001,00000000), ref: 10002BEC

Strings

bad buffer, xrefs: 10002BBB

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@??3@CriticalSection$CloseEnterEventExceptionExchangeHandleInterlockedLeaveThrowsetsockopt
String ID: bad buffer
API String ID: 641293571-1711599440
Opcode ID: d96938c118ce68f67217a34d3d27597d2f933f2a60fbb7c786bce2b32a603454
Instruction ID: 9a9b993668a07305b523280f466ea0fce0381f623e4e1eacb80697eb1d8c9a91
Opcode Fuzzy Hash: d96938c118ce68f67217a34d3d27597d2f933f2a60fbb7c786bce2b32a603454
Instruction Fuzzy Hash: FA517575A002099BEB04CFA4C841BEFB7F5EF49390F108169F919AB345DB74EA44CBA1

Function 10007340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95stringtimeCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 1000737B
GetWindowTextA.USER32(?,?,00000100), ref: 100073A7
GetLocalTime.KERNEL32(?,?,00000000), ref: 100073B2
wsprintfA.USER32 ref: 1000741A
lstrcatA.KERNEL32(0374FEEF,?,?,00000000), ref: 1000747D

Strings

[%02d/%02d/%d %02d:%02d:%02d] (%s), xrefs: 10007414

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Window$ActiveLocalTextTimelstrcatwsprintf
String ID: [%02d/%02d/%d %02d:%02d:%02d] (%s)
API String ID: 1894908016-1373887856
Opcode ID: f24776cc03b3dd5d010d1dcb00fd0101351453d60cdaaeb0251d000901747dc1
Instruction ID: 19c45f92cf89595fbc6223d1057c6619acf8e283015449798aec2d5c2a0f88c6
Opcode Fuzzy Hash: f24776cc03b3dd5d010d1dcb00fd0101351453d60cdaaeb0251d000901747dc1
Instruction Fuzzy Hash: 7031A7716042166BE714DF54CCC0AB7B7A9FF85340F148638F24987295D734E84ACBA1

Function 100065E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10006605
strrchr.MSVCRT ref: 10006621

Strings

D, xrefs: 10006667

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: mallocstrrchr
String ID: D
API String ID: 4015919094-2746444292
Opcode ID: 110a76b35a83b9e09891d82c0ef76cb4d141912cc19111e82969624b66046067
Instruction ID: 50982d5a6020367e856e1b57cecc3345553be0746b85b2d99767dbbdce1aad87
Opcode Fuzzy Hash: 110a76b35a83b9e09891d82c0ef76cb4d141912cc19111e82969624b66046067
Instruction Fuzzy Hash: 27110AB66042111BD704DA699C41AABB3DAEBD4370F10443EFE05C7240DA76E90E87B6

Function 10005300 Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,10004760), ref: 10005334

Part of subcall function 100053E0: lstrlenA.KERNEL32(?,?,?,100054C1,00000000,00000000,?,00000001,?,?,?,?,1000474D), ref: 100053EE
Part of subcall function 100053E0: lstrlenA.KERNEL32(?,?,?,?,?,?,1000474D), ref: 10005413

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen$CreateFile
String ID:
API String ID: 2663515375-0
Opcode ID: b8c380e7dce78efff2a5ac8cb61386713f543e3fb0f4aa409961d38dbb4201c7
Instruction ID: 35a12630f601b58546c28f6fc7a990252fed25b736e8cc9e7007916ef77dadcd
Opcode Fuzzy Hash: b8c380e7dce78efff2a5ac8cb61386713f543e3fb0f4aa409961d38dbb4201c7
Instruction Fuzzy Hash: F221A176300210ABE310DBA5DC89F5BB7D8EB857A2F10852AF705DA2C0D6B2E8058775

Function 1000DEB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 1000DEE1

Strings

Mozilla/4.0 (compatible), xrefs: 1000DED8

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: InternetOpen
String ID: Mozilla/4.0 (compatible)
API String ID: 2038078732-4055971283
Opcode ID: 38de19a4d697ab5c458d48d632a4ad5c53b77928719eb392ab8bd667d8277d6b
Instruction ID: c6275882488cdaa3bbd96dbbe5950625dbdf7574c7085ac772b225dbd67db6ca
Opcode Fuzzy Hash: 38de19a4d697ab5c458d48d632a4ad5c53b77928719eb392ab8bd667d8277d6b
Instruction Fuzzy Hash: 3D1106B61442297FE210AA54ECC49EF73DCFBC52A5F50443AFA8582100DA3A5C4E87F1

Function 1000BB50 Relevance: 9.1, APIs: 6, Instructions: 105windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,000000E4,00000000,00000000,000000E8,00000000,1000B541,?,?,00000001), ref: 1000BB7B
GetDC.USER32(00000000), ref: 1000BBD6
CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 1000BBE3
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000BBF6
ReleaseDC.USER32(00000000,00000000), ref: 1000BBFF
DeleteObject.GDI32(00000000), ref: 1000BC06

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@BitmapBitsCompatibleCreateDeleteObjectRelease
String ID:
API String ID: 1095915628-0
Opcode ID: 3dae8aaf770cb41d58ea95507ed154b75719f04e5b5112916bab723a4d18c43b
Instruction ID: 2307c6c186324f2ae16cdbb63c0ba819760e6dcacf4b185f00fc2209766e07d7
Opcode Fuzzy Hash: 3dae8aaf770cb41d58ea95507ed154b75719f04e5b5112916bab723a4d18c43b
Instruction Fuzzy Hash: 9E31F5712057019FE324CF69CCC4B6AFBE6FF85344F148A6DE5458B2A1E770A519CB50

Function 10001000 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1000101F
CreateEventA.KERNEL32(00000000,00000000,00000001,00000000), ref: 10001030
??2@YAPAXI@Z.MSVCRT(0000065A), ref: 1000105E
??2@YAPAXI@Z.MSVCRT(00000020,0000065A), ref: 1000106B
??2@YAPAXI@Z.MSVCRT(00000659,00000020,0000065A), ref: 10001076
??2@YAPAXI@Z.MSVCRT(00000020,00000659,00000020,0000065A), ref: 10001080

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@$CreateEvent
String ID:
API String ID: 747899935-0
Opcode ID: 61e94f496dff1fdbe9f706781d4accd5db0c1371fb7ff4fbbbacbe3407bbcadd
Instruction ID: 66166fe019f6cc7d73fbe8937caf68fb54692c18c636b83b307f65a6958812a2
Opcode Fuzzy Hash: 61e94f496dff1fdbe9f706781d4accd5db0c1371fb7ff4fbbbacbe3407bbcadd
Instruction Fuzzy Hash: 35215E70500B40DFD324CF6AC948657FBF8FF89704F50995EE48A8BA21E3B6A542CB55

Function 10004440 Relevance: 9.1, APIs: 6, Instructions: 75filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004500: GetFileAttributesA.KERNEL32(?,10005C14,?,?,?,?,?,?,?,?,?,?,?), ref: 10004505

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,10000000,00000000), ref: 10004486
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000), ref: 100044A6
GetFileTime.KERNEL32(00000000,?,00000000,?), ref: 100044C6
SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 100044D9
CloseHandle.KERNEL32(00000000), ref: 100044E5
CloseHandle.KERNEL32(00000000), ref: 100044E8

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$CloseCreateHandleTime$Attributes
String ID:
API String ID: 32189433-0
Opcode ID: 2baecb18b649f6f8a9dec83898c75f825ee1f349f33f97098441d87da8efe3fb
Instruction ID: 9f761871e21ce5ef95ec9f7aecb2290d08f757f126132ced89acc5afaffe0d3e
Opcode Fuzzy Hash: 2baecb18b649f6f8a9dec83898c75f825ee1f349f33f97098441d87da8efe3fb
Instruction Fuzzy Hash: F1115C752803253BF610DB149C46FFB335CEB827A4F110525FE60670D2EA65B90F8269

Function 10001530 Relevance: 9.1, APIs: 6, Instructions: 60windowsynchronizationCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10001540
WaitForSingleObject.KERNEL32(000003C0,000000FF,?,00000000,00000000), ref: 1000155E
SetEvent.KERNEL32(?,?,00000000,00000000), ref: 10001588
TranslateMessage.USER32(?), ref: 100015A1
DispatchMessageA.USER32(?), ref: 100015AC
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100015BD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Message$DispatchEventObjectSingleTranslateWait
String ID:
API String ID: 2282562747-0
Opcode ID: e714a10e7bc226875c4acc449bc130b2da934dc03aa6777fd49c69841cf76187
Instruction ID: 3063a511fdbd1596220885c6c8794ff2433b4b6aef92a0267a4fd02e0e7f4755
Opcode Fuzzy Hash: e714a10e7bc226875c4acc449bc130b2da934dc03aa6777fd49c69841cf76187
Instruction Fuzzy Hash: 2011DD71200710AFE320DF64CC88FAB77E8EB84361F208A1CF6468A290D730E541CB61

Function 1000C530 Relevance: 9.1, APIs: 6, Instructions: 51stringCOMMON

Download Yara Rule

APIs

QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,1000C692,00000000,?,?,?,?,?,1000C86F), ref: 1000C545
GetLastError.KERNEL32(?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C54B
??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C55F
QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C577
strncpy.MSVCRT ref: 1000C593
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,1000C86F,00000000,00000001,00000000), ref: 1000C5A2

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Config2QueryService$??2@??3@ErrorLaststrncpy
String ID:
API String ID: 2928110557-0
Opcode ID: cf92b39a08ed5f0838b8c4f498ceb89646618d8ef60bafa07ac91bd4fb39c27c
Instruction ID: ccc91cc0d7f08a738f4041513acf8e6201f6bcd71faeada869624a4bb54e57c3
Opcode Fuzzy Hash: cf92b39a08ed5f0838b8c4f498ceb89646618d8ef60bafa07ac91bd4fb39c27c
Instruction Fuzzy Hash: AE01DF756413116FF200DB24CC85FAB73ECEF95B91F104928F845D7254D630ED89CAA2

Function 1000AA30 Relevance: 9.1, APIs: 6, Instructions: 51synchronizationCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 1000AA68
InterlockedExchange.KERNEL32(?,00000000), ref: 1000AA70
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,10018518,000000FF,10006189,?), ref: 1000AA78
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,10018518,000000FF,10006189,?), ref: 1000AA84
CloseHandle.KERNEL32(?,?,?,?,00000000,10018518,000000FF,10006189,?), ref: 1000AA94
CloseHandle.KERNEL32(?,?,?,?,00000000,10018518,000000FF,10006189,?), ref: 1000AA9A

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseExchangeHandleInterlockedObjectSingleWait
String ID:
API String ID: 2999756886-0
Opcode ID: 2bdec2ded0cbf8019bccef691f467e93023550800d5c1f9e65f332110ebe21b7
Instruction ID: 7a3cf7975be31c6e2902c245e600b497fb14f5fc4228311dd894c5f95533de84
Opcode Fuzzy Hash: 2bdec2ded0cbf8019bccef691f467e93023550800d5c1f9e65f332110ebe21b7
Instruction Fuzzy Hash: 83115A75200B11AFD324EF68CD44B5AB3E8FB89B20F604B0DE166876E0C7B4F4418B51

Function 10010ED0 Relevance: 9.0, APIs: 6, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,10018758,000000FF,10006269,?), ref: 10010F00
InterlockedExchange.KERNEL32(?,00000000), ref: 10010F0C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,10018758,000000FF,10006269,?), ref: 10010F18
CloseHandle.KERNEL32(?,?,?,?,00000000,10018758,000000FF,10006269,?), ref: 10010F28
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,10018758,000000FF,10006269,?), ref: 10010F34
CloseHandle.KERNEL32(?,?,?,?,00000000,10018758,000000FF,10006269,?), ref: 10010F3E

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$EventExchangeInterlocked
String ID:
API String ID: 375221225-0
Opcode ID: ab6ff7d4bf20f4d30b85263a0a3f5e28b2b43176370e4fbbcb427e69001327fb
Instruction ID: 6656d6caa7f59f1174fc9046a3b02d0fb2a62b35c03b7816cb373d66173f4f8e
Opcode Fuzzy Hash: ab6ff7d4bf20f4d30b85263a0a3f5e28b2b43176370e4fbbcb427e69001327fb
Instruction Fuzzy Hash: 42015E75104751ABD724DF68CD44B1BB7E8FB84A20F504B0DF062937D0CB78E4418B61

Function 10003310 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000337C

Part of subcall function 100030C0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100030E9

LsaFreeMemory.ADVAPI32(?), ref: 100033AA
LsaFreeMemory.ADVAPI32(?), ref: 100033D5

Part of subcall function 10003170: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,00000000,00000000), ref: 100031A9

Strings

L$_RasDefaultCredentials#0, xrefs: 10003336
RasDialParams!%s#0, xrefs: 1000333F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FreeMemory$ByteCharMultiOpenPolicyWidewsprintf
String ID: L$_RasDefaultCredentials#0$RasDialParams!%s#0
API String ID: 3354934605-1591505386
Opcode ID: 70163f9b3af6be6b5be40d2c2da32c6e5157fc9f19e5dbbaafcc430383b8a51c
Instruction ID: 8af141370f3604badf699e3bae083c76512854c321c477382d02567cb4b8527a
Opcode Fuzzy Hash: 70163f9b3af6be6b5be40d2c2da32c6e5157fc9f19e5dbbaafcc430383b8a51c
Instruction Fuzzy Hash: A1218075609711ABE305DF14D89497BB3E9EB9C740F00C92CF58583350DA35E905CBD1

Function 10005860 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,100047D9), ref: 1000588C
SetFilePointer.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,100047D9,?,?), ref: 1000589D
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,100047D9,?,?), ref: 100058B7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,100047D9,?,?), ref: 100058C0

Strings

p, xrefs: 100058C8

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID: p
API String ID: 3604237281-2181537457
Opcode ID: 050d94bb32062409aa7a7fde6cb114933b75779df512d31aab03dd74b92d6c19
Instruction ID: 98fcecea56438d191367761a95eebc866caada0297812001dca12dab580af41d
Opcode Fuzzy Hash: 050d94bb32062409aa7a7fde6cb114933b75779df512d31aab03dd74b92d6c19
Instruction Fuzzy Hash: E6119D71644311ABE300DB64CC85F5BB7E8EB88725F104A19F654972C0D6B0A90587A1

Function 100030C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100030E9
LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 10003130
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,10003391,?), ref: 1000313B
LsaClose.ADVAPI32(?), ref: 10003148

Strings

L$_RasDefaultCredentials#0, xrefs: 100030C3

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@CloseDataOpenPolicyPrivateRetrieve
String ID: L$_RasDefaultCredentials#0
API String ID: 1135507544-2801509457
Opcode ID: 70decd187852c42fb8ad1ea49487745be656ca530e89d296a450a9594fcd2512
Instruction ID: d930f1fe99a99cb84fed9572afef1adfec43b34379e7d2077a596b9b937d1ef1
Opcode Fuzzy Hash: 70decd187852c42fb8ad1ea49487745be656ca530e89d296a450a9594fcd2512
Instruction Fuzzy Hash: 42113DB5218312AFE704CB64D855D6BB7F9EBC4314F008D2DF54987250EA34E90987A2

Function 10003FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 10004010

Part of subcall function 10003F10: _itoa.MSVCRT ref: 10003F70
Part of subcall function 10003F10: tolower.MSVCRT ref: 10003F90

lstrcpyA.KERNEL32(?,100231E4,74DE83C0), ref: 10004034
lstrcpyA.KERNEL32(00000000,?,?), ref: 10004045
lstrcatA.KERNEL32(?,?,?,?), ref: 10004050

Strings

c:\windows\system32\ntfastuserswitchingcompatibility.dll, xrefs: 1000402D, 10004032

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$_itoalstrcattolower
String ID: c:\windows\system32\ntfastuserswitchingcompatibility.dll
API String ID: 925287400-497848748
Opcode ID: c2a66cd827a1df8d6ad43e52d7bdaaaca8bc16a4a2ff35431ff4041789477425
Instruction ID: 3430b5d6a77ed7efc56c97cefb7968c38bb4cc9831c778a0d7cd68f4141844cb
Opcode Fuzzy Hash: c2a66cd827a1df8d6ad43e52d7bdaaaca8bc16a4a2ff35431ff4041789477425
Instruction Fuzzy Hash: 58F02DB65041557BE311D718DC41ADFBBACEFC4344F414825FA8493111DE39E605C6A3

Function 1000FE70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1000FE71
GetThreadDesktop.USER32(00000000), ref: 1000FE78

Part of subcall function 1000FE20: OpenDesktopA.USER32(?,00000000,00000000,400001CF), ref: 1000FE33

PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 1000FEA4
SetThreadDesktop.USER32(00000000), ref: 1000FEAF

Strings

Winlogon, xrefs: 1000FE7E

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: DesktopThread$CurrentMessageOpenPost
String ID: Winlogon
API String ID: 1322334875-744610081
Opcode ID: 9cd0df13864954e37531b2e20d28c0dad0331a034cfe48f2a33928f3dd5328b2
Instruction ID: 2c8d7c889e91d81891430f3cb9a486037273bb2d0e1e173fcd901e48b06b4e73
Opcode Fuzzy Hash: 9cd0df13864954e37531b2e20d28c0dad0331a034cfe48f2a33928f3dd5328b2
Instruction Fuzzy Hash: 17E07D3394137037F11163B0FC4DBDB320C9F04B40F010060F901D54E6E3608A8351C1

Function 1000C290 Relevance: 7.6, APIs: 5, Instructions: 129networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 1000C2DE
select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 1000C327
recv.WS2_32(?,?,00002000,00000000), ref: 1000C354
recv.WS2_32(?,?,00002000,00000000), ref: 1000C3A3
InterlockedDecrement.KERNEL32(?), ref: 1000C3E4

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Interlockedrecv$DecrementIncrementselect
String ID:
API String ID: 1404081449-0
Opcode ID: 9390e51d58d2e4e49001cfdec0295a780ca1f6801afc08e7fd4db451642b6bd2
Instruction ID: 6933bfc1820f7317c8b85e4648be5788c249f49a7d7f328b644ba1aa81eb6dcf
Opcode Fuzzy Hash: 9390e51d58d2e4e49001cfdec0295a780ca1f6801afc08e7fd4db451642b6bd2
Instruction Fuzzy Hash: 2E4191715143059FE350CF64CC84FABB7E8FB88780F118929F689D7255EB74E9058BA2

Function 1000F240 Relevance: 7.6, APIs: 5, Instructions: 98stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10002EB0: ??2@YAPAXI@Z.MSVCRT(00000032), ref: 10002ED0
Part of subcall function 10002EB0: ??2@YAPAXI@Z.MSVCRT(?,?,?,00003C14), ref: 10002F0D
Part of subcall function 10002EB0: ??2@YAPAXI@Z.MSVCRT(00000014,?,?,?,00003C14), ref: 10002F1C

lstrlenA.KERNEL32(?), ref: 1000F28B
LocalAlloc.KERNEL32(00000040,00000001), ref: 1000F2A8
lstrlenA.KERNEL32(?), ref: 1000F2E8
LocalSize.KERNEL32(00000000), ref: 1000F32C
LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000F33E

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@Local$lstrlen$AllocFreeSize
String ID:
API String ID: 1159677751-0
Opcode ID: 3daddb49bfaab0ac9af8f386de5c20385b6e1807fbc1840197b9e146fcde1b75
Instruction ID: 7ec2a9a6a24af1fca9dc03ce2afd0d48a87c704c74bc04ad592828f50f836d82
Opcode Fuzzy Hash: 3daddb49bfaab0ac9af8f386de5c20385b6e1807fbc1840197b9e146fcde1b75
Instruction Fuzzy Hash: CA31AD756083468FE310CF68C884B2BBBE4FB89794F50092CF99697350DB34E905CB92

Function 1000AAD0 Relevance: 7.6, APIs: 5, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AAF6
CloseHandle.KERNEL32(?,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB00
??2@YAPAXI@Z.MSVCRT(0000010C,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB21
??2@YAPAXI@Z.MSVCRT(0000010C,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB52

Part of subcall function 1000B340: LoadCursorA.USER32(00000000,00000000), ref: 1000B3FD

??2@YAPAXI@Z.MSVCRT(0000010C,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB79

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@$CloseCursorHandleLoadObjectSingleWait
String ID:
API String ID: 1916621575-0
Opcode ID: 0edb3742b9e70797271fb7092c1c07f40a445e6764adbf61d57c4cc643c556b2
Instruction ID: c16e0c3c8d0e8f66b67207309a1fc2b5f867ab8e474a515e5d48708e088236fd
Opcode Fuzzy Hash: 0edb3742b9e70797271fb7092c1c07f40a445e6764adbf61d57c4cc643c556b2
Instruction Fuzzy Hash: 6F31A270644741ABF764CF688C46B1BB6E2EF49750F100B1DF2869B6C5D7B1F5848B82

Function 1000BD00 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 1000BD6B
SelectObject.GDI32(?,00000000), ref: 1000BD7D
BitBlt.GDI32(?,?,00000000,?,?,?,?,00000000,?), ref: 1000BDA3
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 1000BDC9
DeleteObject.GDI32(00000014), ref: 1000BDF4

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Object$CreateDeleteSectionSelect
String ID:
API String ID: 3188413882-0
Opcode ID: cb4c91a91ec40212f83b318646cf78a46873ebbccb8fe8d3ca900bc4b95d8c21
Instruction ID: 51ac644a6b47b0063b7d59b13056256968306f443c079514c14c53eb9ef9b88e
Opcode Fuzzy Hash: cb4c91a91ec40212f83b318646cf78a46873ebbccb8fe8d3ca900bc4b95d8c21
Instruction Fuzzy Hash: 7F31C7B5200706AFE218CF64CD84F67F7A9EB88750F20861DF65A87795DB70B8058BA4

Function 10009EE0 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 10008B50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,100069EA,?,?,?,?,00000000,?,?,10018423,000000FF), ref: 10008B6E

??2@YAPAXI@Z.MSVCRT ref: 10009F26
GetTickCount.KERNEL32 ref: 10009F57
srand.MSVCRT ref: 10009F5E
rand.MSVCRT ref: 10009F78
_ftol.MSVCRT ref: 10009F8B

Part of subcall function 10004590: GetLogicalDriveStringsA.KERNEL32(00000100,10022250), ref: 10004600

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@CountCreateDriveEventLogicalStringsTick_ftolrandsrand
String ID:
API String ID: 4015177446-0
Opcode ID: 54c1280f083fabc706971d8402f1351239ce8b1f69712b245c79fca529cacea8
Instruction ID: f327c0a63e92a93478d21bb1adf537dbe976f36a77c0ae606c33f417fecec70d
Opcode Fuzzy Hash: 54c1280f083fabc706971d8402f1351239ce8b1f69712b245c79fca529cacea8
Instruction Fuzzy Hash: 5A2104B4A047819BE320DF64CC0174BBAE4FB84750F004E3DF18987291D778D58587E6

Function 10007730 Relevance: 7.6, APIs: 5, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(0374FFF3,40000000,00000002,00000000,00000002,00000080,00000000), ref: 100077D2
CloseHandle.KERNEL32(00000000), ref: 100077D9

Part of subcall function 10008C60: SetEvent.KERNEL32(?,1000AC78), ref: 10008C64

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseCreateEventFileHandle
String ID:
API String ID: 3912643050-0
Opcode ID: e10b5f9974eee32fbc983bcac8e77985a8d0fb696217de6fa9bac905f2aae5da
Instruction ID: 3b90916ad05f1dbe7ff2930bdbe7989b8f7db4f520b4571b44304b0f4c43e15d
Opcode Fuzzy Hash: e10b5f9974eee32fbc983bcac8e77985a8d0fb696217de6fa9bac905f2aae5da
Instruction Fuzzy Hash: 6B11ECB6E443503BF21097749CCAF457B98FF567E0F69C400F6889B2D5D278E8468B51

Function 10002500 Relevance: 7.6, APIs: 5, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,00000000,1001826C,000000FF,1000EA41), ref: 1000253F
RtlDeleteCriticalSection.NTDLL(?), ref: 1000254C
CloseHandle.KERNEL32(?), ref: 10002571
CloseHandle.KERNEL32(?), ref: 1000257E
CloseHandle.KERNEL32(?), ref: 1000258B

Part of subcall function 10002C10: setsockopt.WS2_32(?,0000FFFF,00000080), ref: 10002C43
Part of subcall function 10002C10: CloseHandle.KERNEL32(?,00000000,?,10002D29,00000001,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C61
Part of subcall function 10002C10: InterlockedExchange.KERNEL32(?,00000000), ref: 10002C7A
Part of subcall function 10002C10: SetEvent.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C87

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteEventExchangeInterlockedObjectSectionSingleWaitsetsockopt
String ID:
API String ID: 2396390014-0
Opcode ID: 0e393731d353be32b2e127549977796eea19de25533c427b755fcf8894d00bd2
Instruction ID: 8bef55f79c537d903b33c873b7072fcf1dd7577b5910eb1daa6b24c63aa955b4
Opcode Fuzzy Hash: 0e393731d353be32b2e127549977796eea19de25533c427b755fcf8894d00bd2
Instruction Fuzzy Hash: 55214A74104B42DFE310DF78C945BABB7E8EF45760F504A0DE4AA932D1CBB8A549CB62

Function 1000AF80 Relevance: 7.5, APIs: 5, Instructions: 47keyboardsleepwindowCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000000), ref: 1000AFFF

Part of subcall function 1000FCF0: GetCurrentThreadId.KERNEL32 ref: 1000FD2A
Part of subcall function 1000FCF0: GetThreadDesktop.USER32(00000000), ref: 1000FD31
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD58
Part of subcall function 1000FCF0: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 1000FD65
Part of subcall function 1000FCF0: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 1000FD92
Part of subcall function 1000FCF0: lstrcmpiA.KERNEL32(?,?), ref: 1000FDA5
Part of subcall function 1000FCF0: SetThreadDesktop.USER32(00000000), ref: 1000FDB0
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDBC
Part of subcall function 1000FCF0: CloseDesktop.USER32(00000000), ref: 1000FDC3

Part of subcall function 1000B2F0: GetSystemMetrics.USER32(00000000), ref: 1000B2FD
Part of subcall function 1000B2F0: GetSystemMetrics.USER32(00000001), ref: 1000B30A

SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1000AFC5
SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1000AFDC
BlockInput.USER32(?), ref: 1000AFE8
Sleep.KERNEL32(00000064,?), ref: 1000AFEF

Part of subcall function 1000AAD0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AAF6
Part of subcall function 1000AAD0: CloseHandle.KERNEL32(?,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB00
Part of subcall function 1000AAD0: ??2@YAPAXI@Z.MSVCRT(0000010C,?,-000000EF,10018551,000000FF,1000AC98,?,?,?,?,?,?,10018560,000000FF), ref: 1000AB21

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Desktop$CloseInputObjectSystemThread$BlockInformationMetricsUser$??2@CurrentHandleInfoMessageOpenParametersSendSingleSleepWaitlstrcmpi
String ID:
API String ID: 740750373-0
Opcode ID: f435ed74a13a22bef2df247e7da704e24a933c66ef5f27635c3bf10c881b5510
Instruction ID: a0411bbe196c861a255e14ab8482baec7cda1581548584a6b3b51076f21c320f
Opcode Fuzzy Hash: f435ed74a13a22bef2df247e7da704e24a933c66ef5f27635c3bf10c881b5510
Instruction Fuzzy Hash: 2101F434340B6626F815EBB44C13FBE63A68F46F90F500224F641AF1D7CEA0B9828266

Function 100114D0 Relevance: 7.5, APIs: 5, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,1001111E,00000000,00000000), ref: 100114D9
InterlockedExchange.KERNEL32(?,00000000), ref: 100114EB
WaitForSingleObject.KERNEL32(?,000000FF,?,?,1001111E,00000000,00000000), ref: 100114F3
CloseHandle.KERNEL32(?,?,?,1001111E,00000000,00000000), ref: 100114FD
InterlockedExchange.KERNEL32(?,00000001), ref: 10011514

Part of subcall function 1000F8C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1000F8E3
Part of subcall function 1000F8C0: _beginthreadex.MSVCRT ref: 1000F914
Part of subcall function 1000F8C0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 1000F925
Part of subcall function 1000F8C0: CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 1000F930

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseEventExchangeHandleInterlockedObjectSingleWait$Create_beginthreadex
String ID:
API String ID: 2063638787-0
Opcode ID: 5a6ac7d1b0c436b94483acd6c2cb7d206b3c1862cded722dd60769c6b399e5d5
Instruction ID: 48f237a8366ebc223bc9b97353494f3887643bda8d4ebcaa56c57230d8d261f5
Opcode Fuzzy Hash: 5a6ac7d1b0c436b94483acd6c2cb7d206b3c1862cded722dd60769c6b399e5d5
Instruction Fuzzy Hash: 67F03C76601710BBE220DB65CDC5F57B7A9FB88B50F10491EF646976D0C6B0F8418B64

Function 100104B0 Relevance: 7.5, APIs: 5, Instructions: 34stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 100104C1
??2@YAPAXI@Z.MSVCRT(-00000002), ref: 100104C7
lstrcpyA.KERNEL32(00000001,?), ref: 100104D9
lstrlenA.KERNEL32(?), ref: 100104E0

Part of subcall function 10002CB0: _ftol.MSVCRT ref: 10002CDA
Part of subcall function 10002CB0: ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 10002CEE
Part of subcall function 10002CB0: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002D18

??3@YAXPAX@Z.MSVCRT(00000000,00000000,-00000002), ref: 100104F0

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@??3@lstrlen$_ftollstrcpy
String ID:
API String ID: 3848992645-0
Opcode ID: 468ecd4a064016e0ef7a2722637addccbc0888fc4b662e968d89d86cc543395c
Instruction ID: 0ba9a72fe59971bf147405c93f75d729831222d70f2ac625f431fbc9393c8e4a
Opcode Fuzzy Hash: 468ecd4a064016e0ef7a2722637addccbc0888fc4b662e968d89d86cc543395c
Instruction Fuzzy Hash: E8E0E5B61001146BD321DBA89C86C6FB7ECDE8A6203044039F954C2211DA24FD15C2BB

Function 1000FE20 Relevance: 7.5, APIs: 5, Instructions: 29threadCOMMON

Download Yara Rule

APIs

OpenDesktopA.USER32(?,00000000,00000000,400001CF), ref: 1000FE33
OpenInputDesktop.USER32(00000000,00000000,400001CF,00000000,1000FE8A,Winlogon), ref: 1000FE3B
SetThreadDesktop.USER32(00000000), ref: 1000FE4A
CloseDesktop.USER32(00000000), ref: 1000FE55
CloseDesktop.USER32(00000000), ref: 1000FE5F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Desktop$CloseOpen$InputThread
String ID:
API String ID: 2140737182-0
Opcode ID: 74506eae9ca61d28c03b1ceef52a44e43d7a39fdf1e9496f4cad45f0f906f086
Instruction ID: 3bf1259209ea3a9f73d17ccb82421aded22d26d17ea9a27b29d646ab6c30b87c
Opcode Fuzzy Hash: 74506eae9ca61d28c03b1ceef52a44e43d7a39fdf1e9496f4cad45f0f906f086
Instruction Fuzzy Hash: 33E0DF322051B1BBF766A7B4FD4CBEB36D8DF54B91F120418F801D5869DB20CC83A690

Function 1000FDE0 Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1000FDE2
GetThreadDesktop.USER32(00000000,?,1000F892,?), ref: 1000FDE9
OpenInputDesktop.USER32(?,?,400001CF,?,1000F892,?), ref: 1000FE00
SetThreadDesktop.USER32(?,?,1000F892,?), ref: 1000FE09
CloseDesktop.USER32(?,?,1000F892,?), ref: 1000FE10

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Desktop$Thread$CloseCurrentInputOpen
String ID:
API String ID: 3320271406-0
Opcode ID: 31c57c5da1a14052f6a997407f1d3c3dc264658f2a2948afb07cdbd22614321d
Instruction ID: b266ecde92c8bd35eefa4d5b56a92da5e07cb84970874caf002aeb599b866017
Opcode Fuzzy Hash: 31c57c5da1a14052f6a997407f1d3c3dc264658f2a2948afb07cdbd22614321d
Instruction Fuzzy Hash: 46E0EC375024307BF21627A5AD8C8DF3BA9EF992A23160055FD05E3610CB349D4386E1

Function 10007569 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

GetKeyNameTextA.USER32(?,?,00000012), ref: 100076BB
lstrcatA.KERNEL32(?,?,?,?,1001FC0C), ref: 100076D4

Part of subcall function 10007340: GetActiveWindow.USER32 ref: 1000737B
Part of subcall function 10007340: GetWindowTextA.USER32(?,?,00000100), ref: 100073A7
Part of subcall function 10007340: GetLocalTime.KERNEL32(?,?,00000000), ref: 100073B2
Part of subcall function 10007340: wsprintfA.USER32 ref: 1000741A
Part of subcall function 10007340: lstrcatA.KERNEL32(0374FEEF,?,?,00000000), ref: 1000747D

CallNextHookEx.USER32(?,?,?,?), ref: 10007718

Strings

[, xrefs: 100076CF

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: TextWindowlstrcat$ActiveCallHookLocalNameNextTimewsprintf
String ID: [
API String ID: 4084906009-784033777
Opcode ID: 1bb54f8cd9c81fe92c787e8663e0ef886a3df5adc955d8d48d796583404072ea
Instruction ID: fffa581aa1580678c413b45b8af2dd02f6ad1efc5c2b646f9c08680e619892e6
Opcode Fuzzy Hash: 1bb54f8cd9c81fe92c787e8663e0ef886a3df5adc955d8d48d796583404072ea
Instruction Fuzzy Hash: 82418F71A04200ABF704DB58CC85B5B77D9FB44394F208829F94EC7255D679EA45CBA2

Function 1000C190 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,1000C290,?,00000000,?), ref: 1000C206
CloseHandle.KERNEL32(00000000), ref: 1000C20D
Sleep.KERNEL32(00000064), ref: 1000C211

Strings

106.54.31.97, xrefs: 1000C1CF

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseCreateHandleSleepThread
String ID: 106.54.31.97
API String ID: 3211747346-1974925957
Opcode ID: a55e30820760fc9d0a90c0ed2dabcf2e4e023acfd5ccc679597a6702a4b4611a
Instruction ID: a4932a84cc72e66aa7c905d1677d74a1375e99490b211b15bb5f2ca354761a9c
Opcode Fuzzy Hash: a55e30820760fc9d0a90c0ed2dabcf2e4e023acfd5ccc679597a6702a4b4611a
Instruction Fuzzy Hash: 3B11E575500318BBF310EFA4DC84FCABBE8FB48790F10841AFE0496191D774AA45CBA5

Function 10008D00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Windows\SysWOW64\svchost.exe.txt,40000000,00000000,00000000,00000004,80000000,00000000), ref: 10008D18
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10008D32

Part of subcall function 10008D70: GetLocalTime.KERNEL32(?,?,?), ref: 10008D7D

CloseHandle.KERNEL32(00000000), ref: 10008D47

Strings

C:\Windows\SysWOW64\svchost.exe.txt, xrefs: 10008D13

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: File$CloseCreateHandleLocalPointerTime
String ID: C:\Windows\SysWOW64\svchost.exe.txt
API String ID: 3016870023-2934787275
Opcode ID: 903df1d9b4c43022d9f70c7be17ec442a381808333c2653c11a1d3c029d19603
Instruction ID: a2712d6d41fdab37e3336db7829309fa3c0058c5b5c3007d8a9724518ff72612
Opcode Fuzzy Hash: 903df1d9b4c43022d9f70c7be17ec442a381808333c2653c11a1d3c029d19603
Instruction Fuzzy Hash: 26F08CF16412207AF220DBB09C4AF477798FB10794F208512F740E61E0DB70A9428668

Function 10009520 Relevance: 6.1, APIs: 4, Instructions: 108sleepnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 10009587
GetLastError.KERNEL32 ref: 100095AF
CloseHandle.KERNEL32(00000000), ref: 10009628
Sleep.KERNEL32(00000002), ref: 1000963E

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseErrorHandleLastSleepsend
String ID:
API String ID: 2824476468-0
Opcode ID: 8f8cc3be5943ba1277a01c5188e3b59e837b480e701ee4138cf675293fd2e916
Instruction ID: 7e7c372dbfe8420b3676c8949a9d1117bdec7cf934df9e9476b985f4172aad53
Opcode Fuzzy Hash: 8f8cc3be5943ba1277a01c5188e3b59e837b480e701ee4138cf675293fd2e916
Instruction Fuzzy Hash: E631E3367003025FE710DF69EC84BAAB7E4FB843A1F50462AF915D7284D736E819CBA1

Function 10009220 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 10009340: wvsprintfA.USER32(?,?,?), ref: 10009359
Part of subcall function 10009340: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10009375

Part of subcall function 10009180: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 10009193
Part of subcall function 10009180: GetModuleFileNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 100091AC

IsBadWritePtr.KERNEL32(?,00000008), ref: 100092C5

Strings

Call stack:, xrefs: 1000922A
%08X %08X %04X:%08X %s, xrefs: 1000929F, 10009318
Address Frame Logical addr Module, xrefs: 10009234

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: FileWrite$ModuleNameQueryVirtualwvsprintf
String ID: Call stack:$%08X %08X %04X:%08X %s$Address Frame Logical addr Module
API String ID: 1534363855-4054790616
Opcode ID: 04aa3042b8c97a28bc2d10742f7280aa3b50163d0a652a71b950d2500b7ea149
Instruction ID: 0697f19badc46e5e4433a19a11c76ee0839bfaed4885947fbb38dc9a1027bcf0
Opcode Fuzzy Hash: 04aa3042b8c97a28bc2d10742f7280aa3b50163d0a652a71b950d2500b7ea149
Instruction Fuzzy Hash: 443146B5204345AFE300CB64CC81EEB77E8EB98394F05492DFA8597245D674BE49CBA2

Function 100069C0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10008B50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,100069EA,?,?,?,?,00000000,?,?,10018423,000000FF), ref: 10008B6E

lstrcpyA.KERNEL32(?,?,?,?,?,?,00000000,?,?,10018423,000000FF,1000E7D6,?,?,00000000,?), ref: 10006A14
lstrcpyA.KERNEL32(106.54.31.97,?,?,?,?,?,00000000,?,?,10018423,000000FF,1000E7D6,?,?,00000000,?), ref: 10006A2D
??2@YAPAXI@Z.MSVCRT(00000150,?,?,?,?,00000000,?,?,10018423,000000FF,1000E7D6,?,?,00000000,?,00000000), ref: 10006A5A

Strings

106.54.31.97, xrefs: 10006A28

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrcpy$??2@CreateEvent
String ID: 106.54.31.97
API String ID: 2791942255-1974925957
Opcode ID: e134f13ffb8c24dc2d62397ca16f0c77d1beea33e7439abe65368f7a4ee1bd1a
Instruction ID: 0a2d435b4e485d9abd886ae4408bebd960578bbabb991c64343f8429fd2746cf
Opcode Fuzzy Hash: e134f13ffb8c24dc2d62397ca16f0c77d1beea33e7439abe65368f7a4ee1bd1a
Instruction Fuzzy Hash: E021B6B1644784AFE310DF29CC81AA7F7E9EB88740F50492EF199D3351D774AD448BA2

Function 10002CB0 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

_ftol.MSVCRT ref: 10002CDA
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 10002CEE
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002D18

Part of subcall function 10002C10: setsockopt.WS2_32(?,0000FFFF,00000080), ref: 10002C43
Part of subcall function 10002C10: CloseHandle.KERNEL32(?,00000000,?,10002D29,00000001,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C61
Part of subcall function 10002C10: InterlockedExchange.KERNEL32(?,00000000), ref: 10002C7A
Part of subcall function 10002C10: SetEvent.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C87

??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00002000,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002D65

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??3@$??2@CloseEventExchangeHandleInterlocked_ftolsetsockopt
String ID:
API String ID: 3759267959-0
Opcode ID: 4248e9d53b3a9520a3b443af3a0e3625cebfc22e4a92c9b15d03a671eb81b58c
Instruction ID: a82eb89146b91d1c8fcbceb9635cf8c98db54d7d9dd8f27b92d23084ea0aba12
Opcode Fuzzy Hash: 4248e9d53b3a9520a3b443af3a0e3625cebfc22e4a92c9b15d03a671eb81b58c
Instruction Fuzzy Hash: 3E21F97A6003005BE300DF24AC41A9BB7E4FFD4260F04893EE9498B351E635ED1DC7A2

Function 10002200 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 1000223C
_ftol.MSVCRT ref: 10002244
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,00000001,00000000), ref: 10002258

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: AllocVirtual_ftolceil
String ID:
API String ID: 3317677364-0
Opcode ID: c2dca44512219b7fb83611d2f0bce20509e341532632afd9ffe7ee130647b564
Instruction ID: 53ea5523ea8d014f377a144ee01325d09accd38a629327ea26eaee3fc8da2a83
Opcode Fuzzy Hash: c2dca44512219b7fb83611d2f0bce20509e341532632afd9ffe7ee130647b564
Instruction Fuzzy Hash: 8E11B1766047049BE700EF28AC8162AB7E4FBD4761F05853EEE458B385DAB5D80CCA61

Function 10002130 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 1000213E
LeaveCriticalSection.KERNEL32(?,?,?,?,10002B0A,?,00000005,00000005,00000000,?,?,?,00000001,00000000), ref: 10002154
memmove.MSVCRT(00000000,?,00000000,?,?,?,?,10002B0A,?,00000005,00000005,00000000,?,?,?,00000001), ref: 100021A5
LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,10002B0A,?,00000005,00000005,00000000,?,?,?,00000001,00000000), ref: 100021CA

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CriticalSection$Leave$Entermemmove
String ID:
API String ID: 72348100-0
Opcode ID: 02c5881f5de71edd52da51d134f5a3e9d88498508053709be6b1a21358569841
Instruction ID: 9e60299c8b75fe0f169ee7d02d19b55601b482b6c4be828aa03429a2a62f1f3a
Opcode Fuzzy Hash: 02c5881f5de71edd52da51d134f5a3e9d88498508053709be6b1a21358569841
Instruction Fuzzy Hash: D0114F363042155FAB04EF749C954AFB7E9EF58190740447DFA029764AEA65FD088690

Function 1000CF60 Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000,?,?,?,00000000,00000000), ref: 1000CFD3
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000), ref: 1000CFDD
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000), ref: 1000CFE9
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000), ref: 1000CFEF

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandle$TerminateThread
String ID:
API String ID: 2297604343-0
Opcode ID: 3180e13c5502522e8b60f32359bc7aea2f23e30ab53254faeb3301ad1e2e4eff
Instruction ID: b9c3adc7f1881e54d8db277d16c14423c0cc9cdfd2a1bb60bbe390163df199f8
Opcode Fuzzy Hash: 3180e13c5502522e8b60f32359bc7aea2f23e30ab53254faeb3301ad1e2e4eff
Instruction Fuzzy Hash: 7E118BB5100751AFD220DFA9CC94A6BB7E9FF88710F508A2DF1A5C3290C774E8068B62

Function 10005980 Relevance: 6.0, APIs: 4, Instructions: 48filestringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,0000006C), ref: 100059D6
lstrlenA.KERNEL32(?), ref: 100059D9
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 100059EE
MoveFileA.KERNEL32(?,?), ref: 100059FD

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: EnvironmentExpandStrings$FileMovelstrlen
String ID:
API String ID: 2348843127-0
Opcode ID: 1e1d96eb826dabbb9d65cbe321661885720f76cfbd22eaa7bdbe460a34f38d72
Instruction ID: 06965ef7cdc0c1b48746ced1b9013d9abdb7d785bbeabbbfa605649088b17061
Opcode Fuzzy Hash: 1e1d96eb826dabbb9d65cbe321661885720f76cfbd22eaa7bdbe460a34f38d72
Instruction Fuzzy Hash: 050128722083487FE721C764CC85EEBB39CEBC8314F00493DE78493180D9B8A4498BA2

Function 10002EB0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 1000FBC0: GetVersionExA.KERNEL32(?), ref: 1000FBE8
Part of subcall function 1000FBC0: GetVersionExA.KERNEL32(0000009C), ref: 1000FBFB

??2@YAPAXI@Z.MSVCRT(00000032), ref: 10002ED0
??2@YAPAXI@Z.MSVCRT(?,?,?,00003C14), ref: 10002F0D
??2@YAPAXI@Z.MSVCRT(00000014,?,?,?,00003C14), ref: 10002F1C

Strings

Administrator, xrefs: 10002ED7

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: ??2@$Version
String ID: Administrator
API String ID: 2225068111-3953216932
Opcode ID: 4d36150f1579c9b8415d2e57d2f002b41dd95c37e4b8b3a2fbc5caa5d94ebde7
Instruction ID: 558d487c31e109d08a9a3e5b9c040e9d154a126ddac5b3d211fb55738699049d
Opcode Fuzzy Hash: 4d36150f1579c9b8415d2e57d2f002b41dd95c37e4b8b3a2fbc5caa5d94ebde7
Instruction Fuzzy Hash: 11015EB16002004BEB1CCF6998967177EE5EB88350F44827DF909CF286DAB4CA55C7A1

Function 10002C10 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080), ref: 10002C43
CloseHandle.KERNEL32(?,00000000,?,10002D29,00000001,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C61
InterlockedExchange.KERNEL32(?,00000000), ref: 10002C7A
SetEvent.KERNEL32(?,?,?,?,?,?,00000000,00000001,00000000,?,?), ref: 10002C87

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CloseEventExchangeHandleInterlockedsetsockopt
String ID:
API String ID: 1964342788-0
Opcode ID: 1265f2bf70ba366a85945ef6a9dbcbe57ea2e9fa8063b0804b078248fc6a55d2
Instruction ID: aa136fb2e82eccb1206609a9b43f21ed24afc0070afd25f5b0d144598ee32008
Opcode Fuzzy Hash: 1265f2bf70ba366a85945ef6a9dbcbe57ea2e9fa8063b0804b078248fc6a55d2
Instruction Fuzzy Hash: 2A012CB5204711AFF760CB74C888F97B7E8AF05750F208A1DF6AA962D0DB70E449CB65

Function 10010AF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(1001C92C,00000000,00000001,Function_0001C89C,?,?,?,1001079C,?,?), ref: 10010B43

Strings

FriendlyName, xrefs: 10010C34

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: CreateInstance
String ID: FriendlyName
API String ID: 542301482-3623505368
Opcode ID: eb25323ec52006bde41c719710f1fb17023c2eb480ecab3671742410b7b31257
Instruction ID: b37ff70fe0b0d6427fd7f0b88af3d422d3385887e600ca9c90beefc1bdb9f24b
Opcode Fuzzy Hash: eb25323ec52006bde41c719710f1fb17023c2eb480ecab3671742410b7b31257
Instruction Fuzzy Hash: 07514675204242AFC300DF54C8C4E5ABBE9FBC9724F508A6DF5998B251C735E886CB62

Function 100040EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindWindowA.USER32(ConsoleWindowClass,?), ref: 10004124
ShowWindow.USER32(00000000,00000000), ref: 1000413B

Strings

ConsoleWindowClass, xrefs: 1000411F

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: Window$FindShow
String ID: ConsoleWindowClass
API String ID: 734913111-1331846550
Opcode ID: 3128ae5fef1927b3f7e6c0b1175190abce9f0e4b448057d3077a552c0386e025
Instruction ID: a1c387c3713c7d61773d8a15329f9209d97afdbceaf4d8f4a64b48846de3c466
Opcode Fuzzy Hash: 3128ae5fef1927b3f7e6c0b1175190abce9f0e4b448057d3077a552c0386e025
Instruction Fuzzy Hash: D2F0E579604342BFFB009BA4CC08BE777E4ABD4700F41882CFA5982290DA3495469712

Function 1000DE30 Relevance: 5.0, APIs: 4, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000007,?,00000000,00000000,1000DF61,?,?,?), ref: 1000DE4A
strchr.MSVCRT ref: 1000DE53
strchr.MSVCRT ref: 1000DE88
atoi.MSVCRT(00000001,?,00000000), ref: 1000DE98

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: strchr$atoilstrlen
String ID:
API String ID: 4225261964-0
Opcode ID: d3bb8a4772320cdef0ce329bb2c3b7911ef0930343e20bcf31dd9d5e547d0ab1
Instruction ID: 240adc4898ca67822d3507122bdb8a60305f516c8a8f6d18a4653e8b105263b6
Opcode Fuzzy Hash: d3bb8a4772320cdef0ce329bb2c3b7911ef0930343e20bcf31dd9d5e547d0ab1
Instruction Fuzzy Hash: 7F01F2366082415BE711DA699C0171BBBE8BFA6221F14412DFA098B280DBB5F905C3B6

Function 10002FC0 Relevance: 5.0, APIs: 4, Instructions: 32stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,1000310E,?,?), ref: 10002FCE
??2@YAPAXI@Z.MSVCRT(-00000002,?,?,1000310E,?,?), ref: 10002FE6
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,10003391,?), ref: 10002FFA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,10003391,?), ref: 10003002

Memory Dump Source

Source File: 00000001.00000002.2907615397.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2907605183.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907631825.0000000010019000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907647906.000000001001F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907661590.0000000010020000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907673112.0000000010021000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2907684502.0000000010024000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_svchost.jbxd

Similarity

API ID: lstrlen$??2@ByteCharMultiWide
String ID:
API String ID: 381304872-0
Opcode ID: e71279506fe58579f93d28621679cd3ee20d586726b107f9b97748cb78056758
Instruction ID: 1f58c3e89723d682c943b1ca80b9d8c7cbc71f3ab9a68266ad0b53e2ad0b0bf3
Opcode Fuzzy Hash: e71279506fe58579f93d28621679cd3ee20d586726b107f9b97748cb78056758
Instruction Fuzzy Hash: FBF030721402116AF324DB598C86F7BB7BCFF89710F04842EF59597250D638E805C376

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7wOqCnSoTo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\5870343.gho

C:\Windows\SysWOW64\ntfastuserswitchingcompatibility.dll (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
7wOqCnSoTo.exe

Function 004014C0 Relevance: 63.4, APIs: 32, Strings: 4, Instructions: 401
COMMON

Function 00403200 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 95
stringsleepCOMMON

Function 00403380 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 134
stringCOMMON

Function 004029E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85
servicesleepsynchronizationCOMMON

Function 00401030 Relevance: 12.1, APIs: 8, Instructions: 80
processCOMMON

Function 00402AE0 Relevance: 80.9, APIs: 34, Strings: 12, Instructions: 402
stringregistryserviceCOMMON

Function 00401AC0 Relevance: 70.4, APIs: 28, Strings: 12, Instructions: 355
registryCOMMON

Function 00402750 Relevance: 36.9, APIs: 12, Strings: 9, Instructions: 146
stringserviceCOMMON

Function 00402320 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 145
filetimeCOMMON

Function 00402250 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 65
stringCOMMON

Function 0040362E Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00402050 Relevance: 7.6, APIs: 5, Instructions: 146
registryCOMMON

Function 00401000 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Function 004014A0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre