Edit tour

Windows Analysis Report
BPD-003777.exe

Overview

General Information

Sample name:	BPD-003777.exe
Analysis ID:	1586799
MD5:	7957ec69d6c945909bc6c0ddb559ea4d
SHA1:	726a35777c75091a453e4f97b0240f0154479e89
SHA256:	dd4adfb0f1f95de3dedd0c8b827da2da21d852248118ff51fa66d989377ab9b1
Tags:	exeuser-lowmal3
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BPD-003777.exe (PID: 7968 cmdline: "C:\Users\user\Desktop\BPD-003777.exe" MD5: 7957EC69D6C945909BC6C0DDB559EA4D)

svchost.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\BPD-003777.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

WerFault.exe (PID: 8128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 560 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BPD-003777.exe", CommandLine: "C:\Users\user\Desktop\BPD-003777.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BPD-003777.exe", ParentImage: C:\Users\user\Desktop\BPD-003777.exe, ParentProcessId: 7968, ParentProcessName: BPD-003777.exe, ProcessCommandLine: "C:\Users\user\Desktop\BPD-003777.exe", ProcessId: 8020, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\BPD-003777.exe", CommandLine: "C:\Users\user\Desktop\BPD-003777.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BPD-003777.exe", ParentImage: C:\Users\user\Desktop\BPD-003777.exe, ParentProcessId: 7968, ParentProcessName: BPD-003777.exe, ProcessCommandLine: "C:\Users\user\Desktop\BPD-003777.exe", ProcessId: 8020, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BPD-003777.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: BPD-003777.exe

ReversingLabs: Detection: 62%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: BPD-003777.exe

Joe Sandbox ML: detected

Source: BPD-003777.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: BPD-003777.exe, 00000000.00000003.1342605000.0000000004330000.00000004.00001000.00020000.00000000.sdmp, BPD-003777.exe, 00000000.00000003.1342161692.0000000004330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BPD-003777.exe, 00000000.00000003.1342605000.0000000004330000.00000004.00001000.00020000.00000000.sdmp, BPD-003777.exe, 00000000.00000003.1342161692.0000000004330000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00464696
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046C93C FindFirstFileW,FindClose,	2_2_0046C93C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0046C9C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046F200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046F35D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0046F65E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00463A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00463A2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00463D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00463D4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0046BF27

Source: global traffic

TCP traffic: 192.168.2.9:61093 -> 162.159.36.2:53

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_004725E2

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: Amcache.hve.5.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0047425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_0047425A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00474458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_00474458

Source: C:\Windows\SysWOW64\svchost.exe

2_2_0047425A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00460219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

2_2_00460219

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0048CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

2_2_0048CDAC

System Summary

Binary is likely a compiled AutoIt script file

Source: BPD-003777.exe, 00000000.00000002.1350657292.0000000000902000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_18dc1d61-b
Source: BPD-003777.exe, 00000000.00000002.1350657292.0000000000902000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c1c5fb21-7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00403B4C
Source: svchost.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: svchost.exe, 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_121972e4-f
Source: svchost.exe, 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7c631f11-1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_0048C27C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C220 NtdllDialogWndProc_W,	2_2_0048C220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_0048C49C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_0048C788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C86D SendMessageW,NtdllDialogWndProc_W,	2_2_0048C86D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_0048C8EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CB50 NtdllDialogWndProc_W,	2_2_0048CB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CB7F NtdllDialogWndProc_W,	2_2_0048CB7F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CBF9 NtdllDialogWndProc_W,	2_2_0048CBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CBAE NtdllDialogWndProc_W,	2_2_0048CBAE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CC2E ClientToScreen,NtdllDialogWndProc_W,	2_2_0048CC2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CD6C GetWindowLongW,NtdllDialogWndProc_W,	2_2_0048CD6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_0048CDAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,	2_2_00401287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040167D NtdllDialogWndProc_W,	2_2_0040167D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_00403633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048D6C6 NtdllDialogWndProc_W,	2_2_0048D6C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004016DE GetParent,NtdllDialogWndProc_W,	2_2_004016DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004016B5 NtdllDialogWndProc_W,	2_2_004016B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	2_2_0048D74C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040189B NtdllDialogWndProc_W,	2_2_0040189B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048DA9A NtdllDialogWndProc_W,	2_2_0048DA9A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048BF4D NtdllDialogWndProc_W,CallWindowProcW,	2_2_0048BF4D

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00464021: CreateFileW,DeviceIoControl,CloseHandle,

2_2_00464021

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00458858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74285590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

2_2_00458858

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0046545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_0046545F

Source: C:\Users\user\Desktop\BPD-003777.exe	Code function: 0_2_03B42268	0_2_03B42268
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0048804A	2_2_0048804A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E060	2_2_0040E060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414140	2_2_00414140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00422405	2_2_00422405
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00436522	2_2_00436522
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00480665	2_2_00480665
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0043267E	2_2_0043267E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416843	2_2_00416843
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E800	2_2_0040E800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042283A	2_2_0042283A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004389DF	2_2_004389DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418A0E	2_2_00418A0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00480AE2	2_2_00480AE2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00436A94	2_2_00436A94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0045EB07	2_2_0045EB07
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00468B13	2_2_00468B13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CD61	2_2_0042CD61
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00437006	2_2_00437006
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041710E	2_2_0041710E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413190	2_2_00413190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401287	2_2_00401287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004233C7	2_2_004233C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F419	2_2_0042F419
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004216C4	2_2_004216C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415680	2_2_00415680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004158C0	2_2_004158C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004278D3	2_2_004278D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042DBB5	2_2_0042DBB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00421BB8	2_2_00421BB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00439D05	2_2_00439D05
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE40	2_2_0040FE40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00421FD0	2_2_00421FD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042BFE6	2_2_0042BFE6

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00420D27 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00428B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00407F41 appears 35 times

Source: C:\Windows\SysWOW64\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 560

Source: BPD-003777.exe, 00000000.00000003.1342605000.0000000004453000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BPD-003777.exe
Source: BPD-003777.exe, 00000000.00000003.1343729827.00000000045FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BPD-003777.exe

Source: BPD-003777.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.evad.winEXE@4/6@1/0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0046A2D5 GetLastError,FormatMessageW,

2_2_0046A2D5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00458713 AdjustTokenPrivileges,CloseHandle,		2_2_00458713
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00458CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_00458CC3

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0046B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_0046B59E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0047F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_0047F121

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0046C602 CoInitialize,CoCreateInstance,CoUninitialize,

2_2_0046C602

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00464189 __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

2_2_00464189

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8020

Source: C:\Users\user\Desktop\BPD-003777.exe

File created: C:\Users\user\AppData\Local\Temp\antiprimer

Jump to behavior

Source: C:\Users\user\Desktop\BPD-003777.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BPD-003777.exe

ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\BPD-003777.exe "C:\Users\user\Desktop\BPD-003777.exe"
Source: C:\Users\user\Desktop\BPD-003777.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BPD-003777.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 560
Source: C:\Users\user\Desktop\BPD-003777.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BPD-003777.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: BPD-003777.exe

Static file information: File size 2051584 > 1048576

Source: BPD-003777.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x197e00

Source:	Binary string: wntdll.pdbUGP source: BPD-003777.exe, 00000000.00000003.1342605000.0000000004330000.00000004.00001000.00020000.00000000.sdmp, BPD-003777.exe, 00000000.00000003.1342161692.0000000004330000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BPD-003777.exe, 00000000.00000003.1342605000.0000000004330000.00000004.00001000.00020000.00000000.sdmp, BPD-003777.exe, 00000000.00000003.1342161692.0000000004330000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\BPD-003777.exe

Code function: 0_2_00ABC910 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00ABC910

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00400686 push es; ret	2_2_0040068D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00400B42 push es; ret	2_2_00400B49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00428B85 push ecx; ret	2_2_00428B98

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_00404A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		2_2_004855FD

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004233C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_004233C7

Source: C:\Users\user\Desktop\BPD-003777.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BPD-003777.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\BPD-003777.exe

API/Special instruction interceptor: Address: 3B41E8C

Source: C:\Windows\SysWOW64\svchost.exe

API coverage: 1.6 %

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00464696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00464696
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046C93C FindFirstFileW,FindClose,	2_2_0046C93C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0046C9C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046F200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0046F35D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0046F65E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00463A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00463A2B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00463D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00463D4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0046BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0046BF27

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00404AFE

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\BPD-003777.exe	API call chain: ExitProcess graph end node			graph_0-780
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node			graph_2-97648

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004741FD BlockInput,

2_2_004741FD

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00403B4C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00435CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

2_2_00435CCC

Source: C:\Users\user\Desktop\BPD-003777.exe

Code function: 0_2_00ABC910 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00ABC910

Source: C:\Users\user\Desktop\BPD-003777.exe	Code function: 0_2_03B420F8 mov eax, dword ptr fs:[00000030h]	0_2_03B420F8
Source: C:\Users\user\Desktop\BPD-003777.exe	Code function: 0_2_03B40AD8 mov eax, dword ptr fs:[00000030h]	0_2_03B40AD8
Source: C:\Users\user\Desktop\BPD-003777.exe	Code function: 0_2_03B42158 mov eax, dword ptr fs:[00000030h]	0_2_03B42158

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_004581F7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042A364 SetUnhandledExceptionFilter,		2_2_0042A364
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_0042A395

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\BPD-003777.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\BPD-003777.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\BPD-003777.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 317B008

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00458C93 LogonUserW,

2_2_00458C93

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00403B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00403B4C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00404A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

2_2_00404A35

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00464EC9 mouse_event,

2_2_00464EC9

Source: C:\Users\user\Desktop\BPD-003777.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BPD-003777.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

2_2_004581F7

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00464C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_00464C03

Source: BPD-003777.exe, 00000000.00000002.1350657292.0000000000902000.00000040.00000001.01000000.00000003.sdmp, svchost.exe, 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: svchost.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0042886B cpuid

2_2_0042886B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_004350D7

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00442230 GetUserNameW,

2_2_00442230

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0043418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_0043418A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00404AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00404AFE

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: svchost.exe	Binary or memory string: WIN_81
Source: svchost.exe	Binary or memory string: WIN_XP
Source: BPD-003777.exe, 00000000.00000002.1350657292.0000000000902000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: svchost.exe	Binary or memory string: WIN_XPe
Source: svchost.exe	Binary or memory string: WIN_VISTA
Source: svchost.exe	Binary or memory string: WIN_7
Source: svchost.exe	Binary or memory string: WIN_8
Source: svchost.exe, 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00476596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		2_2_00476596
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00476A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		2_2_00476A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	115 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
BPD-003777.exe	62%	ReversingLabs	Win32.Trojan.AutoitInject
BPD-003777.exe	100%	Avira	DR/AutoIt.Gen8
BPD-003777.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
241.42.69.40.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586799
Start date and time:	2025-01-09 16:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BPD-003777.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@4/6@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 13.107.246.45, 20.190.160.17, 4.175.87.197, 40.69.42.241, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: BPD-003777.exe

Simulations

Behavior and APIs

Time	Type	Description
10:35:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	new.bat	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://bryf.atchirlisc.ru/EeMAGvIe/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	13.107.246.45
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	VmjvNTbD5J.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	13.107.246.45
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	13.107.246.45
	EMfRi659Ir.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://laserglow-technologies-industrial-48815730.hubspotpagebuilder.com/laserglow	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	colleague[1].htm	Get hash	malicious	Unknown	Browse	13.107.246.45

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_844ef0ef7d12d9f9e010b6a014ea0d32eb0d68_cabfc704_e8ae02c3-9242-4643-b89c-6fc14e65c71a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8635191137573476
Encrypted:	false
SSDEEP:	192:extH0m9jI0GdsKgjeGGzuiFcXZ24IO8KR:MV0m9GdsKgjGzuiFcXY4IO8KR
MD5:	CE1EC3AD2FEDBF05F34C9805E7BE88F7
SHA1:	CBE883AE319521CB22EC2446D78942A414744EF6
SHA-256:	53BE98072AB9E9169100E8BF4413782740F10B65C1EAC2678DA7A42F3A145075
SHA-512:	3648E9DB2FD1DD2052580DC986C1F3C7C382077B55912544477D52692232CE6F2711F785472A4C9289E975FE4121D3683E991117E5CEEAAEF5F42183BE12B48F
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.1.0.4.9.8.0.5.2.1.5.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.1.0.4.9.8.6.9.2.7.7.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.a.e.0.2.c.3.-.9.2.4.2.-.4.6.4.3.-.b.8.9.c.-.6.f.c.1.4.e.6.5.c.7.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.f.0.2.f.2.d.-.0.6.c.8.-.4.5.c.3.-.b.1.8.6.-.d.7.a.a.d.a.c.a.0.3.7.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.5.4.-.0.0.0.1.-.0.0.1.4.-.6.d.7.d.-.0.0.0.9.a.c.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.3.1.9.6.f.4.5.b.2.6.9.a.6.1.4.a.3.9.2.6.e.f.c.0.3.2.f.c.9.d.7.5.0.1.7.f.2.7.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C36.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jan 9 15:34:58 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	234822
Entropy (8bit):	0.7214848529998819
Encrypted:	false
SSDEEP:	192:CklXUVIE6f/6gOYi07FG7S5YG3JYT/EicQZxtLTioR19/D+R07Dzw6L:nlXUVAq3707FGe6GqoicQZxtyoR1w1I
MD5:	4E3020DCE5BD8AB2D9754D5639385953
SHA1:	135A1A8DBDE0C5ECB47F98FE5B821F9DCAA014EE
SHA-256:	1AFBB04405B874094F83959FE380B295D138F656EBAA1FF596C69518DDC5EAB8
SHA-512:	180412AA5D58383C4AF6D7F9F42BC12D8838C3D6BC42E7309724C1C889E56C06A3BDCE1DAFF15E8BE3E4BAE09D09056873B521A9EB264C2D4C9406B0682D4A1C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................4................(..........T.......8...........T...........@...........................................................................................................eJ......T.......GenuineIntel............T.......T......g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DDD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.6926179712789917
Encrypted:	false
SSDEEP:	192:R6l7wVeJNf6Ifyw6YCe6Angmfp7VBwQ2pDB89bZqsfizm:R6lXJF6Ifyw6Yb6AngmfppSQFZJff
MD5:	48CB6F6A8DEB5EBAC9A1A37DB65FC1EB
SHA1:	FCC6BFB4A0EA5945259536B997E88A7B093C74AC
SHA-256:	2F516DD7ACC79F2403EC7F31138D4EFDE8F8B5E630BEC461B7008F923AA8E00F
SHA-512:	72CD9F8AAF7F158E565DA9A74467E382CBD273C86CAFFCE09EAEE53636A8CB520AAD9D62A0FD89ACA63763391A38ADF225A880FA5BDACB89CB35CC2275B30EA5
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DFD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4652
Entropy (8bit):	4.453314062286373
Encrypted:	false
SSDEEP:	48:cvIwWl8zsRJg77aI9k/WpW8VYVYm8M4JCPZFCI+q8jIBDbBd:uIjfjI7Gu7VpJCeIvDbBd
MD5:	C0D63C1F06A427ABA870F95CE3239C12
SHA1:	7D7A51D2FB9F4936E03844C7330160C3A92631C6
SHA-256:	943C1E05B02FE9BEDD5A255E7ED58BF676862FB18DCE2055F042B9099C042906
SHA-512:	E73558FA26D44080A7B266604EE9EC38CD21437767E0FA1A5D85BD3C570356EA7EFA2B25A54B738D03246C80361C9294B53A4485BB00FCDA47DA1CA27692B55F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668557" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\antiprimer

Download File

Process:	C:\Users\user\Desktop\BPD-003777.exe
File Type:	data
Category:	dropped
Size (bytes):	732160
Entropy (8bit):	7.985726078033352
Encrypted:	false
SSDEEP:	12288:Q64o9a/bCDU6kx8Z32Um6oIrJYUunZ1ciWERYZ1WdTrT1Wp7GmGziA:qo9gCDUDxIy6t8Z1b54WtVvzn
MD5:	7658B6D4A23472C4EB434A93B5AF40CB
SHA1:	3B0BE0234C66E6E2B353D2BB38C5657F30E57719
SHA-256:	AC266BCAC9F07D9977535C1E733E304B71404956F023DD0A9917D17E4644ADD4
SHA-512:	9ECE4F48BC0C9CACF396D7A757FE1DE0E735FB725836440FAEDDCD9D94E17D7706CE9AEBBB2DDCE320E4332D84FEA6DEE6F6D2308F1605879F5F177228EED094
Malicious:	false
Reputation:	low
Preview:	...7H1FTCVVC..HC.K1FTGVV.HXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTWWVCFG.M7.8.u.W..i. DkA4; $7.h;)-Y$Ef6"v$6&x!-..~.t92&fUEI.K1FTGVVU;...%...F...Q..\..aT....x..Z...qe.&D....T..Y...K.$Z...]4..F...)'.?Q.cT..$F....U.I#....u..J..h....U...Z3..%...e..Q...T#cT..VVCHXHC7K1FTGVVC..HC{J2F..81CHXHC7K1.TeW]BDXH32K1.QGV.NH..P7K.KTG6ECHX.C7[1FTEVVFHYHC7K1CTFVVCHXHs.K1VTGVVCHZH..K1.TGFVCHX.C7[1FTGVVSHXHC7K1FTGV.]QXlG7K1&GG..FHXHC7K1FTGVVCHXHCOi(FXGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7/cUT.VVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCH....K1FTG.[CHHHC7K1FTCVVCHXHC7K1FTGV.CH...oz1FTGV&FHX.N7KUCTGRVCHXHC7K1FTGVV.HX.mE8C%TGVV.MXH#$K1.QGV>FHXHC7K1FTGVVC.XH.7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVCHXHC7K1FTGVVC{vqr7.a.uJ_^I

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394581024402417
Encrypted:	false
SSDEEP:	6144:Xl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAhOBSqa:V4vF0MYQUMM6VFYShU
MD5:	E0720B671CE369F5235828D0C4968FE8
SHA1:	B53FE891C0F8B07B531E5F8A8710DE63A0C17A20
SHA-256:	1C920DDA96F4A42DEDDB1233F62E9F17EBC50725319D4CD075598C77384A6466
SHA-512:	4A57A46EBC49CC2EC09D3D371279795EECE394FFC1F56990E3D54BF5F539F90A601DA2DCBDD7AAE5843701CB34141DB324674448F9DE24963A8EB332848B44F0
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.>...b...............................................................................................................................................................................................................................................................................................................................................V.=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9915388146284005
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	BPD-003777.exe
File size:	2'051'584 bytes
MD5:	7957ec69d6c945909bc6c0ddb559ea4d
SHA1:	726a35777c75091a453e4f97b0240f0154479e89
SHA256:	dd4adfb0f1f95de3dedd0c8b827da2da21d852248118ff51fa66d989377ab9b1
SHA512:	03cde4581a7cf5c3c54593e95126ef63e792010b063efc4a0c96e3268680ee216eedec7244ee38bf3a7663ce26c547ecf71b57caa47443043826d0d1c9ac6848
SSDEEP:	49152:E/mU/ohubcvSWMmPWmtuTOlGqOe8dW9aNJje1:E+S9bgFMUW2lGBgIV
TLSH:	669533B2BEC5D52DF47716BAA03D1C6140D12371EF28777A8710F7AC2E31722A48A796
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x67c910
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677EF7A5 [Wed Jan 8 22:09:41 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 00620000h
lea edi, dword ptr [esi-0021F000h]
push edi
jmp 00007F23A4E6BE6Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F23A4E6BE4Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F23A4E6BE6Dh
jne 00007F23A4E6BE8Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F23A4E6BE81h
dec eax
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F23A4E6BE36h
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F23A4E6BEB4h
xor ecx, ecx
sub eax, 03h
jc 00007F23A4E6BE73h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F23A4E6BED7h
sar eax, 1
mov ebp, eax
jmp 00007F23A4E6BE6Dh
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F23A4E6BE2Eh
inc ecx
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F23A4E6BE20h
add ebx, ebx
jne 00007F23A4E6BE69h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F23A4E6BE51h
jne 00007F23A4E6BE6Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F23A4E6BE46h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F23A4E6BE70h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x414880	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27d000	0x197880	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x414ca4	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x27caf4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x27cb14	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x21f000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x220000	0x5d000	0x5cc00	288f7d5b39a1c520ee61af8f97905958	False	0.9872836295485176	data	7.9366650553648075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27d000	0x198000	0x197e00	d9359c0e16c3d15f63caba5519c8584a	False	0.9877221881703954	data	7.993854564366474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27d5ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x27d6d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x27d804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x27d930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x27dc1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x27dd48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x27ebf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x27f4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x27fa0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x281fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x283064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	empty	English	Great Britain	0
RT_STRING	0xda4f0	0x594	empty	English	Great Britain	0
RT_STRING	0xdaa84	0x68a	empty	English	Great Britain	0
RT_STRING	0xdb110	0x490	empty	English	Great Britain	0
RT_STRING	0xdb5a0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xdbb9c	0x65c	empty	English	Great Britain	0
RT_STRING	0xdc1f8	0x466	empty	English	Great Britain	0
RT_STRING	0xdc660	0x158	empty	English	Great Britain	0
RT_RCDATA	0x2834d0	0x190e18	data			1.0003108978271484
RT_GROUP_ICON	0x4142ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x414368	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x414380	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x414398	0x14	data	English	Great Britain	1.25
RT_VERSION	0x4143b0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x414490	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:35:26.838901043 CET	61093	53	192.168.2.9	162.159.36.2
Jan 9, 2025 16:35:26.843835115 CET	53	61093	162.159.36.2	192.168.2.9
Jan 9, 2025 16:35:26.843976974 CET	61093	53	192.168.2.9	162.159.36.2
Jan 9, 2025 16:35:26.848843098 CET	53	61093	162.159.36.2	192.168.2.9
Jan 9, 2025 16:35:27.297312021 CET	61093	53	192.168.2.9	162.159.36.2
Jan 9, 2025 16:35:27.302191019 CET	53	61093	162.159.36.2	192.168.2.9
Jan 9, 2025 16:35:27.302243948 CET	61093	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:35:26.838255882 CET	53	63909	162.159.36.2	192.168.2.9
Jan 9, 2025 16:35:27.306386948 CET	59460	53	192.168.2.9	1.1.1.1
Jan 9, 2025 16:35:27.313615084 CET	53	59460	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 16:35:27.306386948 CET	192.168.2.9	1.1.1.1	0x5b28	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 16:34:53.176692009 CET	1.1.1.1	192.168.2.9	0x66eb	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 16:34:53.176692009 CET	1.1.1.1	192.168.2.9	0x66eb	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:35:27.313615084 CET	1.1.1.1	192.168.2.9	0x5b28	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	10:34:55
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\BPD-003777.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BPD-003777.exe"
Imagebase:	0x840000
File size:	2'051'584 bytes
MD5 hash:	7957EC69D6C945909BC6C0DDB559EA4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:34:56
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BPD-003777.exe"
Imagebase:	0x400000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:34:57
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8020 -s 560
Imagebase:	0xa90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	47.7%
Dynamic/Decrypted Code Coverage:	92.6%
Signature Coverage:	12%
Total number of Nodes:	108
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00ABC910 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00ABCA4A
GetProcAddress.KERNEL32(?,00AB5FF9), ref: 00ABCA68
ExitProcess.KERNEL32(?,00AB5FF9), ref: 00ABCA79
VirtualProtect.KERNELBASE(00840000,00001000,00000004,?,00000000), ref: 00ABCAC7
VirtualProtect.KERNELBASE(00840000,00001000), ref: 00ABCADC

Memory Dump Source

Source File: 00000000.00000002.1350961377.0000000000ABC000.00000080.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000000.00000002.1350505392.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350657292.0000000000841000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350657292.0000000000902000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350657292.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350657292.000000000091A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350657292.0000000000AB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1350981553.0000000000ABD000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_840000_BPD-003777.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 7ea4f8353d8ce43f34a49e345eb156afe241d9b57b78feb43bad1090e94fd786
Instruction ID: 6c9800540d750ae1cb71481d2998262818ffec14454e6f9927efccbf3b089607
Opcode Fuzzy Hash: 7ea4f8353d8ce43f34a49e345eb156afe241d9b57b78feb43bad1090e94fd786
Instruction Fuzzy Hash: F951F7B2A443565BE7209FB8CCC0AE1BBA9EB51370728073DD5E6C73C7E7A4580587A4

Function 03B41248 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03B41319
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03B4153F

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: f3e23ae6042f1f5ee5eb0708111ad7187ccca6a3423ef1fddc1605b9a2005ebf
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 1DA11A74E00209EBDB14CFA8D894BEEB7B5FF48308F2481A9E515BB280D7759A80DF55

Function 03B41018 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03B40F08: Sleep.KERNELBASE(000001F4), ref: 03B40F19

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03B41136

Strings

XHC7K1FTGVVCH, xrefs: 03B41199, 03B4119C

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID: CreateFileSleep
String ID: XHC7K1FTGVVCH
API String ID: 2694422964-3315864293
Opcode ID: 5694ffe633bc40b001086397f3b023e0f4905c2e7df3462fa2169730f7619d68
Instruction ID: 0dd36d53baf037f1f858d92570baa66cfa1008901917491832070028bb4195e0
Opcode Fuzzy Hash: 5694ffe633bc40b001086397f3b023e0f4905c2e7df3462fa2169730f7619d68
Instruction Fuzzy Hash: DA519E75E04249EBEF11DBE4C854BEEBB79AF09304F0045A9E609BB2C0D7790B45CBA5

Function 03B3FF08 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03B406C3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03B40759
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03B4077B

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 56e3ea4f67c65637f97591018991d21d1569502de15278dc14b615530e705756
Instruction ID: 08ffe0612d8ad74b1f7b10ba211e5c907d82df1bd30513f0f0eb9aca450b422f
Opcode Fuzzy Hash: 56e3ea4f67c65637f97591018991d21d1569502de15278dc14b615530e705756
Instruction Fuzzy Hash: FC621B30A14258DBEB24DFA4C840BDEB376EF58304F1091A9D20DEB390E7799E85DB59

Function 03B3FF05 Relevance: 1.9, APIs: 1, Instructions: 400
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03B406C3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03B40759
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03B4077B

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 173a12e0826a8e6c4648f93c70ec1c3ee5be85605175e636ec777d1d2aec9320
Instruction ID: a42dbf23c25b74c24a340105744d4227fda0c24a05324890c05fc59fe3855cd1
Opcode Fuzzy Hash: 173a12e0826a8e6c4648f93c70ec1c3ee5be85605175e636ec777d1d2aec9320
Instruction Fuzzy Hash: 1012DF24E14658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A4E77A4F85CF5A

Function 03B40F08 Relevance: 1.3, APIs: 1, Instructions: 18
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000001F4), ref: 03B40F19

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ec9da44278f8ea14e5026e3f642639fdde8df4c153aec3bebd4dff3ba80cf4e0
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 66E0E67494520EDFDB00EFF8D5496DD7BB4EF04301F1001A1FD01D2280D6309D50DA62

Non-executed Functions

Function 03B42268 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ee6faf429aeca98ab11ce08c3ad69868a96f455b9a02d2a1140f400dbe3c95d5
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: B541C171D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB90

Function 03B420F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: f2ad0873c5eee751e84feb3b92930a5b8acd368ed3c35f29d73a5cfe166e9b3d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 23018874A00209EFCB44DF98C5909ADF7B5FB48214F2085D9E915A7341D730AE41EB84

Function 03B42158 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 467726ef6d68260e223eb30151e65f97c63b21a6cca97b1b15d8f4b7919cdd24
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: F8019678A00209EFCB44DF98C5909AEF7B5FB48314F2085E9E909AB341D730AE41EB84

Function 03B40AD8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1357593623.0000000003B3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 03B3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b3e000_BPD-003777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Analysis Process: svchost.exePID: 8020, Parent PID: 7968COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.7%
Total number of Nodes:	550
Total number of Limit Nodes:	41

Executed Functions

Function 00403B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
IsDebuggerPresent.KERNEL32 ref: 00403B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Part of subcall function 00410A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C26,004C62F8,?,?,?), ref: 00410ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B93F0,00000010), ref: 0043D4BC
SetCurrentDirectoryW.KERNEL32(?,004C62F8,?,?,?), ref: 0043D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B5D40,004C62F8,?,?,?), ref: 0043D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D581

Part of subcall function 00403A58: GetSysColorBrush.USER32(0000000F), ref: 00403A62
Part of subcall function 00403A58: LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
Part of subcall function 00403A58: LoadIconW.USER32(00000063), ref: 00403A88
Part of subcall function 00403A58: LoadIconW.USER32(000000A4), ref: 00403A9A
Part of subcall function 00403A58: LoadIconW.USER32(000000A2), ref: 00403AAC
Part of subcall function 00403A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
Part of subcall function 00403A58: RegisterClassExW.USER32(?), ref: 00403B28

Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A15
Part of subcall function 004039E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
Part of subcall function 004039E7: ShowWindow.USER32(00000000,?,?), ref: 00403A4A
Part of subcall function 004039E7: ShowWindow.USER32(00000000,?,?), ref: 00403A53

Part of subcall function 004043DB: _memset.LIBCMT ref: 00404401
Part of subcall function 004043DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004044A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0043D4B4
%I, xrefs: 00403C56
runas, xrefs: 0043D575

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%I
API String ID: 529118366-2806069697
Opcode ID: fb15b91749e5040af8005ee9a6d67726b0c4902e5aa9f3c93b987920ee535e65
Instruction ID: 0f2c37a458a75ddd4165d4490fb1e043a1c32b8e6bc4467291d23e22a2595f58
Opcode Fuzzy Hash: fb15b91749e5040af8005ee9a6d67726b0c4902e5aa9f3c93b987920ee535e65
Instruction Fuzzy Hash: F351B575D08248AADB11AFB5DC05EEE7B78AB45304B1081BFF811B21E1DA7C5645CB2E

Function 00404AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00404B2B

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404BF8
IsWow64Process.KERNEL32(00000000), ref: 00404BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00404C45
FreeLibrary.KERNEL32(00000000), ref: 00404C50
GetSystemInfo.KERNEL32(00000000), ref: 00404C81
GetSystemInfo.KERNEL32(00000000), ref: 00404C8D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 410c06889228b35311a14d44faca9b7780195574a7a817a459ccd777cfc8b322
Instruction ID: a2a37668ba8dc9db7c0339275d8cd71390b5c234514a477f546c7b3e3bed8d02
Opcode Fuzzy Hash: 410c06889228b35311a14d44faca9b7780195574a7a817a459ccd777cfc8b322
Instruction Fuzzy Hash: D591C17194A7C0DAC731CB6894511ABBFE4AF6A300F44496FD1CAA3B41D238F908D72E

Function 004071EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C62F8,?,004037C0,?), ref: 00404882

Part of subcall function 0042074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004072C5), ref: 00420771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00407308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043ED32
RegCloseKey.ADVAPI32(?), ref: 0043ED70
_wcscat.LIBCMT ref: 0043EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 004072FE
\, xrefs: 0043EDEC
\Include\, xrefs: 004072C5
Include, xrefs: 0043ECE8, 0043ED29

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 118cb3ff050fbbb02c10eb19e7119e6ea6e2689824d79bbb51778997a341d715
Instruction ID: db50671f6cb5d1f91e5104dddd6ecfd126d9dd3bac4640c277fe0078958ce1d5
Opcode Fuzzy Hash: 118cb3ff050fbbb02c10eb19e7119e6ea6e2689824d79bbb51778997a341d715
Instruction Fuzzy Hash: 1F7169715093019BC314EF26E88195BBBE8FF98344F40487FF445932A1EB74A948CF6A

Function 00403778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bL, xrefs: 0043D44E
CMDLINERAW, xrefs: 0040380D
/AutoIt3ExecuteScript, xrefs: 004038CE
/ErrorStdOut, xrefs: 0040388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004037C0
/AutoIt3OutputDebug, xrefs: 004038A4
/AutoIt3ExecuteLine, xrefs: 004038B9
CMDLINE, xrefs: 00403834

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bL
API String ID: 1825951767-904922308
Opcode ID: 3274081ca50627d5954d4c5d897f3c78523cdb8199693c06bfbb4427cfd54e5f
Instruction ID: 19e95f69b08b63b79e3d7ab90ba78c5cdf699b16ea651e38bdcbe293d35e51ee
Opcode Fuzzy Hash: 3274081ca50627d5954d4c5d897f3c78523cdb8199693c06bfbb4427cfd54e5f
Instruction Fuzzy Hash: BFA129729102299ACB04EFA1DC91AEEBB78BF14305F50453FE412B61D1DB786A09CB69

Function 0040F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004203A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
Part of subcall function 004203A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
Part of subcall function 004203A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401

Part of subcall function 00416259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 004162B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040FB2D
OleInitialize.OLE32(00000000), ref: 0040FBAA
CloseHandle.KERNEL32(00000000), ref: 004449F2

Strings

<gL, xrefs: 0040FA90
%I, xrefs: 0040F8F6, 0040F908, 0040FACE, 0040FBB1
\dL, xrefs: 0040F957
cL, xrefs: 0040F94B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: <gL$\dL$%I$cL
API String ID: 3094916012-4247061687
Opcode ID: 3df32f6e216cb04e6d0986a452832e9027be751ec7911b342b551a7c3bb4d407
Instruction ID: 1cfffd179986f18d43a6ac5aa0dacd7918427e6922d3cb84a31c4b765cbc4a66
Opcode Fuzzy Hash: 3df32f6e216cb04e6d0986a452832e9027be751ec7911b342b551a7c3bb4d407
Instruction Fuzzy Hash: 5B8198B49012909EC7C8EF2AE954E557BE5EB88308312C93FD819C7272EB399409CF5D

Function 00535080 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 005351BA
GetProcAddress.KERNEL32(?,0052EFF9), ref: 005351D8
ExitProcess.KERNEL32(?,0052EFF9), ref: 005351E9
VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,00000000), ref: 00535237
VirtualProtect.KERNELBASE(00400000,00001000), ref: 0053524C

Memory Dump Source

Source File: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 2e99be400e81e7d7ce064433109ce87d8c845843e3a85926cd9284e4f7e24267
Instruction ID: abd17a31cb5b074a5e5fe2aacbfd84a94d6f63cdd5e9c85803762a453274a3f6
Opcode Fuzzy Hash: 2e99be400e81e7d7ce064433109ce87d8c845843e3a85926cd9284e4f7e24267
Instruction Fuzzy Hash: FA513972A50B524BD7258AB8CCC4761BFA0FB41320F281B39C5E1CB3C6F7A5580AC7A0

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNELBASE(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Function 0040492E Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

74BFC8D0.UXTHEME ref: 00404992

Part of subcall function 004235AC: __lock.LIBCMT ref: 004235B2
Part of subcall function 004235AC: RtlDecodePointer.NTDLL(00000001), ref: 004235BE
Part of subcall function 004235AC: RtlEncodePointer.NTDLL(?), ref: 004235C9

Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404A73
Part of subcall function 00404A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404A88

Part of subcall function 00403B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B7A
Part of subcall function 00403B4C: IsDebuggerPresent.KERNEL32 ref: 00403B8C
Part of subcall function 00403B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C62F8,004C62E0,?,?), ref: 00403BFD
Part of subcall function 00403B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 004049D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: f0fdbb26218a1bb658e004d1011d9ada979b51ee7de53ddc263ff604cc63f85f
Instruction ID: 4f3c985aaa7260ea6862a91c50e24ca429db6960d63ed6b712eae347e098ba5b
Opcode Fuzzy Hash: f0fdbb26218a1bb658e004d1011d9ada979b51ee7de53ddc263ff604cc63f85f
Instruction Fuzzy Hash: FA116D716043119BC300EF29E80591AFBF8EB94714F00853FF545932A2DB749945CB9E

Function 00404864 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C62F8,?,004037C0,?), ref: 00404882

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Name$FileFullModulePath_memmove
String ID:
API String ID: 283706267-0
Opcode ID: ae7cc900b0c0809750238d9364d7d9d5a782e683a74abfc077f60a06760c3ed8
Instruction ID: ca31e2ca954b17ab837b8811fe387d2778c4751d05da871ede307af1dad6072a
Opcode Fuzzy Hash: ae7cc900b0c0809750238d9364d7d9d5a782e683a74abfc077f60a06760c3ed8
Instruction Fuzzy Hash: 38E09231A0012D5BDB10E751DC42EFEB36CEF08704F0005BAB909A61D1EEB4BA84CB94

Non-executed Functions

Function 0048CDAC Relevance: 72.4, APIs: 37, Strings: 4, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0048CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CF00
SendMessageW.USER32 ref: 0048CF29
_wcsncpy.LIBCMT ref: 0048CFA1
GetKeyState.USER32(00000011), ref: 0048CFC2
GetKeyState.USER32(00000009), ref: 0048CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CFE5
GetKeyState.USER32(00000010), ref: 0048CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048D018
SendMessageW.USER32 ref: 0048D03F
SendMessageW.USER32(?,00001030,?,0048B602), ref: 0048D145
SetCapture.USER32(?), ref: 0048D177
ClientToScreen.USER32(?,?), ref: 0048D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048D203
ReleaseCapture.USER32 ref: 0048D20E
GetCursorPos.USER32(?), ref: 0048D248
ScreenToClient.USER32(?,?), ref: 0048D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D2B1
SendMessageW.USER32 ref: 0048D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D31C
SendMessageW.USER32 ref: 0048D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D37B
GetCursorPos.USER32(?), ref: 0048D39B
ScreenToClient.USER32(?,?), ref: 0048D3A8
GetParent.USER32(?), ref: 0048D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D431
SendMessageW.USER32 ref: 0048D462
ClientToScreen.USER32(?,?), ref: 0048D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D51A
SendMessageW.USER32 ref: 0048D53D
ClientToScreen.USER32(?,?), ref: 0048D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D5C3

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D65F

Strings

@U=u, xrefs: 0048CE91, 0048CF00, 0048CF29, 0048CFE5, 0048D018, 0048D03F, 0048D145, 0048D2B1, 0048D2DF, 0048D31C, 0048D34B, 0048D431, 0048D462, 0048D51A, 0048D53D
prL, xrefs: 0048D1BD
@GUI_DRAGID, xrefs: 0048D1AA
F, xrefs: 0048D543

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F$prL
API String ID: 302779176-2912933056
Opcode ID: 3c38f9f7deb35b1ba42d88147c88aff7388f468bad2c647939190f87493470b1
Instruction ID: 229d4578051541fcfaeada0f8769b60f9343d3431cda2b16350b0a1bbbc6a0ce
Opcode Fuzzy Hash: 3c38f9f7deb35b1ba42d88147c88aff7388f468bad2c647939190f87493470b1
Instruction Fuzzy Hash: 6842BD30605240AFD720EF28C888F6EBBE5FF48314F144A2EF655972A1D7359845CBAA

Function 00404A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00404A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043DA8E
IsIconic.USER32(?), ref: 0043DA97
ShowWindow.USER32(?,00000009), ref: 0043DAA4
SetForegroundWindow.USER32(?), ref: 0043DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043DAC4
GetCurrentThreadId.KERNEL32 ref: 0043DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043DAF8
SetForegroundWindow.USER32(?), ref: 0043DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB10
keybd_event.USER32(00000012,00000000), ref: 0043DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB25
keybd_event.USER32(00000012,00000000), ref: 0043DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB33
keybd_event.USER32(00000012,00000000), ref: 0043DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043DB42
keybd_event.USER32(00000012,00000000), ref: 0043DB47
SetForegroundWindow.USER32(?), ref: 0043DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0043DB71

Strings

Shell_TrayWnd, xrefs: 0043DA89

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f79b4016a452e3713d3f296b67be0db1888c659ea2cd4af33083302438d8d314
Instruction ID: e7c85a06078abd95958a76b560472cb4de1ee0cbe7850f23b5b82bf1a514fd8d
Opcode Fuzzy Hash: f79b4016a452e3713d3f296b67be0db1888c659ea2cd4af33083302438d8d314
Instruction Fuzzy Hash: 5A31A571E40318BBEB206F619C49F7F7E6CEB48B50F11403AFA00E61D1D6B45D11ABA9

Function 0047425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0048F910), ref: 00474284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00474292
GetClipboardData.USER32(0000000D), ref: 0047429A
CloseClipboard.USER32 ref: 004742A6
GlobalLock.KERNEL32(00000000), ref: 004742C2
CloseClipboard.USER32 ref: 004742CC
GlobalUnlock.KERNEL32(00000000), ref: 004742E1
IsClipboardFormatAvailable.USER32(00000001), ref: 004742EE
GetClipboardData.USER32(00000001), ref: 004742F6
GlobalLock.KERNEL32(00000000), ref: 00474303
GlobalUnlock.KERNEL32(00000000), ref: 00474337
CloseClipboard.USER32 ref: 00474447

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 594e55f249b8f2fb10bdda82559ca4c04e0019e68ec9a0b5cb36cebe0042eeaf
Instruction ID: 082334e5e034a6364df9055b72bce31f15e3661d5fbc7ec5f34bc60242ce87dd
Opcode Fuzzy Hash: 594e55f249b8f2fb10bdda82559ca4c04e0019e68ec9a0b5cb36cebe0042eeaf
Instruction Fuzzy Hash: F451A331204201ABD311AF65DC85FBF77A8AF84B04F10493EF559E21E2DB78D9098B6A

Function 00458858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00458CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00458D0D
Part of subcall function 00458CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458D3A
Part of subcall function 00458CC3: GetLastError.KERNEL32 ref: 00458D47

_memset.LIBCMT ref: 0045889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004588ED
CloseHandle.KERNEL32(?), ref: 004588FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00458915
GetProcessWindowStation.USER32 ref: 0045892E
SetProcessWindowStation.USER32(00000000), ref: 00458938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00458952

Part of subcall function 00458713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458851), ref: 00458728
Part of subcall function 00458713: CloseHandle.KERNEL32(?,?,00458851), ref: 0045873A

Strings

, xrefs: 004588AA
winsta0, xrefs: 00458910
default, xrefs: 0045894D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 7b372a644be77f3f5313eb40cabb9a66cdceb54fd3a95a3fdea66fc4a7f3adc6
Instruction ID: ae404ca8ccb8fb5f7dd2bd2e3b65d1cf0b905714558ed317be623f38cd8f3382
Opcode Fuzzy Hash: 7b372a644be77f3f5313eb40cabb9a66cdceb54fd3a95a3fdea66fc4a7f3adc6
Instruction Fuzzy Hash: FE813971900209AFDF11DFA4DC45AAE7BB8AF04305F18456EFD10B6262DF398E199B68

Function 0046C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C9F8
FindClose.KERNEL32(00000000), ref: 0046CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0046CAAF
__swprintf.LIBCMT ref: 0046CAFB
__swprintf.LIBCMT ref: 0046CB3E

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

__swprintf.LIBCMT ref: 0046CB92

Part of subcall function 004238D8: __woutput_l.LIBCMT ref: 00423931

__swprintf.LIBCMT ref: 0046CBE0

Part of subcall function 004238D8: __flsbuf.LIBCMT ref: 00423953
Part of subcall function 004238D8: __flsbuf.LIBCMT ref: 0042396B

__swprintf.LIBCMT ref: 0046CC2F
__swprintf.LIBCMT ref: 0046CC7E
__swprintf.LIBCMT ref: 0046CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0046CAF5
%4d, xrefs: 0046CB38
%02d, xrefs: 0046CB86, 0046CB90, 0046CBDE, 0046CC2D, 0046CC7C, 0046CCCB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 94528ca72ba5876c231d639e2f66dcaf58c2821765a120ea890e53caa6ddf915
Instruction ID: d2fb6e3d745381a8f06c977d24fbab6bbb709d84a093e08bb2767dfa648d5eca
Opcode Fuzzy Hash: 94528ca72ba5876c231d639e2f66dcaf58c2821765a120ea890e53caa6ddf915
Instruction Fuzzy Hash: C8A130B1508305ABC704EF65C885DAFB7ECEF94704F40492EF585D6192EA38EE48CB66

Function 0048C8EE Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C917

Part of subcall function 0048ADF1: ClientToScreen.USER32(?,?), ref: 0048AE1A
Part of subcall function 0048ADF1: GetWindowRect.USER32(?,?), ref: 0048AE90
Part of subcall function 0048ADF1: PtInRect.USER32(?,?,0048C304), ref: 0048AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C9AE
_wcscat.LIBCMT ref: 0048C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0048CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0048CA47
DragFinish.SHELL32(?), ref: 0048CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0048CB41

Strings

@GUI_DROPID, xrefs: 0048CA6E
@U=u, xrefs: 0048C980, 0048C9F5, 0048CA0E, 0048CA25, 0048CA47
prL, xrefs: 0048CA8B
@GUI_DRAGID, xrefs: 0048CAB9
@GUI_DRAGFILE, xrefs: 0048CAF0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$prL
API String ID: 2166380349-642820110
Opcode ID: ec0462c3765f23257754e6840fd532b7aed0d59163fea492d58b583ba902896c
Instruction ID: 9d54b60ae23129ec17e3264f3c4c669362dbaaf1ee08fbcc713ae4d442fb7e93
Opcode Fuzzy Hash: ec0462c3765f23257754e6840fd532b7aed0d59163fea492d58b583ba902896c
Instruction Fuzzy Hash: B6617F71108301AFC701EF65DC85D9FBBF8EF88714F500A2EF591A21A1DB749A49CB6A

Function 0046F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0046F221
_wcscmp.LIBCMT ref: 0046F236
_wcscmp.LIBCMT ref: 0046F24D
GetFileAttributesW.KERNEL32(?), ref: 0046F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0046F279
FindNextFileW.KERNEL32(00000000,?), ref: 0046F291
FindClose.KERNEL32(00000000), ref: 0046F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F2B8
_wcscmp.LIBCMT ref: 0046F2DF
_wcscmp.LIBCMT ref: 0046F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F308
SetCurrentDirectoryW.KERNEL32(004BA5A0), ref: 0046F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F330
FindClose.KERNEL32(00000000), ref: 0046F33D
FindClose.KERNEL32(00000000), ref: 0046F34F

Strings

*.*, xrefs: 0046F2B3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 58bcf13c288eddfd2e692422b01c0418072611c199188e78e98c6afa980456a9
Instruction ID: 0b5727808e6486dbc8ba1fd208fa3d2423740367e5f37dc41973d7f20295688a
Opcode Fuzzy Hash: 58bcf13c288eddfd2e692422b01c0418072611c199188e78e98c6afa980456a9
Instruction Fuzzy Hash: D231F7765012196ACF10DFB0EC58ADF73AC9F48360F5045BBE840D3290E739DA898B2D

Function 00480AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 00480C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480D1D
RegCloseKey.ADVAPI32(?), ref: 0048103D
RegCloseKey.ADVAPI32(00000000), ref: 0048104A

Strings

REG_BINARY, xrefs: 00480FD8
REG_DWORD, xrefs: 00480F0E
REG_EXPAND_SZ, xrefs: 00480CBA
REG_QWORD, xrefs: 00480F8B
REG_MULTI_SZ, xrefs: 00480E05
REG_SZ, xrefs: 00480D5B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b296bf9b2c7ac3a4e5f66719921f1ba7540c2931f11012d23180653fb027a640
Instruction ID: 28c6f411a619af197dfaf8748c0be50b5585ff8e0b7448e963b4b9ec0364d3ae
Opcode Fuzzy Hash: b296bf9b2c7ac3a4e5f66719921f1ba7540c2931f11012d23180653fb027a640
Instruction Fuzzy Hash: 80025E752106119FCB14EF19C841E2AB7E5FF89714F04886EF8899B3A2CB78ED45CB49

Function 0046F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0046F37E
_wcscmp.LIBCMT ref: 0046F393
_wcscmp.LIBCMT ref: 0046F3AA

Part of subcall function 004645C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004645DC

FindNextFileW.KERNEL32(00000000,?), ref: 0046F3D9
FindClose.KERNEL32(00000000), ref: 0046F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F400
_wcscmp.LIBCMT ref: 0046F427
_wcscmp.LIBCMT ref: 0046F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F450
SetCurrentDirectoryW.KERNEL32(004BA5A0), ref: 0046F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F478
FindClose.KERNEL32(00000000), ref: 0046F485
FindClose.KERNEL32(00000000), ref: 0046F497

Strings

*.*, xrefs: 0046F3FB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ec6b9d9e702f045fbfb62a8a4d4bf93f4726aadb3ab887182078068f471a89aa
Instruction ID: b075de1a3a6116e48bb9cf245284ec928ecdd711139cb2480e8db77f57688df7
Opcode Fuzzy Hash: ec6b9d9e702f045fbfb62a8a4d4bf93f4726aadb3ab887182078068f471a89aa
Instruction Fuzzy Hash: 7031C6716011196ACF10AF64FC84ADF77AC9F45364F60417BE890D22A0EB39DA89CB6D

Function 0048C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C4EC
GetFocus.USER32 ref: 0048C4FC
GetDlgCtrlID.USER32(00000000), ref: 0048C507
_memset.LIBCMT ref: 0048C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C65D
GetMenuItemCount.USER32(?), ref: 0048C67D
GetMenuItemID.USER32(?,00000000), ref: 0048C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0048C779

Strings

0, xrefs: 0048C62A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 14931414b7ae2173f0b59e802f225cc80c709f24ae6c7ca33f85dd0a64ddb95b
Instruction ID: 044de7e4dd35a86088de80346c1f5ac2e8e2e031d82544e17b68ab28cbecaa44
Opcode Fuzzy Hash: 14931414b7ae2173f0b59e802f225cc80c709f24ae6c7ca33f85dd0a64ddb95b
Instruction Fuzzy Hash: A1818E70608311AFDB10EF15C984A6FBBE8FB88314F104D2EF995A3291D774D905CBAA

Function 004581F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00458766
Part of subcall function 0045874A: GetLastError.KERNEL32(?,0045822A,?,?,?), ref: 00458770
Part of subcall function 0045874A: GetProcessHeap.KERNEL32(00000008,?,?,0045822A,?,?,?), ref: 0045877F
Part of subcall function 0045874A: RtlAllocateHeap.NTDLL(00000000,?,0045822A), ref: 00458786
Part of subcall function 0045874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045879D

Part of subcall function 004587E7: GetProcessHeap.KERNEL32(00000008,00458240,00000000,00000000,?,00458240,?), ref: 004587F3
Part of subcall function 004587E7: RtlAllocateHeap.NTDLL(00000000,?,00458240), ref: 004587FA
Part of subcall function 004587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00458240,?), ref: 0045880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0045825B
_memset.LIBCMT ref: 00458270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0045828F
GetLengthSid.ADVAPI32(?), ref: 004582A0
GetAce.ADVAPI32(?,00000000,?), ref: 004582DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004582F9
GetLengthSid.ADVAPI32(?), ref: 00458316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00458325
RtlAllocateHeap.NTDLL(00000000), ref: 0045832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0045834D
CopySid.ADVAPI32(00000000), ref: 00458354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00458385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004583AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004583BF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 27d3b1d758ce327bd6ff960f42808705922d37cc0f2b3be1dedc4948f6e72ee5
Instruction ID: d5b260a28bbd50cd38a870094945b07d29d7a3b63504d6cb352bb9851184e42d
Opcode Fuzzy Hash: 27d3b1d758ce327bd6ff960f42808705922d37cc0f2b3be1dedc4948f6e72ee5
Instruction Fuzzy Hash: AE616C71900209AFDF00DFA1DC44AAEBBB9FF04705F14856EFC15A6292DF399A19CB64

Function 00403633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151timewindowregistryCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040375F

Strings

%I, xrefs: 0043D2D1, 0043D31F
TaskbarCreated, xrefs: 00403725

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%I
API String ID: 157504867-1195164674
Opcode ID: 106c8b21554998b053203f3281fdd2964e777a89a2ea72663e4281452c1a374d
Instruction ID: 10ee0b11622f1361c7ec63440bed57d6dff5d427fb300c744ab7812cb175661f
Opcode Fuzzy Hash: 106c8b21554998b053203f3281fdd2964e777a89a2ea72663e4281452c1a374d
Instruction Fuzzy Hash: 6A4117B11101057BDB646F68EC09F7A3A58E744302F10853FFA02A23E1CA7D9D45976E

Function 00480665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00480038,?,?), ref: 004810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480737

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004807D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0048086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480AAD
RegCloseKey.ADVAPI32(00000000), ref: 00480ABA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 785c66ace69bd2c8e6d4e9c2c1b318c2df728bad03be91e343e084cb3050f6f1
Instruction ID: f0685776b061da3febb4d5759a9ab82e159331f6864d6f996855a4051f4b1c00
Opcode Fuzzy Hash: 785c66ace69bd2c8e6d4e9c2c1b318c2df728bad03be91e343e084cb3050f6f1
Instruction Fuzzy Hash: 9CE16F71214210AFCB14EF29C881E6FBBE4EF89714B04886EF449D72A2DB34ED45CB55

Function 00460219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00460241
GetAsyncKeyState.USER32(000000A0), ref: 004602C2
GetKeyState.USER32(000000A0), ref: 004602DD
GetAsyncKeyState.USER32(000000A1), ref: 004602F7
GetKeyState.USER32(000000A1), ref: 0046030C
GetAsyncKeyState.USER32(00000011), ref: 00460324
GetKeyState.USER32(00000011), ref: 00460336
GetAsyncKeyState.USER32(00000012), ref: 0046034E
GetKeyState.USER32(00000012), ref: 00460360
GetAsyncKeyState.USER32(0000005B), ref: 00460378
GetKeyState.USER32(0000005B), ref: 0046038A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ce91828b2830721cd7fb8b4a1e78d29246c37408a82e61dcc3c1647f0e02a60d
Instruction ID: a21790649764f5473492f6fe8ccf9153751a7a7a640c343e9e208889fd979a5a
Opcode Fuzzy Hash: ce91828b2830721cd7fb8b4a1e78d29246c37408a82e61dcc3c1647f0e02a60d
Instruction Fuzzy Hash: B84188345047C96EFF319A6488183A7BEA0AF11345F08449FDDC6467C2F7985DC887AB

Function 0048D74C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetSystemMetrics.USER32(0000000F), ref: 0048D78A
GetSystemMetrics.USER32(0000000F), ref: 0048D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048DA24
ShowWindow.USER32(00000003,00000000), ref: 0048DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0048DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0048DA8B

Strings

@U=u, xrefs: 0048DA03, 0048DA24

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID: @U=u
API String ID: 830902736-2594219639
Opcode ID: 23451141e7aaf84fcc41105f243c9b29e3adcfe4fe01e34952ebf4c1a6f2d82c
Instruction ID: eb940e76658434b7ad8eeabe1703afeb33935e81992f953b53c46158808d9c3e
Opcode Fuzzy Hash: 23451141e7aaf84fcc41105f243c9b29e3adcfe4fe01e34952ebf4c1a6f2d82c
Instruction Fuzzy Hash: C9B19B71901215EBDF18EF68C9857BE7BB1FF48700F18847AEC48AB295D738A950CB58

Function 0048C27C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

ReleaseCapture.USER32 ref: 0048C2F0
SetWindowTextW.USER32(?,00000000), ref: 0048C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0048C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0048C48F

Strings

prL, xrefs: 0048C3FD
@GUI_DROPID, xrefs: 0048C3E1
@U=u, xrefs: 0048C3AD
@GUI_DRAGFILE, xrefs: 0048C424
prL, xrefs: 0048C438

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$prL$prL
API String ID: 973565025-2093473232
Opcode ID: 9562f7a23453e422bfff58ba4fbc7020cc6d9c1b64f56d664e174fb834cdc57e
Instruction ID: dc367e10a39d425f30cb391b84f58576d3d09b44280b1156dac04409bcc5156d
Opcode Fuzzy Hash: 9562f7a23453e422bfff58ba4fbc7020cc6d9c1b64f56d664e174fb834cdc57e
Instruction Fuzzy Hash: 7451A170204304AFD700EF24C895F6E77E5FB88314F00892EF555972E1DB78A948DB6A

Function 00464189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0046419D
__swprintf.LIBCMT ref: 004641AA

Part of subcall function 004238D8: __woutput_l.LIBCMT ref: 00423931

FindResourceW.KERNEL32(?,?,0000000E), ref: 004641D4
LoadResource.KERNEL32(?,00000000), ref: 004641E0
LockResource.KERNEL32(00000000), ref: 004641ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0046420D
LoadResource.KERNEL32(?,00000000), ref: 0046421F
SizeofResource.KERNEL32(?,00000000), ref: 0046422E
LockResource.KERNEL32(?), ref: 0046423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 0046429B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 617cfa106917f647481d604454f566daa8b487215408bcc40d4d77f46b5c81fb
Instruction ID: 68d0d4707ff35a66c4c8b16f9f52eea423942b7f780b82ff2ca14d9b92ff7368
Opcode Fuzzy Hash: 617cfa106917f647481d604454f566daa8b487215408bcc40d4d77f46b5c81fb
Instruction Fuzzy Hash: DE31B2B160121AAFCF019F60EC58EBF7BACEF45341F10497AF801D2150E738D9618BAA

Function 00474458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047447F
EmptyClipboard.USER32 ref: 00474485
GlobalAlloc.KERNEL32(00000002,?), ref: 0047449A
CloseClipboard.USER32 ref: 00474539

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 92b3f1e62438dc7ffcc85fda8050e8ed33eaeb0d782a753d95e12b88d80d85a1
Instruction ID: 690fdb2393ba8c455721d93383ebf00db8ed132600f70b1972c2202a928a4a2e
Opcode Fuzzy Hash: 92b3f1e62438dc7ffcc85fda8050e8ed33eaeb0d782a753d95e12b88d80d85a1
Instruction Fuzzy Hash: D3216F35300210AFDB10AF65EC09B6E77A8EF44715F10846AF90AE72A2DB79AD05CB5D

Function 00463A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

Part of subcall function 00464CD3: GetFileAttributesW.KERNEL32(?,00463947), ref: 00464CD4

FindFirstFileW.KERNEL32(?,?), ref: 00463ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00463B87
MoveFileW.KERNEL32(?,?), ref: 00463B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00463BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00463BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00463BF5

Strings

\*.*, xrefs: 00463A8A, 00463A93, 00463AA8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 406ed7933e7b2fbde82e9b6f9d8268ee346425c05384211e0e36a27ede029b77
Instruction ID: a30d93a31dc78191619e65fc742f137fc1fb73af94d3b3548b22cf7447f1242d
Opcode Fuzzy Hash: 406ed7933e7b2fbde82e9b6f9d8268ee346425c05384211e0e36a27ede029b77
Instruction Fuzzy Hash: 7D5160318011489ACF05EFA1CD929EEB774AF14305F2441AEE44177192EF396F09CBAA

Function 0046F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F6AB
Sleep.KERNEL32(0000000A), ref: 0046F6DB
_wcscmp.LIBCMT ref: 0046F6EF
_wcscmp.LIBCMT ref: 0046F70A
FindNextFileW.KERNEL32(?,?), ref: 0046F7A8
FindClose.KERNEL32(00000000), ref: 0046F7BE

Strings

*.*, xrefs: 0046F690

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 86d7007cd6eac572d78f041cd6e6c1c48eec0687648dcf7b56268ebd2fe7ae93
Instruction ID: 4cb3e628fd59122d35bce209c976cda9c2681000f87fc18f1c9b87d69f855452
Opcode Fuzzy Hash: 86d7007cd6eac572d78f041cd6e6c1c48eec0687648dcf7b56268ebd2fe7ae93
Instruction Fuzzy Hash: 7841927190020A9FCF10DF64DC45AEEBBB4FF05315F14456BE855A3290EB389E48CB99

Function 00463D4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

Part of subcall function 00464CD3: GetFileAttributesW.KERNEL32(?,00463947), ref: 00464CD4

FindFirstFileW.KERNEL32(?,?), ref: 00463DC5
DeleteFileW.KERNEL32(?,?,?,?), ref: 00463E15
FindNextFileW.KERNEL32(00000000,00000010), ref: 00463E26
FindClose.KERNEL32(00000000), ref: 00463E3D
FindClose.KERNEL32(00000000), ref: 00463E46

Strings

\*.*, xrefs: 00463D97

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a45b061812ec9c81c8612ceb58170ce40163974b6452172ae31fefa5028469fe
Instruction ID: 7de40cf6e8e0f2681217381ae83dc7d57f0b7a9f393b4fbcac1e0d166934b12f
Opcode Fuzzy Hash: a45b061812ec9c81c8612ceb58170ce40163974b6452172ae31fefa5028469fe
Instruction Fuzzy Hash: E23161314083859BC205EF64D8918AF77E8AE95305F444D2EF4D1921D1EB39AA09CBAB

Function 0046545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00458CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00458D0D
Part of subcall function 00458CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458D3A
Part of subcall function 00458CC3: GetLastError.KERNEL32 ref: 00458D47

ExitWindowsEx.USER32(?,00000000), ref: 0046549B

Strings

SeShutdownPrivilege, xrefs: 0046546B
@, xrefs: 0046548E
, xrefs: 00465489

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 579dbc82c3cff657937c2cc6ad355f0a8cb18a3333d1a6a54e1d22e8bff13c30
Instruction ID: 2a911ff1966252bbcdf17bf9cb72554efa01d6bf79280483f84be4285ba15f08
Opcode Fuzzy Hash: 579dbc82c3cff657937c2cc6ad355f0a8cb18a3333d1a6a54e1d22e8bff13c30
Instruction Fuzzy Hash: E3014C71654A012AE7285774DC4ABBB7258EB04343F2406BBFC06D21C3FD5D0C84429F

Function 00476596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 004765EF
WSAGetLastError.WS2_32(00000000), ref: 004765FE
bind.WS2_32(00000000,?,00000010), ref: 0047661A
listen.WS2_32(00000000,00000005), ref: 00476629
WSAGetLastError.WS2_32(00000000), ref: 00476643
closesocket.WS2_32(00000000), ref: 00476657

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: aac7b1a6e461488d35280cc6e2b63497f567ac7a2cb6f5e78181c7989b7b377c
Instruction ID: e6b78beff1e5acf3df9dda2c3f3869440f41808fdec0f88b9f2d9ee8019ed42f
Opcode Fuzzy Hash: aac7b1a6e461488d35280cc6e2b63497f567ac7a2cb6f5e78181c7989b7b377c
Instruction Fuzzy Hash: B121D0306006009FDB10EF24C849B6EB7AAEF44324F15856EE95AE73D2CB38AD05CB59

Function 00401287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 004019FA
GetSysColor.USER32(0000000F), ref: 00401A4E
SetBkColor.GDI32(?,00000000), ref: 00401A61

Part of subcall function 00401290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 004012D8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 0acfed8c104553ee0f031015a52969b3383a7e3804369e691b3daa623c5a7133
Instruction ID: 7331066d687c79144e479fa77cb5b53127ed0084e9ebbd02b0941197b1da37a7
Opcode Fuzzy Hash: 0acfed8c104553ee0f031015a52969b3383a7e3804369e691b3daa623c5a7133
Instruction Fuzzy Hash: D9A13670202444BAE639AA6A4C88E7F355CDB85345F14453FF502F62F2CA3C9D0296BE

Function 0046BF27 Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046BF51
_wcscmp.LIBCMT ref: 0046BF81
_wcscmp.LIBCMT ref: 0046BF96
FindNextFileW.KERNEL32(00000000,?), ref: 0046BFA7
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0046BFD7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 497f1adaa3ba5a5acf48135475b604c1fb8c5438382bec87f644fcea3ecea7d1
Instruction ID: 4da5a7c4c91cf2c46906761da39f519bbb4503288612d0db2ff60880db936199
Opcode Fuzzy Hash: 497f1adaa3ba5a5acf48135475b604c1fb8c5438382bec87f644fcea3ecea7d1
Instruction Fuzzy Hash: 9E519C35604602CFC718DF68D890EAAB3E4EF49314F10456EE956D73A1EB38AD05CB9A

Function 00476A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004780A0: inet_addr.WS2_32(00000000), ref: 004780CB

socket.WS2_32(00000002,00000002,00000011), ref: 00476AB1
WSAGetLastError.WS2_32(00000000), ref: 00476ADA
bind.WS2_32(00000000,?,00000010), ref: 00476B13
WSAGetLastError.WS2_32(00000000), ref: 00476B20
closesocket.WS2_32(00000000), ref: 00476B34

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 8ff4a25cdce3a3fd69f90685541766784d6adaa8d918900b62d8163675aec4b5
Instruction ID: ec8af1d64da596956c433e57632250cf5df23c9f0dad71f231007fc3493b681d
Opcode Fuzzy Hash: 8ff4a25cdce3a3fd69f90685541766784d6adaa8d918900b62d8163675aec4b5
Instruction Fuzzy Hash: 7A41D371700610AFEB10AF29CC86F6E77A59B44714F04806EF94ABB3C3CB786D008B99

Function 004855FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0048564C
IsWindowEnabled.USER32 ref: 0048565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00485667
IsIconic.USER32 ref: 00485675
IsZoomed.USER32 ref: 00485683

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 21e4dfcebaa746f194821cf4b74dac9dd0b2a1a6a04e49b2a13d110fbc93a992
Instruction ID: cb23e866adfd6052c9791da1087048ad0a2fbc158b2104f0e12b7289e4a8d3fd
Opcode Fuzzy Hash: 21e4dfcebaa746f194821cf4b74dac9dd0b2a1a6a04e49b2a13d110fbc93a992
Instruction Fuzzy Hash: 1911B6713005116FE7112F26DC44B2F7799EF54721B81483EE80AE7241DB389D028B9D

Function 0046C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046C69D
CoCreateInstance.COMBASE(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C6B5

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

CoUninitialize.COMBASE ref: 0046C922

Strings

.lnk, xrefs: 0046C631, 0046C659, 0046C663

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: a5dd41a604ff6dbf850f92f341ee3d02cf3686de316275f5167b51e390c70133
Instruction ID: 59dbffdf9d75c8959dca0f7b229faa5ec1329e1f3517e1548e1d9fe2393bc20f
Opcode Fuzzy Hash: a5dd41a604ff6dbf850f92f341ee3d02cf3686de316275f5167b51e390c70133
Instruction Fuzzy Hash: BDA13E71204205AFD704EF55C881EABB7E8EF98308F00492EF556A71D2EB74EE49CB56

Function 0047F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047F151
Process32FirstW.KERNEL32(00000000,?), ref: 0047F15F

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Process32NextW.KERNEL32(00000000,?), ref: 0047F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047F22E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 3db92129315f33732f806d5fe3dc6370dc4b4aa7abd047f1d055da0ccfd04164
Instruction ID: a37f8fe04dce5febef69a0a0e80080e31aa126a280dd6e9744eb1fad4ec9a2d0
Opcode Fuzzy Hash: 3db92129315f33732f806d5fe3dc6370dc4b4aa7abd047f1d055da0ccfd04164
Instruction Fuzzy Hash: 66516F715043009FD310EF25DC85EABBBE8FF98714F50482EF59597292EB74A908CB96

Function 0048C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043BBFB,?,?,?,?,?), ref: 0048C7D7
GetCursorPos.USER32(?), ref: 0048C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043BBFB,?,?,?), ref: 0048C85E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: c3880b0d8c903a02a843eb531d215e9a5002e7bc677598effbf297b8893457d7
Instruction ID: 757619bd3f98b372d46f3818d8faf94b3fa09ae1c323e5c89f059bb0ed552e39
Opcode Fuzzy Hash: c3880b0d8c903a02a843eb531d215e9a5002e7bc677598effbf297b8893457d7
Instruction Fuzzy Hash: 00318F35600018AFCB15EF58C898EEF7BB6EB49311F04486AF9058B2A1C7359950DB68

Function 00401290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 004012D8
GetClientRect.USER32(?,?), ref: 0043B84B
GetCursorPos.USER32(?), ref: 0043B855
ScreenToClient.USER32(?,?), ref: 0043B860

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: ef7600288080b64f3de5fbb6c2441f9088fdebe13a1592defc27a45fee753810
Instruction ID: 88478fa3ad29557ab13713681797212a94603c3b61ccda0d63648654153e7648
Opcode Fuzzy Hash: ef7600288080b64f3de5fbb6c2441f9088fdebe13a1592defc27a45fee753810
Instruction Fuzzy Hash: 82112B39510019EBCB00EF94D8859AE77B8FB05300F1048AAF901F7291D734AA569BA9

Function 0048C86D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0043BB8A,?,?,?), ref: 0048C8E1

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0048C8C7

Strings

@U=u, xrefs: 0048C8C7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID: @U=u
API String ID: 1273190321-2594219639
Opcode ID: 49f8d4d74e261a0792667a20f4d8983b878908c5b61fbebbbeb1b3fdb1f74e76
Instruction ID: 2730bb4e99d3e9b783a163bc38e31a920a7dada82b9b67fdad1675d12faecba9
Opcode Fuzzy Hash: 49f8d4d74e261a0792667a20f4d8983b878908c5b61fbebbbeb1b3fdb1f74e76
Instruction Fuzzy Hash: 3701B531241204ABDB217F14CC88E6E3BA6FF85325F14493AF9511B2E1C7755816EBA9

Function 004725E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00471AFE,00000000), ref: 004726D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0047270C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 647ca52cd95cd17ecf1a142e9ecd22894e261798c0abaf00a2e2c65154873321
Instruction ID: 7df48aecdac16079d077ee4482dae0c99d09a727ef6db81992898f8f45f4089a
Opcode Fuzzy Hash: 647ca52cd95cd17ecf1a142e9ecd22894e261798c0abaf00a2e2c65154873321
Instruction Fuzzy Hash: 9B41C871600209BFEB20DA55DE85EFF77BCEB40718F10806FF609A6240DAF99E419658

Function 0046B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B655

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4170edcbd393f58b85cbfc47a26ceb0de5684a51ddd23d53752d3fee15acf1c0
Instruction ID: afdace23335808f55efa9730f0df51a9d188e262fe072cd22f4db7dcc8935507
Opcode Fuzzy Hash: 4170edcbd393f58b85cbfc47a26ceb0de5684a51ddd23d53752d3fee15acf1c0
Instruction Fuzzy Hash: DD214F35A00118EFCB00DF65D884AADBBB8FF49314F1480AEE805AB351DB359D55CF55

Function 00458CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00458D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458D3A
GetLastError.KERNEL32 ref: 00458D47

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c72357074bc1a21b6355a53b9d93858b7857e6f8b546e3a48efecc44696d47fe
Instruction ID: f8041eb50af7dbbfc0cde60679eaa74aa1fb82c582b49c73c0c2fe1d216f5579
Opcode Fuzzy Hash: c72357074bc1a21b6355a53b9d93858b7857e6f8b546e3a48efecc44696d47fe
Instruction Fuzzy Hash: 5111C1B1514208AFE728DF58EC85D6BB7FCFB04711B20852EF84693242EF74AC448B28

Function 00464021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0046404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00464088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00464091

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9adb1a1e81b239645974b83f98cd6b828b732412c9964b92f3583d332f155c02
Instruction ID: 0d159ca6df0eede845a6d4e8df17a9b3dc34993fad287cf776c7f52469128b60
Opcode Fuzzy Hash: 9adb1a1e81b239645974b83f98cd6b828b732412c9964b92f3583d332f155c02
Instruction Fuzzy Hash: BB1156B1D04229BEE7109BE8DC44FBFBBBCEB48750F100556BA04E7191D2785D4547A6

Function 00464C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00464C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00464C43
FreeSid.ADVAPI32(?), ref: 00464C53

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction ID: 10b911d193db4ddcb2d704d9467f516d67823663164fbfa441d12c43b64d2f16
Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction Fuzzy Hash: 86F04F7591130CBFDF04DFF0DC89AAEB7BCEF09201F104879A501E2281E7746A148B54

Function 00464696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043E7C1), ref: 004646A6
FindFirstFileW.KERNEL32(?,?), ref: 004646B7
FindClose.KERNEL32(00000000), ref: 004646C7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction ID: d948841d4539c93f635718a430456d5b2beea82774a4ad5489b04229db4e1113
Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction Fuzzy Hash: 81E0D8318104005B46106738EC4D4EF7B5C9E86335F100B6BFC35C15E0F7B85964869F

Function 004016DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetParent.USER32(?), ref: 0043BA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,004019B3,?,?,?,00000006,?), ref: 0043BA84

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 641c240a2b2efb91d0182c5755a2b596ce211ed6b6cbddfca43c0b906d1fc780
Instruction ID: 3b270f17815e5ad40ac2caaf65597b5a29e41b7d2f30eeb5df0f2cdb03e9475e
Opcode Fuzzy Hash: 641c240a2b2efb91d0182c5755a2b596ce211ed6b6cbddfca43c0b906d1fc780
Instruction Fuzzy Hash: 0521B434201504AFCB209F68C988EAA3BD6EF49324F598276F6156B3F1C7399D12DB5C

Function 0046C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C966
FindClose.KERNEL32(00000000), ref: 0046C996

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2d4554714edd4205186e42fae868aff655069c454dd1f327b13b1559d841f580
Instruction ID: 5b6b88f6211486deb722a6ccad0c379dfb27baad602233fbe21a4992d5fdb120
Opcode Fuzzy Hash: 2d4554714edd4205186e42fae868aff655069c454dd1f327b13b1559d841f580
Instruction Fuzzy Hash: 8E1161726106009FD710EF29D845A2AF7E9FF85325F04896EF8A9D7391DB34AC05CB85

Function 0048CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0043BC66,?,?,?,?,?), ref: 0048CC7A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: ce4ef9df73e36d9258f85331b0236484e53ecbac837d78283e4ad1508e19d4a0
Instruction ID: 394b8451dbae1be2163a0e0061e6c3d100b25cd7338ffada41d3e758d595964c
Opcode Fuzzy Hash: ce4ef9df73e36d9258f85331b0236484e53ecbac837d78283e4ad1508e19d4a0
Instruction Fuzzy Hash: 28F0907240011CFFDF049F45DC08DAE7BB8FB08311F00446EF80152121C3716A64EBA4

Function 0046A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0047977D,?,0048FB84,?), ref: 0046A314

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2b1ef19d9cc0b90717349c923e8ffe700e91dba6fe524be6687ce0cf66479d83
Instruction ID: ec260152526798b71ceb7e6cab33189719a1cd8c4d24e489ae92bbfcc79f14b4
Opcode Fuzzy Hash: 2b1ef19d9cc0b90717349c923e8ffe700e91dba6fe524be6687ce0cf66479d83
Instruction Fuzzy Hash: 1AF0E23154422DABDB109FA4CC48FEA736CBF08361F00416AFC08E6281D6309944CBA6

Function 0048CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0048CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0043BBE5,?,?,?,?), ref: 0048CDA2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 510ce9a18b6258048db2af29fa9103f682d67b8581a6436a26367b24e918182d
Instruction ID: 1f614044ca35c635a986ef611d9f23eb50d2c3a8b6e07578866e1f3a94529592
Opcode Fuzzy Hash: 510ce9a18b6258048db2af29fa9103f682d67b8581a6436a26367b24e918182d
Instruction Fuzzy Hash: 1FE04F70100254BBEB146F19DC49FBE3B94EB04750F408A2AF956D91E1C6749851A764

Function 00458713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458851), ref: 00458728
CloseHandle.KERNEL32(?,?,00458851), ref: 0045873A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 41265c65c0d245b5b55351de1af9972390df9efce4a741894ed39e1f827a307d
Instruction ID: d62c75b1f3e524d892737f0a48d4a12a26ed18abf7c0ca67bc3633a0c12aa49d
Opcode Fuzzy Hash: 41265c65c0d245b5b55351de1af9972390df9efce4a741894ed39e1f827a307d
Instruction Fuzzy Hash: A6E08C32000650EFE7212B61FC08D777BE9EF04354720883EF896C0830CB22AC90DB14

Function 0042A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0042A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A3A3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Function 0048DA9A Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0048DB46

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 1180b1d67e6e0f2e9bcc0e463e186fdea6db6fbc6398bc2bee2ceecd3187454b
Instruction ID: 268d9e3b8d7a64a76a2ced2de94424795337ec80064e9aa10fefe297856c926e
Opcode Fuzzy Hash: 1180b1d67e6e0f2e9bcc0e463e186fdea6db6fbc6398bc2bee2ceecd3187454b
Instruction Fuzzy Hash: 3011EB316051157AEB28BE1CCC05F7F3714E745B20F218A1BF9519A2D2CAA86D01935D

Function 0048D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0043BBA2,?,?,?,?,00000000,?), ref: 0048D740

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 0ee1b3b0997ab987e1dd81a52297b63d445f8f98d8ddd51a4528514068964cdd
Instruction ID: 7659672425794ce9fed3051e1722040959a4e6d6e4e00cb3c2c0b7dd1912451f
Opcode Fuzzy Hash: 0ee1b3b0997ab987e1dd81a52297b63d445f8f98d8ddd51a4528514068964cdd
Instruction Fuzzy Hash: B201F935A01014ABDF14AF19C849EBF3751EF45324F04492BF9151B2D1C334AC2197A4

Function 0048BF4D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0048BF93

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: dc972f0ce08bf24a0fa0b796411a7adab6966a5492d7304cde6b8bbeeb23dea5
Instruction ID: 1cf8b364d7a2938ecea94108e4f55cb2a299bfca561048f889acd94f5986b92e
Opcode Fuzzy Hash: dc972f0ce08bf24a0fa0b796411a7adab6966a5492d7304cde6b8bbeeb23dea5
Instruction Fuzzy Hash: E1F03C31104108FFCB05AF54DC44D7E3BA6EB08320B048929FF158A2A1C7369860EFA8

Function 0048C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0043BC4F,?,?,?,?,?,00000001,?), ref: 0048C272

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 1d18a1cdd0958c1a954bbb306124d700b80144f7d94e98180419bdef5c053cd0
Instruction ID: 2d4ccb7920783bb0dee1f6a5251654cc6b0ba3405305eace9731015ec879dbe7
Opcode Fuzzy Hash: 1d18a1cdd0958c1a954bbb306124d700b80144f7d94e98180419bdef5c053cd0
Instruction Fuzzy Hash: B9F08934200128ABDF04AF45CC59EAF3B55EB44754F00446AF9465B2D1C779A860EFE8

Function 0040189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00401B04,?,?,?,?,?), ref: 004018E2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 83e42bd6bbfac5ec87afc82de99c3f886ef0525c55ceb651644e28e898ec1f56
Instruction ID: 93c2c4eb9337f611f928324296b999a5b473b37fe02eb456bdfe2d34b65f6479
Opcode Fuzzy Hash: 83e42bd6bbfac5ec87afc82de99c3f886ef0525c55ceb651644e28e898ec1f56
Instruction Fuzzy Hash: 9BF09A34200214AFCB08EF04C864E2A37A2EB40310F00C93AF8525B3E1CB359960AB58

Function 004741FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00474218

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5348a02c0a25b19da91d4eee4c5d608374aceb20892a9845cfe4362b8eec5524
Instruction ID: b23cc063588a306259b86ea8f9a474661f10e5d890b9bf3a5c7b0bdbfe370415
Opcode Fuzzy Hash: 5348a02c0a25b19da91d4eee4c5d608374aceb20892a9845cfe4362b8eec5524
Instruction Fuzzy Hash: 79E01A312402149FD710AF9AD844A9AB7E8AF947A0F00846AF849D7352DA74AC418BA9

Function 0048CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0048CBEE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 5f790f9ba654ce440b9e8aa633e54af861f0353e0efdb2be67a929895ab1a1a6
Instruction ID: 3582824aa5acd4ab28f0171f1111e663ca74ffbb4132c60f8a652a4457cb3530
Opcode Fuzzy Hash: 5f790f9ba654ce440b9e8aa633e54af861f0353e0efdb2be67a929895ab1a1a6
Instruction Fuzzy Hash: 6DF09235241254BFDB21EF58DC05FCA3B95EB09720F058819FA11672E2CB747820EBA8

Function 00464EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00464EEC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e93814ebc846501cb35771f2105315b05d23cebf3def32ff13cd5d2d2650ae1a
Instruction ID: c1836423f7113560d063ef1193e36a36d4b40bb46e0c308692abb0183c679556
Opcode Fuzzy Hash: e93814ebc846501cb35771f2105315b05d23cebf3def32ff13cd5d2d2650ae1a
Instruction Fuzzy Hash: 0BD05EA816060539EC184B20DC5FF770108F380785FD0454BB102891C2F8DA6D55503B

Function 00458C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004588D1), ref: 00458CB3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60

Function 0048CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0043BC0C,?,?,?,?,?,?), ref: 0048CC24

Part of subcall function 0048B8EF: _memset.LIBCMT ref: 0048B8FE
Part of subcall function 0048B8EF: _memset.LIBCMT ref: 0048B90D
Part of subcall function 0048B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C7F20,004C7F64), ref: 0048B93C
Part of subcall function 0048B8EF: CloseHandle.KERNEL32 ref: 0048B94E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 58891f49a7c2d951c7a949059d5566828af3b63b60371e494426b22f8a0e87a6
Instruction ID: 2b986e4fa5c4da1ec2be5b6354e1b81fedef3537944e7d6aaa9483421c1da0b8
Opcode Fuzzy Hash: 58891f49a7c2d951c7a949059d5566828af3b63b60371e494426b22f8a0e87a6
Instruction Fuzzy Hash: 9AE0B635110208EFCB01BF45DD45E9A37A5FB1C355F018866FA05572B2CB35A960EF69

Function 0040167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00401AEE,?,?,?), ref: 004016AB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 2fa642f94d7e2c070b8deb838478818f595e42500aab45051c2b785738a9dd0b
Instruction ID: bb90503c427995b9c477cf66298f54663bf891602eec815e89c509e9abb1aa02
Opcode Fuzzy Hash: 2fa642f94d7e2c070b8deb838478818f595e42500aab45051c2b785738a9dd0b
Instruction Fuzzy Hash: B2E0EC35100208BBCF45AF91DC15E693B2AFB88314F10C82DFA451A2E2CB77A521EB58

Function 0048CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0048CB75

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: f2c52125b41073bb61fa3aa539d79d8600568049dc25b3eb355516305224574b
Instruction ID: 6a5fe3f8da89bfcbff743bb1eb82a9783b8a2519a20c847e0cd3cf06225fd444
Opcode Fuzzy Hash: f2c52125b41073bb61fa3aa539d79d8600568049dc25b3eb355516305224574b
Instruction Fuzzy Hash: 84E04279244249AFDB41EF88D885E9A3BA5AB1D700F014464FA1557362CB71A830EB65

Function 0048CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0048CBA4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ab63bff66957b52d5cc9414e83513636cecbb0700e7863ab7fb32cbdb1ca48b5
Instruction ID: b721417bafe6532c8748facb1a909db480a50713b672d84524614536bca87a10
Opcode Fuzzy Hash: ab63bff66957b52d5cc9414e83513636cecbb0700e7863ab7fb32cbdb1ca48b5
Instruction Fuzzy Hash: 80E0E239200208EFCB01EF88D844D8A3BA5AB1D300F018464FA0547362CB71A830EBA1

Function 004016B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 0040201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
Part of subcall function 0040201B: KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00401AE2,?,?), ref: 004016D4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: d36cd4a53b5e6b8e363770434c06ef723caa89b369a3d5739a4f2803678ea3f3
Instruction ID: c4397c10230325e8c4e2e710a07ebd099991a68138d64028c982fc80a56a9545
Opcode Fuzzy Hash: d36cd4a53b5e6b8e363770434c06ef723caa89b369a3d5739a4f2803678ea3f3
Instruction Fuzzy Hash: 7ED0123014030877DA102F51DD1FF4A3A1D9B94754F40C83ABB04391D3CBB66820A55C

Function 00442230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00442242

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8a249febe551d676a54362e58b36ee3cbdd6c7cccf50f5c22d62ededf723ae2e
Instruction ID: 9fab3e4f47dffe1bb4406c65b0cef95ea93db68453fc608ef19f458391309213
Opcode Fuzzy Hash: 8a249febe551d676a54362e58b36ee3cbdd6c7cccf50f5c22d62ededf723ae2e
Instruction Fuzzy Hash: 55C04CF1800109DBDB05DB90D988DEE77BCAB04304F104466A101F2110D7749B448B76

Function 0042A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A36A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88

Function 00477B1B Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00477B70
DeleteObject.GDI32(00000000), ref: 00477B82
DestroyWindow.USER32 ref: 00477B90
GetDesktopWindow.USER32 ref: 00477BAA
GetWindowRect.USER32(00000000), ref: 00477BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00477CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00477D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477D4A
GetClientRect.USER32(00000000,?), ref: 00477D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00477D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477DD0
GlobalLock.KERNEL32(00000000), ref: 00477DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477DE8
GlobalUnlock.KERNEL32(00000000), ref: 00477DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477DF8
GlobalFree.KERNEL32(00000000), ref: 00477E03
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00477E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00492CAC,00000000), ref: 00477E2B
GlobalFree.KERNEL32(00000000), ref: 00477E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00477E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00477E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0047808F

Strings

@U=u, xrefs: 00477E80, 0047800F
AutoIt v3, xrefs: 00477D42
static, xrefs: 00477D8A, 00477EE1
DISPLAY, xrefs: 00477EF2
, xrefs: 00478015

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: dbc4653a972677e53609990ad40b6c0cf63322c92cba6e77ba978192a45e68e3
Instruction ID: 4027d4b4abb4e188d55970fa8cfcc6921f63087b8bf6fa6cc9ac8d02474ea374
Opcode Fuzzy Hash: dbc4653a972677e53609990ad40b6c0cf63322c92cba6e77ba978192a45e68e3
Instruction Fuzzy Hash: 3A027F71900105EFDB14DFA4CD89EAE7BB9EF48314F14856EF909AB2A1CB749D01CB68

Function 0048A849 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A89F
GetSysColorBrush.USER32(0000000F), ref: 0048A8D0
GetSysColor.USER32(0000000F), ref: 0048A8DC
SetBkColor.GDI32(?,000000FF), ref: 0048A8F6
SelectObject.GDI32(?,?), ref: 0048A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A930
GetSysColor.USER32(00000010), ref: 0048A938
CreateSolidBrush.GDI32(00000000), ref: 0048A93F
FrameRect.USER32(?,?,00000000), ref: 0048A94E
DeleteObject.GDI32(00000000), ref: 0048A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A9A0
FillRect.USER32(?,?,?), ref: 0048A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0048A9FD

Part of subcall function 0048AB60: GetSysColor.USER32(00000012), ref: 0048AB99
Part of subcall function 0048AB60: SetTextColor.GDI32(?,?), ref: 0048AB9D
Part of subcall function 0048AB60: GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
Part of subcall function 0048AB60: GetSysColor.USER32(0000000F), ref: 0048ABBE
Part of subcall function 0048AB60: GetSysColor.USER32(00000011), ref: 0048ABDB
Part of subcall function 0048AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
Part of subcall function 0048AB60: SelectObject.GDI32(?,00000000), ref: 0048ABFA
Part of subcall function 0048AB60: SetBkColor.GDI32(?,00000000), ref: 0048AC03
Part of subcall function 0048AB60: SelectObject.GDI32(?,?), ref: 0048AC10
Part of subcall function 0048AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
Part of subcall function 0048AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
Part of subcall function 0048AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B

Strings

@U=u, xrefs: 0048AA4E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 412eddaa58f82ece9c553598873f8765f20bb49c2f8c6868c9234d56bac86d8e
Instruction ID: 452232081cd78e43451fe9d0edc745e4d0d3487f89d4aa1c860563aee330a7d3
Opcode Fuzzy Hash: 412eddaa58f82ece9c553598873f8765f20bb49c2f8c6868c9234d56bac86d8e
Instruction Fuzzy Hash: ACA17D72408301BFD710AF64DC08A6F7BA9FB89321F104E3EF962961A1D774D859CB56

Function 004837F3 Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0048F910), ref: 004838AF
IsWindowVisible.USER32(?), ref: 004838D3

Strings

GETCURRENTCOL, xrefs: 00483BB0
GETCURRENTLINE, xrefs: 00483B75
SHOWDROPDOWN, xrefs: 00483968
GETLINECOUNT, xrefs: 00483B4E
TABLEFT, xrefs: 0048390F
@U=u, xrefs: 00483B6B, 00483B92, 00483C1B
ISCHECKED, xrefs: 00483AC1
SENDCOMMANDID, xrefs: 00483C62
FINDSTRING, xrefs: 004839FE
CHECK, xrefs: 00483AF5
GETCURRENTSELECTION, xrefs: 00483A6B
ADDSTRING, xrefs: 0048399E
ISVISIBLE, xrefs: 004838BF
SELECTSTRING, xrefs: 00483A8E
CURRENTTAB, xrefs: 00483945
ISENABLED, xrefs: 004838F3
GETLINE, xrefs: 00483C23
HIDEDROPDOWN, xrefs: 00483988
SETCURRENTSELECTION, xrefs: 00483A3E
EDITPASTE, xrefs: 00483BE7
TABRIGHT, xrefs: 00483925
GETSELECTED, xrefs: 00483B2B
DELSTRING, xrefs: 004839D1
UNCHECK, xrefs: 00483B0B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: cf48f94bb6b11ab5586d36574852af0532ef661d44b1bc252d737bff85b8ece0
Instruction ID: c6bf011bc8920b3f385404e467a371699bc6c18566bcfe3a2ae0969e2ceda94a
Opcode Fuzzy Hash: cf48f94bb6b11ab5586d36574852af0532ef661d44b1bc252d737bff85b8ece0
Instruction Fuzzy Hash: 0CD162302142059FCB14FF15C451A6E77E1EF54749F10486EB8866B3A3CB79EE0ACB9A

Function 004777BE Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004777F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004778B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004778EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00477900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477946
GetClientRect.USER32(00000000,?), ref: 00477952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004779A5
GetStockObject.GDI32(00000011), ref: 004779B5
SelectObject.GDI32(00000000,00000000), ref: 004779B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004779C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004779D2
DeleteDC.GDI32(00000000), ref: 004779DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00477A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00477A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00477A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00477A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00477AAE
GetStockObject.GDI32(00000011), ref: 00477AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00477AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00477ACE

Strings

msctls_progress32, xrefs: 00477A4F
@U=u, xrefs: 00477A0D
AutoIt v3, xrefs: 0047793E
static, xrefs: 00477990, 00477AA8
DISPLAY, xrefs: 0047799B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: e805133892257ee3eef660cf6581602469c8e7ab2e2dd119546c6695ddff9b18
Instruction ID: 6f2dc87351e9f44073fe66d28d4e3a5abbc81402cfb86126b8eda0833aba6fd6
Opcode Fuzzy Hash: e805133892257ee3eef660cf6581602469c8e7ab2e2dd119546c6695ddff9b18
Instruction Fuzzy Hash: 8EA19271A00205BFEB14DFA4DC4AFAE7BB9EB44714F118569FA14A72E1C774AD00CB68

Function 0048AB60 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048AB99
SetTextColor.GDI32(?,?), ref: 0048AB9D
GetSysColorBrush.USER32(0000000F), ref: 0048ABB3
GetSysColor.USER32(0000000F), ref: 0048ABBE
CreateSolidBrush.GDI32(?), ref: 0048ABC3
GetSysColor.USER32(00000011), ref: 0048ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048ABE9
SelectObject.GDI32(?,00000000), ref: 0048ABFA
SetBkColor.GDI32(?,00000000), ref: 0048AC03
SelectObject.GDI32(?,?), ref: 0048AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0048AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0048AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0048ACEC
DrawFocusRect.USER32(?,?), ref: 0048ACF7
GetSysColor.USER32(00000011), ref: 0048AD05
SetTextColor.GDI32(?,00000000), ref: 0048AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AD21
SelectObject.GDI32(?,0048A869), ref: 0048AD38
DeleteObject.GDI32(?), ref: 0048AD43
SelectObject.GDI32(?,?), ref: 0048AD49
DeleteObject.GDI32(?), ref: 0048AD4E
SetTextColor.GDI32(?,?), ref: 0048AD54
SetBkColor.GDI32(?,?), ref: 0048AD5E

Strings

@U=u, xrefs: 0048ACA7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 5a2d9b3853a4e0277dcb983e1b4079ab19a424685d8f5ba3f0016e86cf092168
Instruction ID: 2680c5cb8e69463474aeacce461c7d25b1e5fd9f16fef23a59f5f5dba328ec77
Opcode Fuzzy Hash: 5a2d9b3853a4e0277dcb983e1b4079ab19a424685d8f5ba3f0016e86cf092168
Instruction Fuzzy Hash: 88617171900218FFDF11DFA4DC48EAE7B79EB08320F10492AF911AB2A1D7B59D50DB94

Function 0046AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AF89
GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046B066
SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046B1C4

Strings

Removable, xrefs: 0046B0B8
MMC, xrefs: 0046B185
iSCSI, xrefs: 0046B169
PhysicalDrive, xrefs: 0046B012
ATA, xrefs: 0046B13F
CDROM, xrefs: 0046B09A
Virtual, xrefs: 0046B18C
SCSI, xrefs: 0046B131
SSA, xrefs: 0046B14D
USB, xrefs: 0046B15B
Network, xrefs: 0046B0A4
SAS, xrefs: 0046B170
\\.\, xrefs: 0046AFDB
SATA, xrefs: 0046B177
FileBackedVirtual, xrefs: 0046B193
ATAPI, xrefs: 0046B138
Fibre, xrefs: 0046B154
SSD, xrefs: 0046B0F1
1394, xrefs: 0046B146
Fixed, xrefs: 0046B0AE
Unknown, xrefs: 0046B086, 0046B12A
RAMDisk, xrefs: 0046B090
RAID, xrefs: 0046B162

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 916100f2c26f479c16384bf2489b0b5793ab87fcf20d1e86787fe43ad7519d84
Instruction ID: 776fc6ea3dd3f9210f8b2b9a0ff9a4140feb8d65df7228a0847dc19c69f0f078
Opcode Fuzzy Hash: 916100f2c26f479c16384bf2489b0b5793ab87fcf20d1e86787fe43ad7519d84
Instruction Fuzzy Hash: C9519330688205BBCB14EB11C952AFE77B0EB55385730402BE406E7291EB7D9D929B9F

Function 00402C18 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00402CA2
DeleteObject.GDI32(00000000), ref: 00402CE8
DeleteObject.GDI32(00000000), ref: 00402CF3
DestroyCursor.USER32(00000000), ref: 00402CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C68B
750F1630.COMCTL32(?,000000FF,?), ref: 0043C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043CAED

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

SendMessageW.USER32(?,00001053), ref: 0043CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043CB41

Strings

0, xrefs: 0043C981
@U=u, xrefs: 0043C68B, 0043C792, 0043CA6D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF1630InvalidateMoveRect
String ID: 0$@U=u
API String ID: 4019103327-975001249
Opcode ID: 319465118f40a677a1d1414e517c061b3f32768ca008c68f61ff4bf64cba3379
Instruction ID: c5daa602b1da6e2c88f559f2981f7132431180b83a6a7b57709d98132a53226c
Opcode Fuzzy Hash: 319465118f40a677a1d1414e517c061b3f32768ca008c68f61ff4bf64cba3379
Instruction Fuzzy Hash: 9D12B030604201EFDB14DF24C988BAAB7E1BF09314F54557EE885EB2A2C779EC42CB59

Function 00489C8B Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00489D41
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00489DFA
SendMessageW.USER32(?,00001102,00000002,?), ref: 00489E16

Strings

0, xrefs: 00489E53
@U=u, xrefs: 00489DFA, 00489E16, 00489F92, 00489FC5, 0048A025, 0048A06F, 0048A0CF, 0048A0F3, 0048A1AF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: adf286d6e68cce785ecb644c576818994b00a56faf576e649f2c70024ba92196
Instruction ID: 7e606b60c9002f7c4e3c3e4784b9445bff2545e97c27de1bb952dcdf61c871a3
Opcode Fuzzy Hash: adf286d6e68cce785ecb644c576818994b00a56faf576e649f2c70024ba92196
Instruction Fuzzy Hash: 5F02CF30104201AFE725AF14C848BAFBBE4FF49314F08892FF995963A1C7B99855CB5A

Function 00406A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00406A91
__wcsnicmp.LIBCMT ref: 00406AA9
__wcsnicmp.LIBCMT ref: 00406AC1
__wcsnicmp.LIBCMT ref: 00406AD9
__wcsnicmp.LIBCMT ref: 00406AF1
__wcsnicmp.LIBCMT ref: 00406B09
__wcsnicmp.LIBCMT ref: 00406B21
__wcsnicmp.LIBCMT ref: 00406B35
__wcsnicmp.LIBCMT ref: 00406B76
__wcsnicmp.LIBCMT ref: 00406B8A
__wcsnicmp.LIBCMT ref: 00406B9E
__wcsnicmp.LIBCMT ref: 00406BB2

Strings

#include-once, xrefs: 00406AEB
Unterminated group of comments, xrefs: 0043E82C
#include, xrefs: 00406B03
#requireadmin, xrefs: 00406ABB
#comments-end, xrefs: 00406B98
#pragma compile, xrefs: 00406A8B
Bad directive syntax error, xrefs: 0043E743
#OnAutoItStartRegister, xrefs: 00406AD3
#cs, xrefs: 00406B2F, 00406B84
#notrayicon, xrefs: 00406AA3
#ce, xrefs: 00406BAC
Cannot parse #include, xrefs: 0043E819
#comments-start, xrefs: 00406B1B, 00406B70

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 58cc39d77051a73422670d715206fa4ca443a5cb1c1741b34e64545ef3e900b6
Instruction ID: 8187de94c8bffb5aa90f003ee6c2c3bd34f27edaa7f64cb26bdd9306e81e5eb5
Opcode Fuzzy Hash: 58cc39d77051a73422670d715206fa4ca443a5cb1c1741b34e64545ef3e900b6
Instruction Fuzzy Hash: B381F8B0741215A6CB20BB22DD82FAF7768AF15304F14403BF946BA1C1E77CEA55C65D

Function 00488C44 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488D45
CharNextW.USER32(0000014E), ref: 00488D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488DF9
SetWindowTextW.USER32(?,0000014E), ref: 00488E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00488E8C
_memset.LIBCMT ref: 00488EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488EFA
_memset.LIBCMT ref: 00488F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00488FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00489088
InvalidateRect.USER32(?,00000000,00000001), ref: 004890AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004890F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00489121
DrawMenuBar.USER32(?), ref: 00489130
SetWindowTextW.USER32(?,0000014E), ref: 00489158

Strings

@U=u, xrefs: 00488D34, 00488D45, 00488D7A, 00488DF9, 00488E5B, 00488E8C, 00488EFA, 00488F83, 00488FDB, 00489088
0, xrefs: 004890C2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: d3c7a6b11245a9e731cabdd1cb605b6005b29316865d0d385ecbacc601443254
Instruction ID: 06ae97bc04d9bd9a605fd07afab84948b7726a7264b26731c3a6e1cfb59002d2
Opcode Fuzzy Hash: d3c7a6b11245a9e731cabdd1cb605b6005b29316865d0d385ecbacc601443254
Instruction Fuzzy Hash: 60E1B270900209AADF10AF54CC88EFF7BB8EF05314F54895FF915A6290DB788A85DF69

Function 00484B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00484C51
GetDesktopWindow.USER32 ref: 00484C66
GetWindowRect.USER32(00000000), ref: 00484C6D
GetWindowLongW.USER32(?,000000F0), ref: 00484CCF
DestroyWindow.USER32(?), ref: 00484CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484D68
SendMessageW.USER32(?,00000421,?,?), ref: 00484D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484D90
IsWindowVisible.USER32(?), ref: 00484DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484DDF
GetWindowRect.USER32(?,?), ref: 00484DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00484E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00484E37
CopyRect.USER32(?,?), ref: 00484E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00484EB9

Strings

tooltips_class32, xrefs: 00484D1D
(, xrefs: 00484E2A
0, xrefs: 00484BFC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f331351360268a1b5d7d8b914c2b9c9323f39334a68d66cdc55574e05c4d5c59
Instruction ID: 81ce0c80fb3ce83a9a695b2ca3c7f4fe6b6ee7cd94759bd4250ac35758565499
Opcode Fuzzy Hash: f331351360268a1b5d7d8b914c2b9c9323f39334a68d66cdc55574e05c4d5c59
Instruction Fuzzy Hash: 71B15A71604341AFDB04EF65C844B6EBBE4BF84314F00892EF599AB2A1D778EC05CB99

Function 004027D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
GetSystemMetrics.USER32(00000007), ref: 004028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
GetSystemMetrics.USER32(00000008), ref: 004028F7
GetSystemMetrics.USER32(00000004), ref: 0040291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C67B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974
@U=u, xrefs: 004029D5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: ec9e0a668728e5aa275892a4949e6a380bc73807ac62361be819335244ce8f1d
Instruction ID: 34a51bb5a318ae1a344add4034b802b2dd09297663e35ec0c622bb09f95dc302
Opcode Fuzzy Hash: ec9e0a668728e5aa275892a4949e6a380bc73807ac62361be819335244ce8f1d
Instruction Fuzzy Hash: 21B18275600205AFDB14DF68DD89BAE7BB4FB08314F10863AFA15A72D0DB78A851CF58

Function 004646D6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0046473C
_wcscmp.LIBCMT ref: 00464747
_wcscat.LIBCMT ref: 0046475D
_wcsstr.LIBCMT ref: 00464768
75381560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464784
_wcscat.LIBCMT ref: 004647CD
_wcscat.LIBCMT ref: 004647D4
_wcsncpy.LIBCMT ref: 004647FF

Strings

04090000, xrefs: 004647BA
StringFileInfo\, xrefs: 00464757
%u.%u.%u.%u, xrefs: 00464862
DefaultLangCodepage, xrefs: 004647E7
\VarFileInfo\Translation, xrefs: 0046477C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcscat$75381560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2056390432-1459072770
Opcode ID: 63107b6ab9c468327d58ca740375c22508ff44841009e46dfdc8024742ead1e1
Instruction ID: f88f6bb759531ccf8b0359daaa379e531abbb6c583277710136eab8ff515ad19
Opcode Fuzzy Hash: 63107b6ab9c468327d58ca740375c22508ff44841009e46dfdc8024742ead1e1
Instruction Fuzzy Hash: 354117326002147ADB14BA65AD42EBF77ACDF81714F50006FF804A6182FB6C9A0197BE

Function 0045C4C1 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0045C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045C4E6
SetWindowTextW.USER32(?,?), ref: 0045C4FD
GetDlgItem.USER32(?,000003EA), ref: 0045C512
SetWindowTextW.USER32(00000000,?), ref: 0045C518
GetDlgItem.USER32(?,000003E9), ref: 0045C528
SetWindowTextW.USER32(00000000,?), ref: 0045C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0045C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0045C569
GetWindowRect.USER32(?,?), ref: 0045C572
SetWindowTextW.USER32(?,?), ref: 0045C5DD
GetDesktopWindow.USER32 ref: 0045C5E3
GetWindowRect.USER32(00000000), ref: 0045C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0045C636
GetClientRect.USER32(?,?), ref: 0045C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0045C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0045C693

Strings

@U=u, xrefs: 0045C4E6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: e87f013716cb66209e1fdc9be48e700506287b43d24e7040997972545f066d81
Instruction ID: 3b2bd1e7a7ebd211801f78b3086a02ec173cefa662ab0dc5f88ee9ae4e850772
Opcode Fuzzy Hash: e87f013716cb66209e1fdc9be48e700506287b43d24e7040997972545f066d81
Instruction Fuzzy Hash: 1F518070900709AFDB20DFA8CD85B6FBBF5FF04705F00492DE682A26A1D774A949CB54

Function 00415F88 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

GetForegroundWindow.USER32(0048F910,?,?,?,?,?), ref: 00416042
IsWindow.USER32(?), ref: 00450FFA

Strings

ALL, xrefs: 00450F61
CLASS, xrefs: 00450E24
TITLE, xrefs: 00450F8F
HANDLE, xrefs: 00450DDD
LAST, xrefs: 00450DB1
INSTANCE, xrefs: 00450F39
ACTIVE, xrefs: 00450DC7
REGEXPCLASS, xrefs: 00450E45
REGEXPTITLE, xrefs: 00450DF3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 6d8a6a7f27a75ca62f4992cab0499245dfe3ac76e7061a210c3808b6d8321951
Instruction ID: d84b33950cc9dea91d6c875b386e3144a241cc22e54774cf695bc00c6053f8ee
Opcode Fuzzy Hash: 6d8a6a7f27a75ca62f4992cab0499245dfe3ac76e7061a210c3808b6d8321951
Instruction Fuzzy Hash: CCD10C31104602EFCB14EF11C441A9ABBA0BF54349F504A2FF855536A3DB7CE99ECB9A

Function 00484069 Relevance: 30.0, APIs: 3, Strings: 14, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004840F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004841B6

Strings

SELECTCLEAR, xrefs: 00484235
@U=u, xrefs: 004841B6, 004841E8
GETTEXT, xrefs: 0048415F
ISSELECTED, xrefs: 004841C1
GETSELECTEDCOUNT, xrefs: 00484199
SELECT, xrefs: 00484250
DESELECT, xrefs: 004842A4
SELECTALL, xrefs: 0048421D
VIEWCHANGE, xrefs: 00484375
GETSUBITEMCOUNT, xrefs: 00484141
GETITEMCOUNT, xrefs: 00484128
GETSELECTED, xrefs: 004842E4
FINDITEM, xrefs: 00484329
SELECTINVERT, xrefs: 00484286

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: 71a84a331119b1556e37ec1e070573675638364ccf32b69f3f82b434462ef99b
Instruction ID: 9cfe7e01c3492d2b59db2ff75b6cf7b0990ad6aaadf579f18c9153eeadefeee6
Opcode Fuzzy Hash: 71a84a331119b1556e37ec1e070573675638364ccf32b69f3f82b434462ef99b
Instruction Fuzzy Hash: DDA170303142029FCB14FF15C951A6EB3A5AF84318F14496EB8965B3D3DB38ED06CB5A

Function 0048BCED Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0048BD10
GetFileSize.KERNEL32(00000000,00000000), ref: 0048BD27
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0048BD32
CloseHandle.KERNEL32(00000000), ref: 0048BD3F
GlobalLock.KERNEL32(00000000), ref: 0048BD48
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0048BD57
GlobalUnlock.KERNEL32(00000000), ref: 0048BD60
CloseHandle.KERNEL32(00000000), ref: 0048BD67
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0048BD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00492CAC,?), ref: 0048BD91
GlobalFree.KERNEL32(00000000), ref: 0048BDA1
GetObjectW.GDI32(?,00000018,000000FF), ref: 0048BDC5
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0048BDF0
DeleteObject.GDI32(00000000), ref: 0048BE18
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0048BE2E

Strings

@U=u, xrefs: 0048BE2E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 2ef3c73d0ecf62ea383054c8459600fe69dcae0fa81eb6f10a909750517e530a
Instruction ID: 591bd05ee601cdb4eeeaba152367ddfaf644c5d0e7d28595dd03dcf49ad8e52e
Opcode Fuzzy Hash: 2ef3c73d0ecf62ea383054c8459600fe69dcae0fa81eb6f10a909750517e530a
Instruction Fuzzy Hash: 36413675600208BFDB21AF65DC88EAFBBB8FB89711F204869F905DB260D7359D05CB64

Function 004752F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00475309
LoadCursorW.USER32(00000000,00007F8A), ref: 00475314
LoadCursorW.USER32(00000000,00007F00), ref: 0047531F
LoadCursorW.USER32(00000000,00007F03), ref: 0047532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00475335
LoadCursorW.USER32(00000000,00007F01), ref: 00475340
LoadCursorW.USER32(00000000,00007F81), ref: 0047534B
LoadCursorW.USER32(00000000,00007F88), ref: 00475356
LoadCursorW.USER32(00000000,00007F80), ref: 00475361
LoadCursorW.USER32(00000000,00007F86), ref: 0047536C
LoadCursorW.USER32(00000000,00007F83), ref: 00475377
LoadCursorW.USER32(00000000,00007F85), ref: 00475382
LoadCursorW.USER32(00000000,00007F82), ref: 0047538D
LoadCursorW.USER32(00000000,00007F84), ref: 00475398
LoadCursorW.USER32(00000000,00007F04), ref: 004753A3
LoadCursorW.USER32(00000000,00007F02), ref: 004753AE
GetCursorInfo.USER32(?), ref: 004753BE
GetLastError.KERNEL32(00000001,00000000), ref: 004753E9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6a6270ed0b4940824aeabb991483fe1258c9c8061cdaf7958afd48eb47f7a711
Instruction ID: 895aef13bd3dab5c61d690930f62dfa726266ed77347b80580808b7c2f00316e
Opcode Fuzzy Hash: 6a6270ed0b4940824aeabb991483fe1258c9c8061cdaf7958afd48eb47f7a711
Instruction Fuzzy Hash: 64415370E043196ADB109FBA8C499AFFFF8EF51B50B10453FA509EB291DAB894018E55

Function 0045AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045AAA5
__swprintf.LIBCMT ref: 0045AB46
_wcscmp.LIBCMT ref: 0045AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045ABAE
_wcscmp.LIBCMT ref: 0045ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0045AC21
GetDlgCtrlID.USER32(?), ref: 0045AC73
GetWindowRect.USER32(?,?), ref: 0045ACA9
GetParent.USER32(?), ref: 0045ACC7
ScreenToClient.USER32(00000000), ref: 0045ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0045AD48
_wcscmp.LIBCMT ref: 0045AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0045AD82
_wcscmp.LIBCMT ref: 0045AD96

Part of subcall function 0042386C: _iswctype.LIBCMT ref: 00423874

Strings

%s%u, xrefs: 0045AB40

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 4b92ad8b0c6b80a2dfb9578a1e43b2159a4eff4beb40b0b2335c71dd6fe31aaa
Instruction ID: d35ec86bbcbeb73e35131cf7d28b7f07d5205fc7c70a866cb5f2956c045b87af
Opcode Fuzzy Hash: 4b92ad8b0c6b80a2dfb9578a1e43b2159a4eff4beb40b0b2335c71dd6fe31aaa
Instruction Fuzzy Hash: FDA1E471204206ABD715DF20C884BABB7E9FF44306F00462EFD9992252D738E96DCB96

Function 0045B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0045B3DB
_wcscmp.LIBCMT ref: 0045B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0045B414
CharUpperBuffW.USER32(?,00000000), ref: 0045B431
_wcscmp.LIBCMT ref: 0045B44F
_wcsstr.LIBCMT ref: 0045B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B498
_wcscmp.LIBCMT ref: 0045B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B518
_wcscmp.LIBCMT ref: 0045B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0045B550
GetWindowRect.USER32(00000004,?), ref: 0045B5B9

Strings

@, xrefs: 0045B3BC
ThumbnailClass, xrefs: 0045B4A3, 0045B523

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 14214c58a2382f461ec561065851237165fad53e4fcff9b570be27b1f77f4ee0
Instruction ID: 240f2515f7d8b055f070d9f97ff281d4f8d57ffbed57100c70ef1838547da153
Opcode Fuzzy Hash: 14214c58a2382f461ec561065851237165fad53e4fcff9b570be27b1f77f4ee0
Instruction Fuzzy Hash: 2181AD71004209ABDB14DF11C881FAB77E8EF4431AF14856EFD859A193EB38DD49CBA9

Function 0048A428 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048A4C8
DestroyWindow.USER32(00000000,?), ref: 0048A542

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A5F1
DestroyWindow.USER32(00000000), ref: 0048A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,00000000), ref: 0048A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A663
GetDesktopWindow.USER32 ref: 0048A67C
GetWindowRect.USER32(00000000), ref: 0048A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A6B3

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

Strings

0, xrefs: 0048A4DE
tooltips_class32, xrefs: 0048A5B5, 0048A643
@U=u, xrefs: 0048A5DE, 0048A5F1, 0048A663, 0048A68D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: ba74acf88bc8afc12da4d1a0b4acd557f342eae14ade622755994d8a017ce3c8
Instruction ID: 86a82787039558be905cb5ee93fd95c55d710ea48d453bde977e80527a28d278
Opcode Fuzzy Hash: ba74acf88bc8afc12da4d1a0b4acd557f342eae14ade622755994d8a017ce3c8
Instruction Fuzzy Hash: 14717171140205AFE710EF18CC45F6B77E5FB88304F08492EF985972A0D7B8E956CB6A

Function 0045B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045B23F

Strings

[ALL, xrefs: 0045B2E5
[LAST, xrefs: 0045B2EC
ALL, xrefs: 0045B2D3
REGEXP=, xrefs: 0045B254
[HANDLE:, xrefs: 0045B24B
LAST, xrefs: 0045B204
CLASSNAME=, xrefs: 0045B27C
[ACTIVE, xrefs: 0045B22C
ACTIVE, xrefs: 0045B21A
[CLASS:, xrefs: 0045B28F
[REGEXPTITLE:, xrefs: 0045B267
HANDLE=, xrefs: 0045B238

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: f874120083bf1d81c9d4e3b548cf2a9c9c7222b01cabae5bed2a3ddfb92a80ce
Instruction ID: 0a4734ff45ec4583e3e81acf795fc21f567cbd392f16838e952200b8ee8254f0
Opcode Fuzzy Hash: f874120083bf1d81c9d4e3b548cf2a9c9c7222b01cabae5bed2a3ddfb92a80ce
Instruction Fuzzy Hash: B5318B30A04205A6DB14EA62CD43BEE77A4DF24756F60006FB941720D2EF6D6E09C9AE

Function 00484619 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004846AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004846F6

Strings

SELECT, xrefs: 004848A7
COLLAPSE, xrefs: 0048473C
EXISTS, xrefs: 0048475F
GETTOTALCOUNT, xrefs: 004846DD
@U=u, xrefs: 004846F6
ISCHECKED, xrefs: 00484879
EXPAND, xrefs: 004847A8
GETITEMCOUNT, xrefs: 004847D8
GETTEXT, xrefs: 00484849
CHECK, xrefs: 00484716
GETSELECTED, xrefs: 00484806
UNCHECK, xrefs: 004848D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 64a95ecca5a7531c6b64c85c6d01a575eafbf0ddc76ec485f55780a00bd9b520
Instruction ID: a6b8fb82e4ceb85ef300ce259a46dfdb45366ccd12162413b511f73bb29c4b6b
Opcode Fuzzy Hash: 64a95ecca5a7531c6b64c85c6d01a575eafbf0ddc76ec485f55780a00bd9b520
Instruction Fuzzy Hash: 5E9152742143129FCB14FF15C451A6EB7A1AF84318F00486EE8956B793DB3CED4ACB9A

Function 0048BAB8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00486D80,?), ref: 0048BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048BC7D
FreeLibrary.KERNEL32(?), ref: 0048BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048BC99
DestroyCursor.USER32(?), ref: 0048BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BCD1

Part of subcall function 0042313D: __wcsicmp_l.LIBCMT ref: 004231C6

Strings

.icl, xrefs: 0048BAE4
.exe, xrefs: 0048BB04
@U=u, xrefs: 0048BCB1
.dll, xrefs: 0048BB27

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 3907162815-1639919054
Opcode ID: 37424d4d7763948733a8dca49077fd2f9633061e04095cbabdff28e088f3a0fe
Instruction ID: 5370879412d3ef42147b43b34bb4041711e9c26008a93505a4a8dcab61b4cfc6
Opcode Fuzzy Hash: 37424d4d7763948733a8dca49077fd2f9633061e04095cbabdff28e088f3a0fe
Instruction Fuzzy Hash: E661CE71600219BEEB14EF65CC45BBF77A8EB08710F10492EF815D61C1DBB8A994DBA8

Function 00467FA4 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00467FE9
VariantCopy.OLEAUT32(00000000,?), ref: 00467FF2
VariantClear.OLEAUT32(00000000), ref: 00467FFE
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004680EC
__swprintf.LIBCMT ref: 0046811C
VarR8FromDec.OLEAUT32(?,?), ref: 00468148
VariantInit.OLEAUT32(?), ref: 004681F9
SysFreeString.OLEAUT32(00000016), ref: 0046828D
VariantClear.OLEAUT32(?), ref: 004682E7
VariantClear.OLEAUT32(?), ref: 004682F6
VariantInit.OLEAUT32(00000000), ref: 00468334

Strings

Default, xrefs: 004681A9
%4d%02d%02d%02d%02d%02d, xrefs: 00468116

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: d0a2a545a9e57ea71eb58458c2f5a9de6cdc2f9f54a6683206fdd82d0ecdcada
Instruction ID: 2682ed8c0086b85f7f7a5589b892ebf4bccd9fa06ddd6521cb48c12ef20c28d5
Opcode Fuzzy Hash: d0a2a545a9e57ea71eb58458c2f5a9de6cdc2f9f54a6683206fdd82d0ecdcada
Instruction Fuzzy Hash: 30D1E330600515DBCB109F66C844B6AB7B4BF04704F158A6FE405AB2C1EF7DAC49EB6B

Function 0046DE85 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0046DF47
SystemTimeToFileTime.KERNEL32(?,?), ref: 0046DF57
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0046DF63
__wsplitpath.LIBCMT ref: 0046DFC1
_wcscat.LIBCMT ref: 0046DFD9
_wcscat.LIBCMT ref: 0046DFEB
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0046E000
SetCurrentDirectoryW.KERNEL32(?), ref: 0046E014
SetCurrentDirectoryW.KERNEL32(?), ref: 0046E046
SetCurrentDirectoryW.KERNEL32(?), ref: 0046E067
_wcscpy.LIBCMT ref: 0046E073
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0046E0B2

Strings

*.*, xrefs: 0046E06D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 60e571fcc24c2b4a3a60574f98f5ba1ae2266eef0ebb0a4fa92a3a824bdcb63e
Instruction ID: f3d54c6dbf8383f42720adc0e47e39a44ecb94d264c17b8113f5383fde8d3d00
Opcode Fuzzy Hash: 60e571fcc24c2b4a3a60574f98f5ba1ae2266eef0ebb0a4fa92a3a824bdcb63e
Instruction Fuzzy Hash: 79617B766043159FCB10EF25C8449AEB3E8FF89314F04482EF98997292EB39E905CB56

Function 0046A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0048FB78), ref: 0046A0FC

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0046A11E
__swprintf.LIBCMT ref: 0046A177
__swprintf.LIBCMT ref: 0046A190
_wprintf.LIBCMT ref: 0046A246
_wprintf.LIBCMT ref: 0046A264

Strings

%I, xrefs: 0046A0C9
Error: , xrefs: 0046A20E
"%s" (%d) : ==> %s:, xrefs: 0046A25F
Line %d (File "%s"):, xrefs: 0046A171, 0046A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0046A241
^ ERROR, xrefs: 0046A1E8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%I
API String ID: 311963372-1791166345
Opcode ID: 4cd43bcf80d0820f65665fea3393de1bcc51a8b0913537eaf14d6fb74990e2d9
Instruction ID: 1303775e7231178a658396c91acb0fa552fc501cd72ad3af750fbe55f2e9d174
Opcode Fuzzy Hash: 4cd43bcf80d0820f65665fea3393de1bcc51a8b0913537eaf14d6fb74990e2d9
Instruction Fuzzy Hash: E9516171940509AACF15EBA1CD42EEEB779AF04304F1041BAF505721A1EB396F58CFAA

Function 00469EA3 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00469EEA

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00469F0B
__swprintf.LIBCMT ref: 00469F64
__swprintf.LIBCMT ref: 00469F7D
_wprintf.LIBCMT ref: 0046A024
_wprintf.LIBCMT ref: 0046A042

Strings

^ ERROR , xrefs: 00469FB9
Error: , xrefs: 00469FEC
Line %d (File "%s"):, xrefs: 00469F5E, 00469F77
"%s" (%d) : ==> %s:, xrefs: 0046A03D
Incorrect parameters to object property !, xrefs: 00469FC6
"%s" (%d) : ==> %s:%s%s, xrefs: 0046A01F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 919a289ee3f523d30e238457d5dcd5ad8f839c127a8fc31a7f0e566c568d85a8
Instruction ID: 29e7590618fc63383b9363bf02462082d3fe4c4574b2377bec111ab1fce9246c
Opcode Fuzzy Hash: 919a289ee3f523d30e238457d5dcd5ad8f839c127a8fc31a7f0e566c568d85a8
Instruction Fuzzy Hash: 34515271900609AADF15EBA1CD42EEEB779AF08304F10017BB50572191EB397F59CFAA

Function 0046A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

CharLowerBuffW.USER32(?,?), ref: 0046A636
GetDriveTypeW.KERNEL32 ref: 0046A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A730

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Strings

set cd door , xrefs: 0046A6D1
open , xrefs: 0046A692
closed, xrefs: 0046A64A, 0046A653
open, xrefs: 0046A65D
wait, xrefs: 0046A6ED
type cdaudio alias cd wait, xrefs: 0046A6AE
close, xrefs: 0046A63C
close cd wait, xrefs: 0046A71B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f4d581a9c425b2a6924f551dc68602a1ba6881c04f01c44f91470c97173245ef
Instruction ID: 6be42100393f5907e158319192f1f81eb493a356fa9d8496d4bade02da62f26d
Opcode Fuzzy Hash: f4d581a9c425b2a6924f551dc68602a1ba6881c04f01c44f91470c97173245ef
Instruction Fuzzy Hash: 74516AB12043049FC700EF25C88196AB3E4EF94308F14496EF885672A2DB39EE0ACF56

Function 0045FDBA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0043E452,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0045FDEF
LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FDF8

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0043E452,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0045FE1A
LoadStringW.USER32(00000000,?,0043E452,00000001), ref: 0045FE1D
__swprintf.LIBCMT ref: 0045FE6D
__swprintf.LIBCMT ref: 0045FE7E
_wprintf.LIBCMT ref: 0045FF27
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045FF3E

Strings

Line %d:, xrefs: 0045FE78
Error: , xrefs: 0045FEF5
%s (%d) : ==> %s: %s %s, xrefs: 0045FF22
Line %d (File "%s"):, xrefs: 0045FE67
^ ERROR, xrefs: 0045FED3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: d334df5f26e450b277bc4fb66a4172c4cdd85e05055212c7998a8ac8a343290a
Instruction ID: b72d063de52a6d97598c11586145e3d3ef420078c9f862c2cdf80dc6d20c8828
Opcode Fuzzy Hash: d334df5f26e450b277bc4fb66a4172c4cdd85e05055212c7998a8ac8a343290a
Instruction Fuzzy Hash: 01414072904209A6CF14FBE1CD86DEE7778AF18705F50007AF501720D2DA386F49CBAA

Function 0046A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A47A
__swprintf.LIBCMT ref: 0046A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A4FE
_memset.LIBCMT ref: 0046A51D
_wcsncpy.LIBCMT ref: 0046A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A58E
CloseHandle.KERNEL32(00000000), ref: 0046A599
RemoveDirectoryW.KERNEL32(?), ref: 0046A5A2
CloseHandle.KERNEL32(00000000), ref: 0046A5AC

Strings

\??\%s, xrefs: 0046A496
:, xrefs: 0046A4BD
\, xrefs: 0046A4B2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5f33faa08cb701eabbd1d6ffb6acf6de227f701ccc96ef5130cbe269c31a5bbd
Instruction ID: 6c28acaa41771e45f4dd62128d4a585676a8276a6c1e95ceaff3c4baf32f5ede
Opcode Fuzzy Hash: 5f33faa08cb701eabbd1d6ffb6acf6de227f701ccc96ef5130cbe269c31a5bbd
Instruction Fuzzy Hash: BF31A271600119ABDB20DFA1DC48FEF73BCEF88701F1040BAF909D2150EB7496548B29

Function 0046DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0046DC7B
_wcscat.LIBCMT ref: 0046DC93
_wcscat.LIBCMT ref: 0046DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0046DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0046DCCE
GetFileAttributesW.KERNEL32(?), ref: 0046DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0046DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0046DD12

Strings

*.*, xrefs: 0046DD51

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 0ada110ba3e936a266dd83dc2973c046b59c34be01d6489e18d29a05dcfaf14e
Instruction ID: f9490e5959290cb0956c410083a53966904df6dcd6624628cec000a7d302a53e
Opcode Fuzzy Hash: 0ada110ba3e936a266dd83dc2973c046b59c34be01d6489e18d29a05dcfaf14e
Instruction Fuzzy Hash: A781A171F042449FCB24EF24C84596BB7E8AB88704F19882FF885CB251F639E945CB5B

Function 004583F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00458766
Part of subcall function 0045874A: GetLastError.KERNEL32(?,0045822A,?,?,?), ref: 00458770
Part of subcall function 0045874A: GetProcessHeap.KERNEL32(00000008,?,?,0045822A,?,?,?), ref: 0045877F
Part of subcall function 0045874A: RtlAllocateHeap.NTDLL(00000000,?,0045822A), ref: 00458786
Part of subcall function 0045874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045879D

Part of subcall function 004587E7: GetProcessHeap.KERNEL32(00000008,00458240,00000000,00000000,?,00458240,?), ref: 004587F3
Part of subcall function 004587E7: RtlAllocateHeap.NTDLL(00000000,?,00458240), ref: 004587FA
Part of subcall function 004587E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00458240,?), ref: 0045880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00458458
_memset.LIBCMT ref: 0045846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0045848C
GetLengthSid.ADVAPI32(?), ref: 0045849D
GetAce.ADVAPI32(?,00000000,?), ref: 004584DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004584F6
GetLengthSid.ADVAPI32(?), ref: 00458513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00458522
RtlAllocateHeap.NTDLL(00000000), ref: 00458529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0045854A
CopySid.ADVAPI32(00000000), ref: 00458551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00458582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004585A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004585BC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 627c0861b54cffdfc9a529a4ed73b197297eeeab106a519f0bcebb365129c94a
Instruction ID: e0118614a4d337cb82eb8ed29ac7d5de28cd502eb863139baceb9309d046dcf4
Opcode Fuzzy Hash: 627c0861b54cffdfc9a529a4ed73b197297eeeab106a519f0bcebb365129c94a
Instruction Fuzzy Hash: D5614971900209BFDF009FA1DC45AAEBBB9FF05305B14856EE815B6292EF359A09CB64

Function 0047762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004776A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004776AE
CreateCompatibleDC.GDI32(?), ref: 004776BA
SelectObject.GDI32(00000000,?), ref: 004776C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0047771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0047777B
SelectObject.GDI32(00000006,?), ref: 00477783
DeleteObject.GDI32(?), ref: 0047778C
DeleteDC.GDI32(00000006), ref: 00477793
ReleaseDC.USER32(00000000,?), ref: 0047779E

Strings

(, xrefs: 00477723

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a48071f6de2e1149a10fc0667779d448dbc0b46ff6984198c5d4739579ce2f31
Instruction ID: 35a76c6371ee925a40e749d113c81bfe70045e9a1f5769368c195ea94eb780e8
Opcode Fuzzy Hash: a48071f6de2e1149a10fc0667779d448dbc0b46ff6984198c5d4739579ce2f31
Instruction Fuzzy Hash: B2514A75904209EFCB15CFA8CC84EAEBBB9EF49310F14892EF949A7210D735A845CB64

Function 00465217 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0046521C

Part of subcall function 00420719: timeGetTime.WINMM(?,753DB400,00410FF9), ref: 0042071D

Sleep.KERNEL32(0000000A), ref: 00465248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0046526C
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0046528E
SetActiveWindow.USER32 ref: 004652AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004652BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 004652DA
Sleep.KERNEL32(000000FA), ref: 004652E5
IsWindow.USER32 ref: 004652F1
EndDialog.USER32(00000000), ref: 00465302

Strings

BUTTON, xrefs: 00465280
@U=u, xrefs: 004652BB, 004652DA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 98ddb0703cd61d87628edcf0d98f7d375aff7407ac3e624b6a34ef0c4065cd16
Instruction ID: cd7097472c257bb23b584a981be65a72fabdbfa26ce45d940019a60a8d0d7c0a
Opcode Fuzzy Hash: 98ddb0703cd61d87628edcf0d98f7d375aff7407ac3e624b6a34ef0c4065cd16
Instruction Fuzzy Hash: 2421A474204704BFE7405F20ED88F2A3B69EB4578AF10187EF402922B1EB699C459F2F

Function 004693DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004691E9: __time64.LIBCMT ref: 004691F3

Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D

__wsplitpath.LIBCMT ref: 004694BE

Part of subcall function 0042432E: __wsplitpath_helper.LIBCMT ref: 0042436E

_wcscpy.LIBCMT ref: 004694D1
_wcscat.LIBCMT ref: 004694E4
__wsplitpath.LIBCMT ref: 00469509
_wcscat.LIBCMT ref: 0046951F
_wcscat.LIBCMT ref: 00469532

Part of subcall function 0046922F: _memmove.LIBCMT ref: 00469268
Part of subcall function 0046922F: _memmove.LIBCMT ref: 00469277

_wcscmp.LIBCMT ref: 00469479

Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AAE
Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004696DC
_wcsncpy.LIBCMT ref: 0046974F
DeleteFileW.KERNEL32(?,?), ref: 00469785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0046979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004697AC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004697BE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 7bde44c990673b2af3bc100e7e87403791543089c4b2218ce68508d90e78ae60
Instruction ID: 191076dc936f01cc8c9e86c8f693150e0a9661d95cfde3c8510a733473321b1c
Opcode Fuzzy Hash: 7bde44c990673b2af3bc100e7e87403791543089c4b2218ce68508d90e78ae60
Instruction Fuzzy Hash: 01C12CB1A00229AACF11DFA5CC85ADFB7BDEF44304F0040ABF609E6151EB749E458F69

Function 00406BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00420B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406C6C,?,00008000), ref: 00420BB7

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00406E5A

Part of subcall function 004059CD: _wcscpy.LIBCMT ref: 00405A05

Part of subcall function 0042387D: _iswctype.LIBCMT ref: 00423885

Strings

Error opening the file, xrefs: 0043E866, 0043E8E1
>>>AUTOIT SCRIPT<<<, xrefs: 0043E8BF
Unterminated string, xrefs: 0043EC0D
Bad directive syntax error, xrefs: 0043EBC6
EA06, xrefs: 0043E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0043E84A
AU3!, xrefs: 00406CC1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8ddd441a78d35076e32a957d01a437332a313098eaf865798266cc633cce37bb
Instruction ID: 1e1e50465060d2d049cdecd8729963b67a53d0d5fc41c37d224936f91734444f
Opcode Fuzzy Hash: 8ddd441a78d35076e32a957d01a437332a313098eaf865798266cc633cce37bb
Instruction Fuzzy Hash: DB0272705083419FC714EF25C8419AFBBE5AF98318F14492EF486A72A1DB38D949CB5B

Function 004045DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004045F9
GetMenuItemCount.USER32(004C6890), ref: 0043D7CD
GetMenuItemCount.USER32(004C6890), ref: 0043D87D
GetCursorPos.USER32(?), ref: 0043D8C1
SetForegroundWindow.USER32(00000000), ref: 0043D8CA
TrackPopupMenuEx.USER32(004C6890,00000000,?,00000000,00000000,00000000), ref: 0043D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0043D8E9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 9490ec5a4a562f1e19a84607bd5d48b970607660fc041d08b13ba27c1a5a2ef6
Instruction ID: 6ad6198a349bf1976c625735b1d5f841e5fdeefb3eec3c97a7380737a116b5bf
Opcode Fuzzy Hash: 9490ec5a4a562f1e19a84607bd5d48b970607660fc041d08b13ba27c1a5a2ef6
Instruction Fuzzy Hash: 6B713A70A00205BEEB209F15EC45FAABF64FF48358F200227F525662D1C7B96810DB59

Function 00457D24 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

_memset.LIBCMT ref: 00457DB3
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00457DE8
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00457E04
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00457E20
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00457E4A
CLSIDFromString.COMBASE(?,?), ref: 00457E72
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457E7D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457E82

Strings

\CLSID, xrefs: 00457D6A
\IPC$, xrefs: 00457DCA
SOFTWARE\Classes\, xrefs: 00457D54

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: c679d70348f793a450ebe0110f6d270a3b38b7cbb01f9d68902be52346f3f68d
Instruction ID: 3814ac2c916513ff0b371eef30ce16f10d8cbefcc059b01f2da7bbc569db4400
Opcode Fuzzy Hash: c679d70348f793a450ebe0110f6d270a3b38b7cbb01f9d68902be52346f3f68d
Instruction Fuzzy Hash: CC410B71C14229ABCF11EBA5DC859EEB778FF18744B04457AE901B31A1DB386E09CBA4

Function 004810A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00480038,?,?), ref: 004810BC

Strings

HKEY_CURRENT_CONFIG, xrefs: 00481179
HKCC, xrefs: 0048118A
HKLM, xrefs: 0048113A
HKEY_CURRENT_USER, xrefs: 0048119B
HKU, xrefs: 004811CE
HKCR, xrefs: 00481164
HKCU, xrefs: 004811AC
HKEY_USERS, xrefs: 004811BD
HKEY_LOCAL_MACHINE, xrefs: 00481125
HKEY_CLASSES_ROOT, xrefs: 0048114F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 3b55ed5639f87559ff09b0cce4a6a1ef1db60f5a6f7905995e5de618137d26f7
Instruction ID: 88389359f98c9660e251b743cdbb8ea94c24b57ab6fd2e1b5df4b40edaf02939
Opcode Fuzzy Hash: 3b55ed5639f87559ff09b0cce4a6a1ef1db60f5a6f7905995e5de618137d26f7
Instruction Fuzzy Hash: 7C41A23021025A8FDF10FF91D8909EF3368EF15344F40486BEC91672A2DB78A917CBA9

Function 0048772A Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004877CD
CreateCompatibleDC.GDI32(00000000), ref: 004877D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004877E7
SelectObject.GDI32(00000000,00000000), ref: 004877EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 004877FA
DeleteDC.GDI32(00000000), ref: 00487803
GetWindowLongW.USER32(?,000000EC), ref: 0048780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00487821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0048782D

Strings

@U=u, xrefs: 004877E7
static, xrefs: 00487765

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 510261274c145c214da60c9b5da5d04f72052e43987e87711cecd4c5b9b1e925
Instruction ID: 789ec3a4cb580d3187b1e0f25c444e25d791e636f2d83489152635d906d596f6
Opcode Fuzzy Hash: 510261274c145c214da60c9b5da5d04f72052e43987e87711cecd4c5b9b1e925
Instruction Fuzzy Hash: DD316E31105115AFDF11AF64DC08FDF3B69EF49324F210A29FA15A61A0D739E815DBA8

Function 0045FCB1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E6C9,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045FCD2
LoadStringW.USER32(00000000,?,0043E6C9,00000010), ref: 0045FCD9

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

_wprintf.LIBCMT ref: 0045FD0C
__swprintf.LIBCMT ref: 0045FD2E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045FD9D

Strings

Error: , xrefs: 0045FD6B
%s (%d) : ==> %s.: %s %s, xrefs: 0045FD07
Line %d:, xrefs: 0045FD28
Line %d (File "%s"):, xrefs: 0045FD43
., xrefs: 0045FD83

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 4fbc1b7f021815ff12a25adb8aec7b58ac0e248120ac0775d1403d64261ba5c8
Instruction ID: 81f1730f4d526a642bfcee5cc6fe39c4b389179dc46090657c4ca9c9ceb2fa3a
Opcode Fuzzy Hash: 4fbc1b7f021815ff12a25adb8aec7b58ac0e248120ac0775d1403d64261ba5c8
Instruction Fuzzy Hash: 5121503290021EABCF12EFA0CC46EEE7735BF18705F04046BF505660E2D679AA5CDB99

Function 00465569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Part of subcall function 00407A84: _memmove.LIBCMT ref: 00407B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004655D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004655E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004655F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0046560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046561C

Strings

close PlayMe, xrefs: 004655E3, 00465610
open , xrefs: 00465581
status PlayMe mode, xrefs: 004655CD
alias PlayMe, xrefs: 004655AB
play PlayMe wait, xrefs: 00465606
play PlayMe, xrefs: 00465617

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 3e5227434511b5dd445ad3b23fb2e73c6086b33e04e40d6c608ad2691cebad84
Instruction ID: 68fb84bb15ae9a695f4df20fb78c4172828bcb64e514a9d34bf5732b9d8ca5cc
Opcode Fuzzy Hash: 3e5227434511b5dd445ad3b23fb2e73c6086b33e04e40d6c608ad2691cebad84
Instruction Fuzzy Hash: FB119030A6016979D720B666CC4AEFF7ABCEF95B04F50042BB805A20D1EA781D05C9BA

Function 004648F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0046490E
gethostname.WS2_32(?,00000100), ref: 00464928
gethostbyname.WS2_32(?), ref: 00464935
_wcscpy.LIBCMT ref: 0046495D
_memmove.LIBCMT ref: 00464970
inet_ntoa.WS2_32(?), ref: 0046497B
_strcat.LIBCMT ref: 00464989
_wcscpy.LIBCMT ref: 004649A0
WSACleanup.WS2_32 ref: 004649AE
_wcscpy.LIBCMT ref: 004649BC

Strings

0.0.0.0, xrefs: 00464957

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 3e644901dee28f1f78e9cc2e3f0c9b527e20158314d878990267789537b01a74
Instruction ID: a415c47feca9f18ccc9aca6889e14e15c95de93dcf3fd0710918b8717f4bba87
Opcode Fuzzy Hash: 3e644901dee28f1f78e9cc2e3f0c9b527e20158314d878990267789537b01a74
Instruction Fuzzy Hash: FE110571A04124ABDB20AB34AD06EDF77ACDF40714F1001BBF40492191FFB89AC9976A

Function 0043BFF2 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetClientRect.USER32(?), ref: 0043C00B
SendMessageW.USER32(?,00001328,00000000,?), ref: 0043C022
GetWindowDC.USER32(?), ref: 0043C02E
GetPixel.GDI32(00000000,?,?), ref: 0043C03D
ReleaseDC.USER32(?,00000000), ref: 0043C04F
GetSysColor.USER32(00000005), ref: 0043C06D

Strings

@U=u, xrefs: 0043C022

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID: @U=u
API String ID: 3430376129-2594219639
Opcode ID: 1bf2c63732afe56eb40a90f078efa9d7f02239ddb0671fcfb63c7c23008006c8
Instruction ID: 802d89892a32490a02705165823103a0381fc92a3b0e4948cdb48aeb982ddee2
Opcode Fuzzy Hash: 1bf2c63732afe56eb40a90f078efa9d7f02239ddb0671fcfb63c7c23008006c8
Instruction Fuzzy Hash: E2218C31100200EFDB216FA4EC4CBAE7B71EB08321F10467AFA25A51E2CB310956EF15

Function 0046D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

CoInitialize.OLE32(00000000), ref: 0046D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0046D8FC
CoCreateInstance.COMBASE(00492D7C,00000000,00000001,004BA89C,?), ref: 0046D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D9B7
CoTaskMemFree.COMBASE(?), ref: 0046DA0F
_memset.LIBCMT ref: 0046DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0046DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046DAAB
CoTaskMemFree.COMBASE(00000000), ref: 0046DAB2
CoTaskMemFree.COMBASE(00000000), ref: 0046DAE9
CoUninitialize.COMBASE ref: 0046DAEB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 54b2470f0bf5c68a0de3bcb23eb209c6bd3dad5c62117cea7b7a5abf44c7abbd
Instruction ID: e15dc4ec29765f5d13c7e8e8e870c09580055c4dc4ade826e40e2e41e7fdb704
Opcode Fuzzy Hash: 54b2470f0bf5c68a0de3bcb23eb209c6bd3dad5c62117cea7b7a5abf44c7abbd
Instruction Fuzzy Hash: ECB11C75A00108AFDB04DFA5C888DAEBBF9FF48304B14846AF805EB261DB34ED45CB55

Function 0046052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004605A7
SetKeyboardState.USER32(?), ref: 00460612
GetAsyncKeyState.USER32(000000A0), ref: 00460632
GetKeyState.USER32(000000A0), ref: 00460649
GetAsyncKeyState.USER32(000000A1), ref: 00460678
GetKeyState.USER32(000000A1), ref: 00460689
GetAsyncKeyState.USER32(00000011), ref: 004606B5
GetKeyState.USER32(00000011), ref: 004606C3
GetAsyncKeyState.USER32(00000012), ref: 004606EC
GetKeyState.USER32(00000012), ref: 004606FA
GetAsyncKeyState.USER32(0000005B), ref: 00460723
GetKeyState.USER32(0000005B), ref: 00460731

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction ID: d70e1bade3edcafa3224126adcd65a49494c39be54c13286bda3ce7ebf6ec1a5
Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction Fuzzy Hash: F551AA60A0479429FB35DBA084557EBAFB49F11380F08459F95C2572C2FA5C9A8CCB5B

Function 0045C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0045C746
GetWindowRect.USER32(00000000,?), ref: 0045C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C7B6
GetDlgItem.USER32(?,00000002), ref: 0045C7C1
GetWindowRect.USER32(00000000,?), ref: 0045C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C827
GetDlgItem.USER32(?,000003E9), ref: 0045C835
GetWindowRect.USER32(00000000,?), ref: 0045C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C889
GetDlgItem.USER32(?,000003EA), ref: 0045C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0045C8C1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction ID: 20628bd5887914f4131c215851d3afbb63228a24f6148e02c9e6462ef7cb0285
Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction Fuzzy Hash: 54517171B00205AFDB08DFA8DD89AAEBBB6EB88311F14853DF915E7291D7709D04CB14

Function 004021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9bab39a7b058799e73335b840fbde69c808da43099dfa5b55a8570615694d643
Instruction ID: 47503e6e8c25a14c6d04473920290e3c3a9e3a2f6008e0ea463bb1cae73e411f
Opcode Fuzzy Hash: 9bab39a7b058799e73335b840fbde69c808da43099dfa5b55a8570615694d643
Instruction Fuzzy Hash: FD41D731000140AFDF215FA8DC8CBBA3765EB46331F1446BAFD65AA2E2C7758C86DB59

Function 0046AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0048F910), ref: 0046AB76
GetDriveTypeW.KERNEL32(00000061,004BA620,00000061), ref: 0046AC40
_wcscpy.LIBCMT ref: 0046AC6A

Strings

fixed, xrefs: 0046ABBE
unknown, xrefs: 0046AC01
network, xrefs: 0046ABD4
ramdisk, xrefs: 0046ABEA
all, xrefs: 0046AB7C
removable, xrefs: 0046ABA8
cdrom, xrefs: 0046AB92

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: efd3e1026f26f02111e7aa282294708b87f2baba37ddcc78d45ee78ddc71ed50
Instruction ID: 2da2c5fdb05bccb69e07a9cf036721a3c430aae2bfda7f725a790937263b16ab
Opcode Fuzzy Hash: efd3e1026f26f02111e7aa282294708b87f2baba37ddcc78d45ee78ddc71ed50
Instruction Fuzzy Hash: 3D51A1302183019BC710EF15C881AAFB7A5EF85708F54482FF585672E2EB39ED19CA5B

Function 004888B4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0048896E

Strings

@U=u, xrefs: 004889A4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: f8c253ed3f5debe85a30db7477fc5ac9d963030d4e22c30ee24a0a38521f88fc
Instruction ID: ce3ba57332302dd11e88512b1cb2c7dfa5fb76f3510afc4bef344cccc543630f
Opcode Fuzzy Hash: f8c253ed3f5debe85a30db7477fc5ac9d963030d4e22c30ee24a0a38521f88fc
Instruction Fuzzy Hash: A551B530500208BFEF24BF25CC89B6E7B65BB04314FA0492FF515E62E1DF79A9809B59

Function 00402B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C5C0
DestroyCursor.USER32(00000000), ref: 0043C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C5EC
DestroyCursor.USER32(?), ref: 0043C5FB

Part of subcall function 0048A71E: DeleteObject.GDI32(00000000), ref: 0048A757

Strings

@U=u, xrefs: 0043C5C0, 0043C5EC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2975913752-2594219639
Opcode ID: 7ecd359ed3afe08731aa1ed71b6d51185044adc3294aa47f14539e2d842eaf87
Instruction ID: ec079f4291a2db88e8ca5db72d3a048905e4d4933e17b5c0ba9f28e8cd77e0c5
Opcode Fuzzy Hash: 7ecd359ed3afe08731aa1ed71b6d51185044adc3294aa47f14539e2d842eaf87
Instruction Fuzzy Hash: 90515C74600205AFDB24DF25CD89FAA37B5EB58710F10452EF902A72D0DBB8ED91DB68

Function 00409997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004099C2
__swprintf.LIBCMT ref: 00409A0C
__i64tow.LIBCMT ref: 0043FA0F

Strings

True, xrefs: 0043F9D0
%.15g, xrefs: 00409A06
False, xrefs: 0043F9D7
0x%p, xrefs: 0043F9F1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 3f5488ad3a946cab8c056db5eb318d354419bc3af618c4ea88005c1c2f23587b
Instruction ID: cdd8dc89b9c74c658104cf0a760322e4f13a95bb5b846f9aebd24ca3b9163d03
Opcode Fuzzy Hash: 3f5488ad3a946cab8c056db5eb318d354419bc3af618c4ea88005c1c2f23587b
Instruction Fuzzy Hash: DE41D5B1A04219AADB24DF35D841F7773E8EF48304F20447FE549E63D2EA799D428B1A

Function 004873C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004873D9
CreateMenu.USER32 ref: 004873F4
SetMenu.USER32(?,00000000), ref: 00487403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487490
IsMenu.USER32(?), ref: 004874A6
CreatePopupMenu.USER32 ref: 004874B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004874DD
DrawMenuBar.USER32 ref: 004874E5

Strings

0, xrefs: 004873CF
F, xrefs: 004874D1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 52c22e23c74f252828f5091ec4f41fccbfb650d377574ec2eca5ca95968dfe7a
Instruction ID: 469fb1be4590f9541f2c80e88f17ef0f5a107e94f682755a56fb5537772b2935
Opcode Fuzzy Hash: 52c22e23c74f252828f5091ec4f41fccbfb650d377574ec2eca5ca95968dfe7a
Instruction Fuzzy Hash: 08415874A01205EFDB10EF64D898E9EBBB9FF49300F24482AED55A7361D734A914CF68

Function 00459471 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004594F6
GetDlgCtrlID.USER32 ref: 00459501
GetParent.USER32 ref: 0045951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00459520
GetDlgCtrlID.USER32(?), ref: 00459529
GetParent.USER32(?), ref: 00459545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459548

Strings

ComboBox, xrefs: 0045947E
@U=u, xrefs: 00459548
ListBox, xrefs: 004594B3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: ef76021f4fde65a738972719661853881b04a9d1098b5ded40d95d14f864c687
Instruction ID: 5a15aa317080d2b3577eb6715e6aca48c40ccb9cf262568b84f0d4fa34887e47
Opcode Fuzzy Hash: ef76021f4fde65a738972719661853881b04a9d1098b5ded40d95d14f864c687
Instruction Fuzzy Hash: 2321C771900108BBCF059B65CC85DFEB774EF49300F50012AF961672E2EB79591DDB28

Function 0045955C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004595DF
GetDlgCtrlID.USER32 ref: 004595EA
GetParent.USER32 ref: 00459606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00459609
GetDlgCtrlID.USER32(?), ref: 00459612
GetParent.USER32(?), ref: 0045962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459631

Strings

ComboBox, xrefs: 00459569
@U=u, xrefs: 00459631
ListBox, xrefs: 0045959E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 6535b28d1be099d66d1a712b2491b750d6f0d9110751bd2d84ecfc6d9596f943
Instruction ID: fb1d478c1ab3bfee17ee4a3591baa8024a25a188b4548720a9553176f8a39507
Opcode Fuzzy Hash: 6535b28d1be099d66d1a712b2491b750d6f0d9110751bd2d84ecfc6d9596f943
Instruction Fuzzy Hash: AC21CB75940108BBDF019B61CC85EFEB778EF48300F50012AF911A72E2EB79591EDB28

Function 00459645 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00459651
GetClassNameW.USER32(00000000,?,00000100), ref: 00459666
_wcscmp.LIBCMT ref: 00459678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004596F3

Strings

details, xrefs: 004596A1
largeicons, xrefs: 00459687
SHELLDLL_DefView, xrefs: 00459672
list, xrefs: 004596D5
@U=u, xrefs: 004596F3
smallicons, xrefs: 004596BB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 8da25be9963f5362c8281a606c59e80aff7d3ba0eb6a1818d155a44e7ff51480
Instruction ID: bc076bbec5daa4fa657486baf201fb4d95d262ba898abc0a63e9505c33c1a26c
Opcode Fuzzy Hash: 8da25be9963f5362c8281a606c59e80aff7d3ba0eb6a1818d155a44e7ff51480
Instruction Fuzzy Hash: AB110D77284317FAF6112A21EC06DE7779C8B05366F30012BFE00A51D2FE5D5D19565C

Function 00403A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403A62
LoadCursorW.USER32(00000000,00007F00), ref: 00403A71
LoadIconW.USER32(00000063), ref: 00403A88
LoadIconW.USER32(000000A4), ref: 00403A9A
LoadIconW.USER32(000000A2), ref: 00403AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AD2
RegisterClassExW.USER32(?), ref: 00403B28

Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
Part of subcall function 00403041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004030AF
Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2

Strings

0, xrefs: 00403B06
#, xrefs: 00403B0D
AutoIt v3, xrefs: 00403B17

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 552b902710933b60bde5b1c9f8a90c0417f278bdc109eab354c750bae9b27ca4
Instruction ID: 978f5407aac4946dfdf5ae0c6a166f51be6983a452a50cf8635c128c9a375653
Opcode Fuzzy Hash: 552b902710933b60bde5b1c9f8a90c0417f278bdc109eab354c750bae9b27ca4
Instruction Fuzzy Hash: 97213975900304AFEB50AFA4EC09F9D7FB4EB08711F01857AE504A62A0D3BA56548F98

Function 00427040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042707B

Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68

__gmtime64_s.LIBCMT ref: 00427114
__gmtime64_s.LIBCMT ref: 0042714A
__gmtime64_s.LIBCMT ref: 00427167
__allrem.LIBCMT ref: 004271BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004271D9
__allrem.LIBCMT ref: 004271F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042720E
__allrem.LIBCMT ref: 00427225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427243
__invoke_watson.LIBCMT ref: 004272B4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 3a5766166ad995f9d080cadeea3a970d97efeda9365c881e9167125cd7ba6949
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: F3711972B04726EBD7149E79DC82B6BB3A4AF14324F54426FF514E6381E778E9008B98

Function 00462A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A31
GetMenuItemInfoW.USER32(004C6890,000000FF,00000000,00000030), ref: 00462A92
SetMenuItemInfoW.USER32(004C6890,00000004,00000000,00000030), ref: 00462AC8
Sleep.KERNEL32(000001F4), ref: 00462ADA
GetMenuItemCount.USER32(?), ref: 00462B1E
GetMenuItemID.USER32(?,00000000), ref: 00462B3A
GetMenuItemID.USER32(?,-00000001), ref: 00462B64
GetMenuItemID.USER32(?,?), ref: 00462BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462C24

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 638b7d30cc1c27bdbe2d4b3278922b6b7190dbed23476bfa5db6d6130c3c592a
Instruction ID: 18a65889ef34665f5b2b5336e4e6eed4a99801a903535dc72d9624464193ca63
Opcode Fuzzy Hash: 638b7d30cc1c27bdbe2d4b3278922b6b7190dbed23476bfa5db6d6130c3c592a
Instruction Fuzzy Hash: 6461D4B0900649BFDB21CF54CE88DBF7BB8EB41704F14446EE841A7251E7B9AD05DB2A

Function 00487192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00487214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00487217
GetWindowLongW.USER32(?,000000F0), ref: 0048723B
_memset.LIBCMT ref: 0048724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0048725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004872D6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7c0549792cb58a85db63f83a94352240f63381d44f9194f46865063892b0a211
Instruction ID: 92033519db1ee425eec29857b32d50f63e453e63508eb3b516053c7f4a854d7f
Opcode Fuzzy Hash: 7c0549792cb58a85db63f83a94352240f63381d44f9194f46865063892b0a211
Instruction Fuzzy Hash: 83618D75900208AFDB10EFA4CC81EEE77F8EF09704F24456AFA14A73A1D774A945DB68

Function 0045710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00457135
SafeArrayAllocData.OLEAUT32(?), ref: 0045718E
VariantInit.OLEAUT32(?), ref: 004571A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 004571C0
VariantCopy.OLEAUT32(?,?), ref: 00457213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00457227
VariantClear.OLEAUT32(?), ref: 0045723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00457249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00457252
VariantClear.OLEAUT32(?), ref: 00457264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0045726F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 94a2adc6563c5264710b055ecbef086df5183bcefbc423f1cd2a25837ac14fec
Instruction ID: ee6ff97d49ab8f9c2dd167b55ca35aa0841007d9f21f2d6d7be11d351e1905ac
Opcode Fuzzy Hash: 94a2adc6563c5264710b055ecbef086df5183bcefbc423f1cd2a25837ac14fec
Instruction Fuzzy Hash: 61416031A00119AFCB00DFA9D8449AEBBB9FF18755F00847EF955E7362CB34A949CB94

Function 004786D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

CoInitialize.OLE32 ref: 00478718
CoUninitialize.COMBASE ref: 00478723
CoCreateInstance.COMBASE(?,00000000,00000017,00492BEC,?), ref: 00478783
IIDFromString.COMBASE(?,?), ref: 004787F6
VariantInit.OLEAUT32(?), ref: 00478890
VariantClear.OLEAUT32(?), ref: 004788F1

Strings

NULL Pointer assignment, xrefs: 004787C8
Invalid parameter, xrefs: 0047880F
Failed to create object, xrefs: 0047878E, 00478844

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f69b67e10be6b8794f283dbbecf7269235d6d9d3c8e13e64fe9fcb4b679b2545
Instruction ID: 83a2d69f67766b6968c6c0da92f2a013d8975f3f82f5255262cd81a9dced9d59
Opcode Fuzzy Hash: f69b67e10be6b8794f283dbbecf7269235d6d9d3c8e13e64fe9fcb4b679b2545
Instruction Fuzzy Hash: ED61B4706443019FD710EF65C848B9BBBE4AF44714F10881EF9899B291DB78ED48CB9B

Function 00402E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00402EAE

Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45

GetDC.USER32 ref: 0043CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CF95
SelectObject.GDI32(00000000,00000000), ref: 0043CFA3
SelectObject.GDI32(00000000,00000000), ref: 0043CFB8
ReleaseDC.USER32(?,00000000), ref: 0043CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043D04B

Strings

U, xrefs: 0043CF20
@U=u, xrefs: 0043CF95

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: ac078e28f3ea691151e5ef7866497dcbf17aee0d19fba673f73f7b4a748de671
Instruction ID: 2191f090442df1d8b75e7b8316c733f380aeebf8947418e196bed5f94657404b
Opcode Fuzzy Hash: ac078e28f3ea691151e5ef7866497dcbf17aee0d19fba673f73f7b4a748de671
Instruction Fuzzy Hash: 9371E030900204DFCF259F64C884AAB3BB6FF48318F14427BED556A2E6C7398842DB69

Function 00475A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00475AA6
inet_addr.WS2_32(?), ref: 00475AEB
gethostbyname.WS2_32(?), ref: 00475AF7
IcmpCreateFile.IPHLPAPI ref: 00475B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00475C00
WSACleanup.WS2_32 ref: 00475C06

Strings

Ping, xrefs: 00475B29

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 80cd69f7e26c5056f8d407801ffec1bb1922090cb0e327fb436240aa22a870fe
Instruction ID: b1956d064655379944453726357a5f8492723158f504fb124a286c6b6697773e
Opcode Fuzzy Hash: 80cd69f7e26c5056f8d407801ffec1bb1922090cb0e327fb436240aa22a870fe
Instruction Fuzzy Hash: 10517D316047009FD710AF25C849B6AB7E4EF48714F14892EF959EB2E1DBB8EC049B4A

Function 0046B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B7B1
GetLastError.KERNEL32 ref: 0046B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0046B828

Strings

INVALID, xrefs: 0046B7FA
READONLY, xrefs: 0046B7F3
READY, xrefs: 0046B801
NOTREADY, xrefs: 0046B7E7
UNKNOWN, xrefs: 0046B7E0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4b757754c60ad99357749791b00aaae8c2aef472f4a75dde55a965c830f896bc
Instruction ID: 6ede0cc1e191cf7e64ce4b8d34fa7c18aa343ebc901c05dbf6b98b02cbe7136c
Opcode Fuzzy Hash: 4b757754c60ad99357749791b00aaae8c2aef472f4a75dde55a965c830f896bc
Instruction Fuzzy Hash: AC31B435A002059FCB10EF64CC85AEEBBB8FF44705F10402BE501E7291EB799D86CB9A

Function 00486442 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0048645A
GetDC.USER32(00000000), ref: 00486462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0048646D
ReleaseDC.USER32(00000000,00000000), ref: 00486479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004864B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004864C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00489299,?,?,000000FF,00000000,?,000000FF,?), ref: 00486500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00486520

Strings

@U=u, xrefs: 004864C6, 00486520

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: a08a4c351fe61229cc76658797f0443f2142c1b396e55029449042c7d66d5f33
Instruction ID: 5c1cc6793609d5e6e0acb9b007d1b286434c541ad31a2caf87ecf1e2a9c9b5d4
Opcode Fuzzy Hash: a08a4c351fe61229cc76658797f0443f2142c1b396e55029449042c7d66d5f33
Instruction Fuzzy Hash: D4319F72201214BFEB109F50DC4AFEB3FA9EF09765F040069FE08AA295D6759C41CB68

Function 00478BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478BEC
CoInitialize.OLE32(00000000), ref: 00478C19
CoUninitialize.COMBASE ref: 00478C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00478D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00478E50
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478E84
CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478EA7
SetErrorMode.KERNEL32(00000000), ref: 00478EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478F3A
VariantClear.OLEAUT32(?), ref: 00478F4A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 54fddc706fddaf7541c4591743543f022392f25ed91f1a4ed9c44c78da9e9bdd
Instruction ID: 22c5d904e23ad896e3453865a061727a73fd10ed6b7a79d4550a4018499a7712
Opcode Fuzzy Hash: 54fddc706fddaf7541c4591743543f022392f25ed91f1a4ed9c44c78da9e9bdd
Instruction Fuzzy Hash: 30C134B1608305AFC700EF25C88896BB7E9BF88348F00896EF589DB251DB75ED05CB56

Function 00467C1A Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00467CF6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: be6f69d038a513a1aa6c41589180e32f6862a8757eef240fe65daae942d4ad4c
Instruction ID: 84cb7d45f9d8793474644a93194044f32f7eba6a2b7a870eb07e14d75927cafd
Opcode Fuzzy Hash: be6f69d038a513a1aa6c41589180e32f6862a8757eef240fe65daae942d4ad4c
Instruction Fuzzy Hash: F2B19071A0421A9FDB10DF94C484BBEB7B4FF08329F24446AE500E7391E7799D45CB9A

Function 004616DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00461700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460778,?,00000001), ref: 00461714
GetWindowThreadProcessId.USER32(00000000), ref: 0046171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460778,?,00000001), ref: 0046172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046173C
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00460778,?,00000001), ref: 00461755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460778,?,00000001), ref: 00461767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460778,?,00000001), ref: 004617AC
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00460778,?,00000001), ref: 004617C1
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00460778,?,00000001), ref: 004617CC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f51c8bfa66544c569d19aaa402eb205ee2878779a81b5281422b9c9027375036
Instruction ID: 25e0562e4a853ce0dffc12f93c3d42453493f01f65cd87b86ec24f904145336b
Opcode Fuzzy Hash: f51c8bfa66544c569d19aaa402eb205ee2878779a81b5281422b9c9027375036
Instruction Fuzzy Hash: 4431B1B5600208BFEB119F15DC84F6A37A9EB15712F14403AF900D63B0EB789D448F5A

Function 0040FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0040FC06
OleUninitialize.OLE32(?,00000000), ref: 0040FCA5
UnregisterHotKey.USER32(?), ref: 0040FDFC
DestroyWindow.USER32(?), ref: 00444A00
FreeLibrary.KERNEL32(?), ref: 00444A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00444A92

Strings

close all, xrefs: 0040FC01

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5a2c5ae0513d21ca36e3ff6d0afaca4401d20b28178c8bbf44a42875671d3b01
Instruction ID: f79c305bce8c495b879b6b3d36d440b666e908b3516d9d6565214aadf1190029
Opcode Fuzzy Hash: 5a2c5ae0513d21ca36e3ff6d0afaca4401d20b28178c8bbf44a42875671d3b01
Instruction Fuzzy Hash: 2BA160307012128FDB29EF15C495B6AF764BF44704F5442BEE80A7B692DB38AD1ACF58

Function 0045A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0045AA64), ref: 0045A9A2

Strings

TEXT, xrefs: 0045A8D9
CLASS, xrefs: 0045A721
NAME, xrefs: 0045A7D4
INSTANCE, xrefs: 0045A8B0
REGEXPCLASS, xrefs: 0045A767
CLASSNN, xrefs: 0045A744

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 32728ffa9addecceeba4514f55319b673c12798ade7192570a046949d5b15eb1
Instruction ID: fef9e380a92afd939488e92735a90e3e03dac4f82d76b1b1da84a970d37b0683
Opcode Fuzzy Hash: 32728ffa9addecceeba4514f55319b673c12798ade7192570a046949d5b15eb1
Instruction Fuzzy Hash: 0491A870A005169BDB08DF61C441BEAF774BF04305F50861BDD99A7243DF38696ECBA9

Function 0048B60B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(03618048), ref: 0048B6A5
IsWindowEnabled.USER32(03618048), ref: 0048B6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048B795
SendMessageW.USER32(03618048,000000B0,?,?), ref: 0048B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0048B809
GetWindowLongW.USER32(03618048,000000EC), ref: 0048B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B843

Strings

@U=u, xrefs: 0048B795, 0048B7CC, 0048B843

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 379febfe82af407e3ec2b46d0c3f80398ccf57a829b4271ee30fc920eb6d15d3
Instruction ID: a7d0881697c90ebb8ac62a69b5506f8dd5c31139f9226510073890e22dad6404
Opcode Fuzzy Hash: 379febfe82af407e3ec2b46d0c3f80398ccf57a829b4271ee30fc920eb6d15d3
Instruction Fuzzy Hash: 3A719034600304AFDB20AF64C894FAE7BB9FF49300F15486EE945A7361D739A841DB9D

Function 00486FEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00487093
SendMessageW.USER32(?,00001036,00000000,?), ref: 004870A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004870C1
_wcscat.LIBCMT ref: 0048711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00487133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00487161

Strings

@U=u, xrefs: 00487093, 004870A7
SysListView32, xrefs: 00487065

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: b94ec508bdbd92bfc77db7aa8df4161c5d4b177e6850a474fd890b0e84a73c7f
Instruction ID: 8d96cf30731f9aac7b823901c9e083a04a5181feac03be769610aafeab0db2a7
Opcode Fuzzy Hash: b94ec508bdbd92bfc77db7aa8df4161c5d4b177e6850a474fd890b0e84a73c7f
Instruction Fuzzy Hash: 7541B371904308AFDB21AF64CC85BEF77A8EF08354F20092BF544A7292D679DD858B68

Function 00471D09 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00471D44
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00471D70
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00471DB2
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00471DC7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00471DD4
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00471E04
InternetCloseHandle.WININET(00000000), ref: 00471E4B

Part of subcall function 00472777: GetLastError.KERNEL32(?,?,00471B0B,00000000,00000000,00000001), ref: 0047278C
Part of subcall function 00472777: SetEvent.KERNEL32(?,?,00471B0B,00000000,00000000,00000001), ref: 004727A1

Strings

, xrefs: 00471DF5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: b713467dc056d9eb154500fb7af8b8fa664fdc267d4d6522c90bb8bd08f7e9fd
Instruction ID: 61d1ea1969ee6f911ea670744eafb4442b20f37dd9da7051090410b60b263f51
Opcode Fuzzy Hash: b713467dc056d9eb154500fb7af8b8fa664fdc267d4d6522c90bb8bd08f7e9fd
Instruction Fuzzy Hash: A8414DB1500218BFEB129F54CC85FFF77ACEF08754F00812AF9099A251D7789D449BA9

Function 0048653C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0048655B
GetWindowLongW.USER32(03618048,000000F0), ref: 0048658E
GetWindowLongW.USER32(03618048,000000F0), ref: 004865C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004865F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0048661F
GetWindowLongW.USER32(?,000000F0), ref: 00486630
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0048664A

Strings

@U=u, xrefs: 0048655B, 004865F5, 0048661F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 7e8e3cbf37106a76f055c8366b844854849938a8df03b0c0084bc4c9dc5da368
Instruction ID: 885ea9d2648f7cf39bc3bf26eacc0d8c5cfc621d480c2aaf8e3cde1e4b1c4fac
Opcode Fuzzy Hash: 7e8e3cbf37106a76f055c8366b844854849938a8df03b0c0084bc4c9dc5da368
Instruction Fuzzy Hash: 65313430601150AFDB60EF18EC84F6A37E1FB4A310F1A4579F5019B2B5CB35AC44DB59

Function 00403015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 75registrywindowclipboardCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004030AF
LoadIconW.USER32(000000A9), ref: 004030F2

Strings

AutoIt v3 GUI, xrefs: 00403090
0, xrefs: 00403056
TaskbarCreated, xrefs: 004030A4
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
Instruction ID: 979edb967f183c55e8c669bfc31fc45122444ef7f147c2a4b30f384e98b85c10
Opcode Fuzzy Hash: b32fe6db03ccba481f670429e5c7b523f4edffb20c87d4c464e52b45bc5e04fc
Instruction Fuzzy Hash: 043149B1941304EFEB40DFA4D884ADDBBF4FB09310F14856EE941EA2A1D3B54545CFA9

Function 00403041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54registrywindowclipboardCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004030AF
LoadIconW.USER32(000000A9), ref: 004030F2

Strings

AutoIt v3 GUI, xrefs: 00403090
0, xrefs: 00403056
TaskbarCreated, xrefs: 004030A4
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
Instruction ID: 0e09ac2d9919322b342d86481b19008a338d121ad3b6117744e7067feae746c8
Opcode Fuzzy Hash: f316edc5448d5b1c0adbc22ddb0f2bed62490a930fea9617621b6011003a6786
Instruction Fuzzy Hash: 4021C9B1911218AFEB40EF94EC49B9DBBF4FB08710F10853AF511A62A0D7B545448FA9

Function 00478F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 0047903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00479071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004791EB
SysFreeString.OLEAUT32(?), ref: 00479215

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: b04b0867597dee5a9e4bc7ed899de829a492c47d6f4e073cd839085c3a2da284
Instruction ID: d823893b77008293a877efc66923c6ca52dd90e804d3cf8965e8a59a88dd0146
Opcode Fuzzy Hash: b04b0867597dee5a9e4bc7ed899de829a492c47d6f4e073cd839085c3a2da284
Instruction Fuzzy Hash: 88F13B71A00109EFDB14DFA4C888EEEB7B9FF49314F10845AF919AB291CB35AD46CB54

Function 0047F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FD90
CloseHandle.KERNEL32(?), ref: 0047FDBF
CloseHandle.KERNEL32(?), ref: 0047FE36

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a5f3824007a749503b6a5a7f5eb81d22f19f1f7e4c72bff90bd02658152d74ed
Instruction ID: 1b9b8e5a807dcbe041a314dc5fa2e233be69bb52cf2b98a2e3215593ab0b3364
Opcode Fuzzy Hash: a5f3824007a749503b6a5a7f5eb81d22f19f1f7e4c72bff90bd02658152d74ed
Instruction Fuzzy Hash: E5E1A5312043419FC714EF25C491AABBBE1BF44314F14846EF8999B3A2DB39EC49CB5A

Function 0040201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32(00000000), ref: 0043BEF6
DeleteObject.GDI32(00000000), ref: 0043BF6C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
Instruction ID: 62d4407ef01395a22b5ebf1233624f5b0999fc02156c59d6ff76a6043205edb2
Opcode Fuzzy Hash: 78cac20c66e0e6767138dba4ab7aa47be9ee332057a729cfcb45c06255a83930
Instruction Fuzzy Hash: 55616B34101610DFD725AF14CE48B2A77F1FF44315F11993EE642A6AE0C7B9A881DF99

Function 00464F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004638D3,?), ref: 004648C7

Part of subcall function 004648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004638D3,?), ref: 004648E0

Part of subcall function 00464CD3: GetFileAttributesW.KERNEL32(?,00463947), ref: 00464CD4

lstrcmpiW.KERNEL32(?,?), ref: 00464FE2
_wcscmp.LIBCMT ref: 00464FFC
MoveFileW.KERNEL32(?,?), ref: 00465017

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ba19efe675873d0c81a9ddd57d43b08cfe129d5363b37745d707531d05513a48
Instruction ID: f050894fd79aefba046d74577e9ad0e0fc5ef4e0dd1a82c25b782c5c6cd9f269
Opcode Fuzzy Hash: ba19efe675873d0c81a9ddd57d43b08cfe129d5363b37745d707531d05513a48
Instruction Fuzzy Hash: FE5164B25087859BC724EB60D8819DFB3ECAF85305F40492FB589D3191EF78A588876B

Function 00459B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045AE77
Part of subcall function 0045AE57: GetCurrentThreadId.KERNEL32 ref: 0045AE7E
Part of subcall function 0045AE57: AttachThreadInput.USER32(00000000,?,00459B65,?,00000001), ref: 0045AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00459B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00459B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00459B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00459B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00459BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00459BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00459BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00459BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00459BDD

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 186f5a4a339b244dea2483338f7b71a3368c4d65e5ecd7b2cf0cf16f5cfcc7d8
Instruction ID: 1060ee3db04237a4cc3f6e3244fd23507871b35e4bea80529f675733977b5495
Opcode Fuzzy Hash: 186f5a4a339b244dea2483338f7b71a3368c4d65e5ecd7b2cf0cf16f5cfcc7d8
Instruction Fuzzy Hash: EA112571550608BEF6102B20DC8EF6E3B1CEB0C755F100829F604AB0A1CAF26C10DBA8

Function 00458E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00458A84,00000B00,?,?), ref: 00458E0C
RtlAllocateHeap.NTDLL(00000000,?,00458A84), ref: 00458E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00458A84,00000B00,?,?), ref: 00458E28
GetCurrentProcess.KERNEL32(?,00000000,?,00458A84,00000B00,?,?), ref: 00458E30
DuplicateHandle.KERNEL32(00000000,?,00458A84,00000B00,?,?), ref: 00458E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00458A84,00000B00,?,?), ref: 00458E43
GetCurrentProcess.KERNEL32(00458A84,00000000,?,00458A84,00000B00,?,?), ref: 00458E4B
DuplicateHandle.KERNEL32(00000000,?,00458A84,00000B00,?,?), ref: 00458E4E
CreateThread.KERNEL32(00000000,00000000,00458E74,00000000,00000000,00000000), ref: 00458E68

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: f61be43bb8a549cd9dad831aeb1a4a8effc801e856b1440697cddf08235fc6c0
Instruction ID: 70dccc8d23a24c8ac5b2d36c23d1fc0ed308eed34d74bf8a4b11e0e697da6625
Opcode Fuzzy Hash: f61be43bb8a549cd9dad831aeb1a4a8effc801e856b1440697cddf08235fc6c0
Instruction Fuzzy Hash: 8E01BBB5240348FFE710ABA5DC8DF6B3BACEB89711F104825FA05DB1A1CA759C14CB24

Function 00479E38 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00479EB9, 0047A1DD
Not an Object type, xrefs: 00479E90

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: cf2b23464b3f83508b1fce19c609b5c17108c686b64e863799598979a0c5ac5a
Instruction ID: d1c791fb0e6f22c0c68d958e545617c08fe4ee677592400c8048375e82c93b3c
Opcode Fuzzy Hash: cf2b23464b3f83508b1fce19c609b5c17108c686b64e863799598979a0c5ac5a
Instruction Fuzzy Hash: E1C1A071A0020A9FDF10CF68C884BEEB7B5FB88314F54846AE909EB381E7789D55CB55

Function 00479428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047947C
VariantInit.OLEAUT32(?), ref: 0047954D
VariantInit.OLEAUT32(?), ref: 0047964E
VariantClear.OLEAUT32(?), ref: 00479658
VariantClear.OLEAUT32(?), ref: 004796B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00479631
Null Object assignment in FOR..IN loop, xrefs: 004794DD, 0047960B, 004796C3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 4013e02310124dc19a24c960c86c17278dc50ef420e9ab73daa2bbda93c8a083
Instruction ID: fcebb0c40d61f867c18811628665e3ff882c4d71f35d8502a0dec60dd81a9e36
Opcode Fuzzy Hash: 4013e02310124dc19a24c960c86c17278dc50ef420e9ab73daa2bbda93c8a083
Instruction Fuzzy Hash: 2791AD71A00215ABCF24DFA5C844FEFBBB8EF45714F10851AE519AB280D778AD05CFA8

Function 00479A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00457652: CLSIDFromProgID.COMBASE ref: 0045766F
Part of subcall function 00457652: ProgIDFromCLSID.COMBASE(?,00000000), ref: 0045768A
Part of subcall function 00457652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
Part of subcall function 00457652: CoTaskMemFree.COMBASE(00000000), ref: 004576A8

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00479B1B
_memset.LIBCMT ref: 00479B28
_memset.LIBCMT ref: 00479C6B
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00479C97
CoTaskMemFree.COMBASE(?), ref: 00479CA2

Strings

NULL Pointer assignment, xrefs: 00479CF0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: cd0c4945cab944238e38c4269edd6285e479b187d3e7b43d85f4390cb4b6e855
Instruction ID: 2d6b15105bf64f0131cde1211130cdd8d67b212e7fca3fe919add89d64974377
Opcode Fuzzy Hash: cd0c4945cab944238e38c4269edd6285e479b187d3e7b43d85f4390cb4b6e855
Instruction Fuzzy Hash: FF913A71D00219ABDF10DFA5DC80EDEBBB9EF08714F20816AF519A7281DB746A45CFA4

Function 0047EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00463E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
Part of subcall function 00463E91: Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
Part of subcall function 00463E91: CloseHandle.KERNEL32(00000000), ref: 00463F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047ECB8
GetLastError.KERNEL32 ref: 0047ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047ED77
GetLastError.KERNEL32(00000000), ref: 0047ED82
CloseHandle.KERNEL32(00000000), ref: 0047EDB7

Strings

SeDebugPrivilege, xrefs: 0047ECD6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d210f5fba0b77d67c3e10e65e148b4b3e5ca715f1fd353a27fcbe2172b4d1d1e
Instruction ID: 4cf0eb32de62198d0c9cb5bf7051436c97b1413fca3c9407eb77a24df7e76fd2
Opcode Fuzzy Hash: d210f5fba0b77d67c3e10e65e148b4b3e5ca715f1fd353a27fcbe2172b4d1d1e
Instruction Fuzzy Hash: 364180712002019FD724EF15CC95FAEB7A5AF44718F04846EF8469B2C2DB79AC09CB9A

Function 0048B958 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C67B0,00000000,03618048,?,?,004C67B0,?,0048B862,?,?), ref: 0048B9CC
EnableWindow.USER32(?,00000000), ref: 0048B9F0
ShowWindow.USER32(004C67B0,00000000,03618048,?,?,004C67B0,?,0048B862,?,?), ref: 0048BA50
ShowWindow.USER32(?,00000004,?,0048B862,?,?), ref: 0048BA62
EnableWindow.USER32(?,00000001), ref: 0048BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048BAA9

Strings

@U=u, xrefs: 0048BAA9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction ID: 4bbfffa5aca34bc284a6f875752b5b7a56a0dd7a11c68d007de5de2d50af2dcc
Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction Fuzzy Hash: 6E416470600241EFDB25DF14C489B9A7BE0FF05314F1846BAEE589F3A2C735A84ADB95

Function 00463226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004632C5

Strings

warning, xrefs: 004632AE
stop, xrefs: 00463296
info, xrefs: 00463266
question, xrefs: 0046327E
blank, xrefs: 00463247

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
Instruction ID: bd39f8208ce013f69ee2957a59db9678c91d00ade58264490e67fb22ecbd3877
Opcode Fuzzy Hash: 77fe609f7d7df2f5dc9ffe3ad1bea5ae7a1829eac4f59a579a3ff1f305724edc
Instruction Fuzzy Hash: F41138313083967AA7015E55EC62DABB3ACDF19766F2000ABF40056281F67D5B1106BF

Function 00404FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00404FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404EEE,?,?,00000000,00000000), ref: 00405010
LoadResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD60
SizeofResource.KERNEL32(?,00000000,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F), ref: 0043DD75
LockResource.KERNEL32(N@,?,?,00404EEE,?,?,00000000,00000000,?,?,?,?,?,?,00404F8F,00000000), ref: 0043DD88

Strings

N@, xrefs: 0043DD85
SCRIPT, xrefs: 00405006

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N@
API String ID: 3051347437-2499734412
Opcode ID: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
Instruction ID: 67856c902de3f53bc3f8eb18af461e19ea0094fb9f07ee8290f0089f1c16aac3
Opcode Fuzzy Hash: 5ec92892c76f8d1a0b25561ef3fd13e1900f32b078569a65020aaf11a3c9a4ea
Instruction Fuzzy Hash: 33115A75200700AFD7218B65EC58F6B7BB9EBC9B11F20457DF406D62A0DB72E8048A69

Function 00464534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0046454E
LoadStringW.USER32(00000000), ref: 00464555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046456B
LoadStringW.USER32(00000000), ref: 00464572
_wprintf.LIBCMT ref: 00464598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004645B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00464593

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: cf1f71f02d618412e5e4011ee75cbf7dd1c2efdd86ab7fdc5ff900bbdf96f69c
Instruction ID: 26d6b9379a34e5b6735d9e290e406bfe10dd0a5cb8e1345d55a1fd9b07754018
Opcode Fuzzy Hash: cf1f71f02d618412e5e4011ee75cbf7dd1c2efdd86ab7fdc5ff900bbdf96f69c
Instruction Fuzzy Hash: 2F0167F2500208BFE750A790DD89EEB776CEB08301F5009BABB45E2051E6789E894B79

Function 0047FF9C Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 004810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00480038,?,?), ref: 004810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480079

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 04c4ee905d970194be813c8c4484ab6fc3a08ddc9a4af4784202f2bd280ce2d5
Instruction ID: 7b90789ad95a70882a2795d98a9191818ca36fbb588b3d08be409243f7b0ea78
Opcode Fuzzy Hash: 04c4ee905d970194be813c8c4484ab6fc3a08ddc9a4af4784202f2bd280ce2d5
Instruction Fuzzy Hash: 8EA1A1302142019FCB10EF15C885B6EB7E5EF85318F14882EF89697292DB79ED49CF4A

Function 00402A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 0043C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C417,00000004,00000000,00000000,00000000), ref: 0043C4D6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cc9363aabae7086835388f6fac964adb9b6e6a44cb4f9c66e83ace92c37c9c99
Instruction ID: 8b6c8ed304f0763f3ef54d0254f4868818f2511668e6adff05f7a0ccbdd179e1
Opcode Fuzzy Hash: cc9363aabae7086835388f6fac964adb9b6e6a44cb4f9c66e83ace92c37c9c99
Instruction Fuzzy Hash: 7E41DC307046809ADB754B288EDC67B7B91AB95314F14883FE046B66E0CABDA846DB1D

Function 00467368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0046737F

Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004673B6
RtlEnterCriticalSection.NTDLL(?), ref: 004673D2
_memmove.LIBCMT ref: 00467420
_memmove.LIBCMT ref: 0046743D
RtlLeaveCriticalSection.NTDLL(?), ref: 0046744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00467461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00467480

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a93959b5eab6d66bd816ed57b65c3f2f3041b6f2f9c1d1e2b51b4be0591b1caa
Instruction ID: 65819b3e7115d32fcddc7406d2ba819fbe47c506c600941c259629cf32f05e9e
Opcode Fuzzy Hash: a93959b5eab6d66bd816ed57b65c3f2f3041b6f2f9c1d1e2b51b4be0591b1caa
Instruction Fuzzy Hash: EF31F231A00205EBCF10DF55DC89AAF7BB8EF44300B1441BAF900AB246DB749E14CBA8

Function 0045C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0045C087
_memcmp.LIBCMT ref: 0045C0A9
_memcmp.LIBCMT ref: 0045C0C1
_memcmp.LIBCMT ref: 0045C0D4
_memcmp.LIBCMT ref: 0045C0EE
_memcmp.LIBCMT ref: 0045C101
_memcmp.LIBCMT ref: 0045C119
_memcmp.LIBCMT ref: 0045C134

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 67c4006fc8fa138b32c55a7ddf4fbe61174b86215d9d9baf03c2bef74c4d5b06
Instruction ID: 8f6e91b1e4720ecad257f2cf2dc14f3fbb0a29693890e67cd3f0965bf550c4ac
Opcode Fuzzy Hash: 67c4006fc8fa138b32c55a7ddf4fbe61174b86215d9d9baf03c2bef74c4d5b06
Instruction Fuzzy Hash: 58214561700315BFD610A5229D86FAF279CAF2079AB140027FE05867D3E75CDD1986AE

Function 00401424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
Instruction ID: 504086b8ac0d12f7a80c9a28070c24604f60f8592932f63d6c8978218f7d0df9
Opcode Fuzzy Hash: 09c15824ac63a65c0734988e0de1478892bca8845b386477e243a1c01ae4827c
Instruction Fuzzy Hash: CF718170900109EFCB04DF94CC84EBFBB74FF85314F10816AF915AA2A1C738AA11CBA9

Function 0047F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F75C
_memset.LIBCMT ref: 0047F825
ShellExecuteExW.SHELL32(?), ref: 0047F86A

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9

GetProcessId.KERNEL32(00000000), ref: 0047F8E1
CloseHandle.KERNEL32(00000000), ref: 0047F910

Strings

@, xrefs: 0047F839

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3401e9a6f71de25120dcd5da19c74f843eaac24a4f681f06644c7158455fb10e
Instruction ID: 1ebb2d383b77566c64692166f8b5d4dc5c82307fe06e73241e304cbf50fef34f
Opcode Fuzzy Hash: 3401e9a6f71de25120dcd5da19c74f843eaac24a4f681f06644c7158455fb10e
Instruction Fuzzy Hash: 0061A0B4A00619DFCB14EF55C5809AEBBB4FF48314B15846EE849BB391CB38AD44CF98

Function 0046145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0046149C
GetKeyboardState.USER32(?), ref: 004614B1
SetKeyboardState.USER32(?), ref: 00461512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 004615A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004615C8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction ID: 1ad2f9c427477234de6172a5734c88337e52b537abe48fa8ba5ad4ac1d5a2b9b
Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction Fuzzy Hash: A451F4A0A043D53EFB324634CC45BBBBEA95B46304F0C848FE1D6569E2E69CDC84D75A

Function 00461276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004612B5
GetKeyboardState.USER32(?), ref: 004612CA
SetKeyboardState.USER32(?), ref: 0046132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00461357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00461374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004613B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004613D9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction ID: b99961755fe5fc4aaf7fc08d4f592ff79c76eb46e067809845c5d5ed139ad427
Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction Fuzzy Hash: 625114A09043C53DFB3282248C41B7B7FA95B06304F0C448BE4D596AE2F798ACC8D75A

Function 0046589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004658AC
_wcsncpy.LIBCMT ref: 004658E1
_wcsncpy.LIBCMT ref: 00465913
_wcsncpy.LIBCMT ref: 00465946
_wcsncpy.LIBCMT ref: 00465988
_wcsncpy.LIBCMT ref: 004659C2
_wcsncpy.LIBCMT ref: 004659F1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
Instruction ID: 239261fae8d9192360add67fc14eaad88e6f5f5f9fe45dd7678ebb12787c5eaa
Opcode Fuzzy Hash: 7a73a9d8b045da8df5336bb66c02e39a5d5c0cabf30c4969930a264d4c6a1f2d
Instruction Fuzzy Hash: 514193A5D2012476CB10EBB598869CFB3A89F45710F90885BE518E3111F638E754C7AE

Function 0048A2C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0048A3BE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: f3053dfce972360621ebc067b93fae9a4803b235720fd213c609bc488b71fb7e
Instruction ID: 27f25d5971d4d65c6ff1b26a422dd0493a54250996370e31a1df588395131043
Opcode Fuzzy Hash: f3053dfce972360621ebc067b93fae9a4803b235720fd213c609bc488b71fb7e
Instruction Fuzzy Hash: EF41E335901104AFE710FB28CC48FAEBBA4EB09310F154977EC15A72E1D7B89D61DB5A

Function 004638AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004648AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004638D3,?), ref: 004648C7

Part of subcall function 004648AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004638D3,?), ref: 004648E0

lstrcmpiW.KERNEL32(?,?), ref: 004638F3
_wcscmp.LIBCMT ref: 0046390F
MoveFileW.KERNEL32(?,?), ref: 00463927
_wcscat.LIBCMT ref: 0046396F
SHFileOperationW.SHELL32(?), ref: 004639DB

Strings

\*.*, xrefs: 00463969

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 23f2438bf2f1947a69540230873a8e1b10c36a558cbe34af18feaea4af643d1d
Instruction ID: 2b247b45c35498576e4f5c769069253896ee45310ec86603c536ea1ec2fbf65f
Opcode Fuzzy Hash: 23f2438bf2f1947a69540230873a8e1b10c36a558cbe34af18feaea4af643d1d
Instruction Fuzzy Hash: 7A41A3B15083849AC751EF65D4419DFB7E8AF88345F40082FB489C3261FA79D68CCB5B

Function 00487500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00487519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004875C0
IsMenu.USER32(?), ref: 004875D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00487620
DrawMenuBar.USER32 ref: 00487633

Strings

0, xrefs: 0048750D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: a0e848d2816564b77e3541e417d45c5ea5f81237a21e4ec9dff92fc557af208d
Instruction ID: 244ebd32b8f97b81259969125f729c00c6f494ffb7d64cbbbf547a27778ec249
Opcode Fuzzy Hash: a0e848d2816564b77e3541e417d45c5ea5f81237a21e4ec9dff92fc557af208d
Instruction Fuzzy Hash: 29414775A05608EFDB10EF58D894E9EBBB8FB04320F14882AE915A7390D734ED51CFA4

Function 0048122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0048125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00481286
FreeLibrary.KERNEL32(00000000), ref: 0048133D

Part of subcall function 0048122D: RegCloseKey.ADVAPI32(?), ref: 004812A3
Part of subcall function 0048122D: FreeLibrary.KERNEL32(?), ref: 004812F5
Part of subcall function 0048122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481318

RegDeleteKeyW.ADVAPI32(?,?), ref: 004812E0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 59a0954294989c9cc7baee405be50d69b665d4c8366daf6602a98d2433ad7fc6
Instruction ID: c705425fdb16329370bfebf572505c6039bd2b495d774f44f1cf002bfd069236
Opcode Fuzzy Hash: 59a0954294989c9cc7baee405be50d69b665d4c8366daf6602a98d2433ad7fc6
Instruction Fuzzy Hash: 4C311E71901109BFEB15AF90DC899FFB7BCEB09300F10097BE905E2251D6745E8A9BA8

Function 0045DFDC Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E01F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E045
SysAllocString.OLEAUT32(00000000), ref: 0045E048
SysAllocString.OLEAUT32(?), ref: 0045E066
SysFreeString.OLEAUT32(?), ref: 0045E06F
StringFromGUID2.COMBASE(?,?,00000028), ref: 0045E094
SysAllocString.OLEAUT32(?), ref: 0045E0A2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9d7ae1e0de16f778dda2965d4098e8be9b1419331666f34a8595c87c9f580ac9
Instruction ID: fbe12215b172cbe6580b201520ad06bb2c18ee563901ca4c8b5bde41da82146e
Opcode Fuzzy Hash: 9d7ae1e0de16f778dda2965d4098e8be9b1419331666f34a8595c87c9f580ac9
Instruction Fuzzy Hash: 7021B432600129AF9B109FA9DC88DBF73ECEB08760B10843AFD14DB291D6B49D498768

Function 00476486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004780A0: inet_addr.WS2_32(00000000), ref: 004780CB

socket.WS2_32(00000002,00000001,00000006), ref: 004764D9
WSAGetLastError.WS2_32(00000000), ref: 004764E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00476521
connect.WSOCK32(00000000,?,00000010), ref: 0047652A
WSAGetLastError.WS2_32 ref: 00476534
closesocket.WS2_32(00000000), ref: 0047655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00476576

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 74c6652e652a631785c3cf5e66c26abcdfc8c244c4b2312955181242269b2fac
Instruction ID: 88e8d7ad7378523e1ee53271d3cbf6d364baabb8775fd53d7e5544776c6eccb5
Opcode Fuzzy Hash: 74c6652e652a631785c3cf5e66c26abcdfc8c244c4b2312955181242269b2fac
Instruction Fuzzy Hash: 3B31D331600118AFDB10AF24DC85BFE7BA9EB44714F01803EFD09A7291CB78AD08CB69

Function 00459372 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004593F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00459409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00459439

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Strings

ComboBox, xrefs: 00459380
@U=u, xrefs: 004593F6, 00459409, 00459439
ListBox, xrefs: 004593B5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 93e7c1aedcc11a95bb443b0371d6cafc8d7f3fec94e5ae2729e15677f2ef145b
Instruction ID: c00c561ba6da329c47fc9231c9d51ea779790e0de9441c917b22281e101d07b1
Opcode Fuzzy Hash: 93e7c1aedcc11a95bb443b0371d6cafc8d7f3fec94e5ae2729e15677f2ef145b
Instruction Fuzzy Hash: B0210471A44108BADB14AB71DC858FFB768DF06354B20412FFD21A72E2DB3C1D0E9A28

Function 0045E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045E120
SysAllocString.OLEAUT32(00000000), ref: 0045E123
SysAllocString.OLEAUT32 ref: 0045E144
SysFreeString.OLEAUT32 ref: 0045E14D
StringFromGUID2.COMBASE(?,?,00000028), ref: 0045E167
SysAllocString.OLEAUT32(?), ref: 0045E175

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ecfb87cbb810f75c8a0aac5f2f8121e9879a68bf9245c77e1246510dbfef703c
Instruction ID: 3a502a6ae8d305f9b651b9d3386196c099983abe0a10d70971b35180c26ce8e7
Opcode Fuzzy Hash: ecfb87cbb810f75c8a0aac5f2f8121e9879a68bf9245c77e1246510dbfef703c
Instruction Fuzzy Hash: A821D371200518BFDB14AFA9DC88CAB77ECEB09760B10813AFD54CB2A1DB74DD458B68

Function 0045FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045FB81
__wcsnicmp.LIBCMT ref: 0045FBA2
__wcsnicmp.LIBCMT ref: 0045FBBC

Strings

#requireadmin, xrefs: 0045FB9C
#notrayicon, xrefs: 0045FB79
#OnAutoItStartRegister, xrefs: 0045FBB6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: babb35e8ee24ed1c14ab90af87c25c466edfe5a70fc718ea23d9f4c0a04d716c
Instruction ID: 566f03899e7f3434533f03e94b1724d4296a521f6068b5759495cbded75bf72e
Opcode Fuzzy Hash: babb35e8ee24ed1c14ab90af87c25c466edfe5a70fc718ea23d9f4c0a04d716c
Instruction Fuzzy Hash: 17214B32200264A6D231A621ED12FA77398AF51305F50403BFD8587683E75CAD8E929F

Function 0045B6AF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0045B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B742
_wcsstr.LIBCMT ref: 0045B74C

Strings

@U=u, xrefs: 0045B6E4, 0045B71C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 7436da7a859b67d6deb9bf5509ee44ea8d25a752d9ed83b146eb44c1ff20bff4
Instruction ID: 92905fa91f0919fd0663971f7b16c7770949424b3f2b88b14ccf821531dff383
Opcode Fuzzy Hash: 7436da7a859b67d6deb9bf5509ee44ea8d25a752d9ed83b146eb44c1ff20bff4
Instruction Fuzzy Hash: 22210731204244BAEB255B39AC49E7F7BA8DF49711F10403FFC05DA2A2EB69DC4593A9

Function 004597E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459802

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459834
__itow.LIBCMT ref: 0045984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459874
__itow.LIBCMT ref: 00459885

Strings

@U=u, xrefs: 00459802, 00459834, 00459874

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: bb64f573451de55776081106e2077a40154a86783a365389064d38d76cf6ab36
Instruction ID: aeeddb3b223d654d5ac6f79e157a026aded2de9f9537dafa1f076d0ba1bb685a
Opcode Fuzzy Hash: bb64f573451de55776081106e2077a40154a86783a365389064d38d76cf6ab36
Instruction Fuzzy Hash: 4B21D871B10204EBDB10AB61CC86EEE3BA9EF49715F14403AFD04A7382D6789D4997D6

Function 0048783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004878A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004878AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004878B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004878C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004878D4

Strings

Msctls_Progress32, xrefs: 00487872

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 521e1264683aec45ec588e50e47250bff2fe7330e07d986e850df4f2a6ea1db9
Instruction ID: c0e5e83d8caaffed66c3671765ff495ed8936c55081b1a71fa7d1f8dd9a4b5cd
Opcode Fuzzy Hash: 521e1264683aec45ec588e50e47250bff2fe7330e07d986e850df4f2a6ea1db9
Instruction Fuzzy Hash: 5311C8B2510119BFEF15AF60CC85EEB7F5DEF08758F114125F604A2090C775AC21DBA4

Function 00425FDC Relevance: 10.5, APIs: 7, Instructions: 48threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00425FDD

Part of subcall function 00429C04: GetLastError.KERNEL32(?,00421013,00428D6D,004259D3,00000001,?,00421013,?,00000000,%I,?,00409FEC,?,?,?,?), ref: 00429C06
Part of subcall function 00429C04: __calloc_crt.LIBCMT ref: 00429C27
Part of subcall function 00429C04: __initptd.LIBCMT ref: 00429C49
Part of subcall function 00429C04: GetCurrentThreadId.KERNEL32 ref: 00429C50
Part of subcall function 00429C04: SetLastError.KERNEL32(00000000,00421013,?,00000000,%I,?,00409FEC,?,?,?,?), ref: 00429C68

CloseHandle.KERNEL32(?,?,00425FBC), ref: 00425FF1
__freeptd.LIBCMT ref: 00425FF8
RtlExitUserThread.NTDLL(00000000,?,00425FBC), ref: 00426000
GetLastError.KERNEL32(?,?,00425FBC), ref: 00426030
RtlExitUserThread.NTDLL(00000000,?,?,00425FBC), ref: 00426037
__freefls@4.LIBCMT ref: 00426053

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
String ID:
API String ID: 3304096619-0
Opcode ID: 08d2eb8f35e0c2ac84c0c8712e69f82d26bb0ba4bf5acd84931f0a9d6c38518b
Instruction ID: f28d8b9c623d0fc2b94d076db2cf8ea84253f1e49d1cb44a6f3a27c13c43e758
Opcode Fuzzy Hash: 08d2eb8f35e0c2ac84c0c8712e69f82d26bb0ba4bf5acd84931f0a9d6c38518b
Instruction Fuzzy Hash: 1A01B574601B219BC728ABB5E80991E7794BF04318B50852EF804C7692DF38DC018749

Function 00429D26 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00429D26

Part of subcall function 004233C7: RtlEncodePointer.NTDLL(00000000), ref: 004233CA
Part of subcall function 004233C7: __initp_misc_winsig.LIBCMT ref: 004233E5
Part of subcall function 004233C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0042A0E0
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042A0F4
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042A107
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042A11A
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042A12D
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0042A140
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0042A153
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0042A166
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0042A179
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0042A18C
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0042A19F
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0042A1B2
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0042A1C5
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0042A1D8
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0042A1EB
Part of subcall function 004233C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0042A1FE

__mtinitlocks.LIBCMT ref: 00429D2B
__mtterm.LIBCMT ref: 00429D34

Part of subcall function 00429D9C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00429E96
Part of subcall function 00429D9C: _free.LIBCMT ref: 00429E9D
Part of subcall function 00429D9C: RtlDeleteCriticalSection.NTDLL(0BL), ref: 00429EBF

__calloc_crt.LIBCMT ref: 00429D59
__initptd.LIBCMT ref: 00429D7B
GetCurrentThreadId.KERNEL32 ref: 00429D82

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e59763a18dd9db20392e5a07e5263167a23315f3fae20b2a70b6a8260dbba2e9
Instruction ID: 3a4ad7869198ffd9109903b6ff0dd43e1d919ab51d7ec4b7e1e30be07ee80a48
Opcode Fuzzy Hash: e59763a18dd9db20392e5a07e5263167a23315f3fae20b2a70b6a8260dbba2e9
Instruction Fuzzy Hash: EEF06D727297316AF6347B7ABC0668A2694DF01738FA04A2FF458D51E2EF1C8C41559C

Function 004039E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A36
ShowWindow.USER32(00000000,?,?), ref: 00403A4A
ShowWindow.USER32(00000000,?,?), ref: 00403A53

Strings

edit, xrefs: 00403A30
AutoIt v3, xrefs: 00403A0D, 00403A12, 00403A13

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c5a73eedef5a2465e8ab68d3bd5040811d5becc50fb1d01bf63cd94d759b155d
Instruction ID: 2cecf371cb078c9d5b9832381e7f464e31ed9d63f24175115e8a4ea464a317ab
Opcode Fuzzy Hash: c5a73eedef5a2465e8ab68d3bd5040811d5becc50fb1d01bf63cd94d759b155d
Instruction Fuzzy Hash: B3F03A706002907EEA702723AC48E2B2E7DD7C6F50B02807EB900A2171C2B90841CAB8

Function 004241C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004241E3
GetProcAddress.KERNEL32(00000000), ref: 004241EA
RtlEncodePointer.NTDLL(00000000), ref: 004241F6
RtlDecodePointer.NTDLL(00000001), ref: 00424213

Strings

RoInitialize, xrefs: 004241D2
combase.dll, xrefs: 004241DE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: ddfa7ecf956035a75bb873e4545af4f7585191630ec01220704f4d047e2aa69d
Instruction ID: c49f78410c04fde3648442f996d7962f385baa81e21f20bc912104f4af3013fa
Opcode Fuzzy Hash: ddfa7ecf956035a75bb873e4545af4f7585191630ec01220704f4d047e2aa69d
Instruction Fuzzy Hash: 23E01AB0690300AEEF615BB1ED1DF193AA4B7A0B02F544939B851D51A0DBF944999F1C

Function 0042429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004241B8), ref: 004242B8
GetProcAddress.KERNEL32(00000000), ref: 004242BF
RtlEncodePointer.NTDLL(00000000), ref: 004242CA
RtlDecodePointer.NTDLL(004241B8), ref: 004242E5

Strings

RoUninitialize, xrefs: 004242A7
combase.dll, xrefs: 004242B3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
Instruction ID: 15b1a5aa7e18a967cd8893ea7d93c869ab9a07ceb3ae99f86fd7b01cca389b21
Opcode Fuzzy Hash: 38a029e66ea7d27f7a9163d1d7d860f5c65e6d37c153c2e42146312fef8db417
Instruction Fuzzy Hash: 71E04F78681300EFDB409B21FE0CF493AA4F750742F140539F041D11A0CFB84644CB1C

Function 00401DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00401DDC
GetWindowRect.USER32(?,?), ref: 00401E1D
ScreenToClient.USER32(?,?), ref: 00401E45
GetClientRect.USER32(?,?), ref: 00401F74
GetWindowRect.USER32(?,?), ref: 00401F8D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
Instruction ID: ed51bef88b18f13e8c67287d0da0124a028b815528b7051244985eeafb7c58ca
Opcode Fuzzy Hash: d137a9c50dddbd1c864f695680de21518bce5053a59fcecd0cad3697e154db73
Instruction Fuzzy Hash: 6BB14E7990024ADBDF10CFA8C5807EEB7B1FF08310F14952AED59AB361DB34A951CB99

Function 00476E17 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00476F14
WSAGetLastError.WS2_32(00000000), ref: 00476F48
htons.WS2_32(?), ref: 00476FFE
inet_ntoa.WS2_32(?), ref: 00476FBB

Part of subcall function 0045AE14: _strlen.LIBCMT ref: 0045AE1E
Part of subcall function 0045AE14: _memmove.LIBCMT ref: 0045AE40

_strlen.LIBCMT ref: 00477058
_memmove.LIBCMT ref: 004770C1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 6ab083c5adbce74e04bc1d970efacb3a57605b8fcd07aa6b55b936ef9d706070
Instruction ID: 17faa9dd7ded59eafe06aa6fc4fe4fc7440cd0719e375698d2b57dfaf69d4e3a
Opcode Fuzzy Hash: 6ab083c5adbce74e04bc1d970efacb3a57605b8fcd07aa6b55b936ef9d706070
Instruction Fuzzy Hash: 96810731504300ABD710EF25CC85EABB3E9AF84718F50852EF549A72D2DB789D05CB5A

Function 0046675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004668AD
_memmove.LIBCMT ref: 004667E8

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

_memmove.LIBCMT ref: 0046685B
_memmove.LIBCMT ref: 00466942
_memmove.LIBCMT ref: 0046695B
_memmove.LIBCMT ref: 00466977

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: cb70ab89cfc0b73ff244500bb0ea0b43be10df4e1a5ff53e3e773aca427e3c73
Instruction ID: 6f91ede795408b0bfae053ebd451bddb5c2729c6fb0f0f0f08a4ed72ad27e223
Opcode Fuzzy Hash: cb70ab89cfc0b73ff244500bb0ea0b43be10df4e1a5ff53e3e773aca427e3c73
Instruction Fuzzy Hash: C9619F7060025A9BDF11EF66C881EFE37A4AF0430CF45452EF8556B2D2EB38AD05CB5A

Function 0048046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 004810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00480038,?,?), ref: 004810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004805AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004805D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00480617
RegCloseKey.ADVAPI32(00000000), ref: 00480624

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f882c777cc3bc4277bbab36f8223b30cfdcb9cadfc833a27e9bd04dcf1e507f4
Instruction ID: b84270fded324d951e7523c32ca62a415ab9193bd248edf919504d3f3afdc4c8
Opcode Fuzzy Hash: f882c777cc3bc4277bbab36f8223b30cfdcb9cadfc833a27e9bd04dcf1e507f4
Instruction Fuzzy Hash: F3516D31618200AFC714EF15C885E6FBBE8FF85318F04492EF445972A1DB35E909CB5A

Function 00485A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00485A82
GetMenuItemCount.USER32(00000000), ref: 00485AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00485AE1
GetMenuItemID.USER32(?,?), ref: 00485B50
GetSubMenu.USER32(?,?), ref: 00485B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00485BAF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 38a8253cefbc93c74ccce548d012e8240d5aa5aaae8c6840dfedb1cb753b7fce
Instruction ID: c9ca8b8726438513afe2720f1a288169c3e90a9b7cee580165c83d3fb24cc843
Opcode Fuzzy Hash: 38a8253cefbc93c74ccce548d012e8240d5aa5aaae8c6840dfedb1cb753b7fce
Instruction Fuzzy Hash: E751B131A00615EFCF15EFA5C881AAEB7B4EF18314F10486AE811B7351DB78BE418B99

Function 0045F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045F3F7
VariantClear.OLEAUT32(00000013), ref: 0045F469
VariantClear.OLEAUT32(00000000), ref: 0045F4C4
_memmove.LIBCMT ref: 0045F4EE
VariantClear.OLEAUT32(?), ref: 0045F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F569

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
Instruction ID: 2e2eaad49763833bbcfc7c68f572f088d5f8d2798b4c1c5c41ffca29e6c5e6c5
Opcode Fuzzy Hash: e0e4c2a5e8745864faa56e5889f7aed8dc9d36647b4b934b0d9476528ef57ffe
Instruction Fuzzy Hash: E6517BB5A00209EFCB10CF58D880AAAB7B8FF4C354B15856AED59DB301E734E915CFA5

Function 004626F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462792
IsMenu.USER32(00000000), ref: 004627B2
CreatePopupMenu.USER32 ref: 004627E6
GetMenuItemCount.USER32(000000FF), ref: 00462844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462875

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: ae907cd3f2aa1f5fb6f168798142b7ed047680f4cd9d897be70698fd7a4ddbb7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: FD51B270A00705FFDF14DF68CE88AAEBBF4AF44314F10462EE4119B291E7B88904CB56

Function 00401765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
GetWindowRect.USER32(?,?), ref: 004017FE
ScreenToClient.USER32(?,?), ref: 0040181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
EndPaint.USER32(?,?), ref: 00401876

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 51c970da4a239bb1c67884811704bc71b1d929fa63eec6c1036212803b378d54
Instruction ID: f496b0d24a919446a821901bb08c967343d20a2d6e91284dadc4af8012d8984c
Opcode Fuzzy Hash: 51c970da4a239bb1c67884811704bc71b1d929fa63eec6c1036212803b378d54
Instruction Fuzzy Hash: F8418C71100200AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C7359946DB6A

Function 004773B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00475134,?,?,00000000,00000001), ref: 004773BF

Part of subcall function 00473C94: GetWindowRect.USER32(?,?), ref: 00473CA7

GetDesktopWindow.USER32 ref: 004773E9
GetWindowRect.USER32(00000000), ref: 004773F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00477422

Part of subcall function 004654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E

GetCursorPos.USER32(?), ref: 0047744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004774AC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 1bbe2dab67a06001c52ae2f9a22043e2ef62813232fffdc4d3db5c9dfcd07594
Instruction ID: 451e44952bf497c2b349903a2f13307d0e496186b9ded03a72eae34462921b73
Opcode Fuzzy Hash: 1bbe2dab67a06001c52ae2f9a22043e2ef62813232fffdc4d3db5c9dfcd07594
Instruction Fuzzy Hash: AB31C172508305ABD720DF14D849F9BBBA9FF88318F40492EF588A7191DA34E9098B96

Function 0046ED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9

_wcstok.LIBCMT ref: 0046EEFF
_wcscpy.LIBCMT ref: 0046EF8E
_memset.LIBCMT ref: 0046EFC1

Strings

X, xrefs: 0046EFFE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0b7fbd7c76bbc26c94c2cc43a027ffda8d0249d127e66c750e289aa4f9ed7d78
Instruction ID: e5faa3e43e2d4f2b39f1221ea160a1343461ec5a37f38ef29422b0ed6a717957
Opcode Fuzzy Hash: 0b7fbd7c76bbc26c94c2cc43a027ffda8d0249d127e66c750e289aa4f9ed7d78
Instruction Fuzzy Hash: 8FC161756083009FC714EF25D885A5BB7E4EF85314F00492EF899972A2EB38ED45CB9B

Function 00458D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004585F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00458608
Part of subcall function 004585F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00458612
Part of subcall function 004585F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00458621
Part of subcall function 004585F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00458628
Part of subcall function 004585F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0045863E

GetLengthSid.ADVAPI32(?,00000000,00458977), ref: 00458DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00458DB8
RtlAllocateHeap.NTDLL(00000000), ref: 00458DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00458DD8
GetProcessHeap.KERNEL32(00000000,00000000,00458977), ref: 00458DEC
HeapFree.KERNEL32(00000000), ref: 00458DF3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 00f70540977adc48f825812fcb131cdb4b0eb531280d4edd44eca526df0130b7
Instruction ID: 1202f83664b48131ef9e99016bda2dd279946cd9251d5692b32c9786c7e1d679
Opcode Fuzzy Hash: 00f70540977adc48f825812fcb131cdb4b0eb531280d4edd44eca526df0130b7
Instruction Fuzzy Hash: 5B119A71500605FFDB109BA4CC49BAF7BB9EB55316F10442EE845A7252DF3AA90CCB68

Function 0048C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0048C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0048C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0048C1F6
EndPath.GDI32(00000000), ref: 0048C206
StrokePath.GDI32(00000000), ref: 0048C216

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bc183b863d25148f1850e921a38b1f50aaa057c6c296e3ddc5a0a673332eb76c
Instruction ID: ccdd2b6199ca87c5987ba8fb438783b6dd83c6b3b3853e6015e3ed05b8f1b088
Opcode Fuzzy Hash: bc183b863d25148f1850e921a38b1f50aaa057c6c296e3ddc5a0a673332eb76c
Instruction Fuzzy Hash: FD111B7640010CBFDF11AF90DC88EAE7FADEB08354F048476BE185A1A1D7719D59DBA4

Function 0045BC53 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0045BC78
GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BC89
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BC90
ReleaseDC.USER32(00000000,00000000), ref: 0045BC98
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045BCAF
MulDiv.KERNEL32(000009EC,?,?), ref: 0045BCC1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction ID: f30eaf0c3aa886d43f7d9f778ada49afbf2d8babdd65a2cac19e3cb530870d53
Opcode Fuzzy Hash: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction Fuzzy Hash: AB017175A00608BBEB109FA69D49A5EBFA8EB48361F10407AFE04A7291D6309C15CF94

Function 004203A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004203D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 004203DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004203E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004203F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004203F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00420401

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5

Function 0046568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0046569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004656B1
GetWindowThreadProcessId.USER32(?,?), ref: 004656C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004656CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004656D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004656E0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction ID: 8f6901114866ca14cd986ee1e292bd4770a5f34436d5c21ea24a7dc2b3a2ed97
Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction Fuzzy Hash: 13F01231641558BBD7215B92DC0DEAF7A7CEFC6B11F00067DFA04D1050E7A51A1587B9

Function 004674D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004674E5
RtlEnterCriticalSection.NTDLL(?), ref: 004674F6
TerminateThread.KERNEL32(00000000,000001F6,?,00411044,?,?), ref: 00467503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00411044,?,?), ref: 00467510

Part of subcall function 00466ED7: CloseHandle.KERNEL32(00000000,?,0046751D,?,00411044,?,?), ref: 00466EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00467523
RtlLeaveCriticalSection.NTDLL(?), ref: 0046752A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction ID: 9734b5ccd6540a82fb48e8287cb809d44fcf662c2da7f217d7ce71899fdcd72b
Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction Fuzzy Hash: 9EF0823A140A12EBDB111B64FC8C9EF773AFF45312B5009BAF203914B0EB7A5815CB59

Function 00478902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478928
CharUpperBuffW.USER32(?,?), ref: 00478A37
VariantClear.OLEAUT32(?), ref: 00478BAF

Part of subcall function 00467804: VariantInit.OLEAUT32(00000000), ref: 00467844
Part of subcall function 00467804: VariantCopy.OLEAUT32(00000000,?), ref: 0046784D
Part of subcall function 00467804: VariantClear.OLEAUT32(00000000), ref: 00467859

Strings

Incorrect Parameter format, xrefs: 00478960, 00478B22
AUTOIT.ERROR, xrefs: 00478A3D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 318fd00513afdafd0ff9fc92e97aced0b0b99a2afeae3878386655570a7fe711
Instruction ID: fe893c211d290caf4c1edec6ac9143816d1416bbb96a5f03f5a21eb01c423c59
Opcode Fuzzy Hash: 318fd00513afdafd0ff9fc92e97aced0b0b99a2afeae3878386655570a7fe711
Instruction Fuzzy Hash: 8B916DB16043019FC710DF25C48499BBBE4EF89318F14896FF89A9B3A2DB35E905CB56

Function 00462F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9

_memset.LIBCMT ref: 00463077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004630A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00463159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00463187

Strings

0, xrefs: 00463063

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d28bbc1387e709850f7c6813bdba92bb5a88c0f6c8cb81dd674c5c4ab6bdcb07
Instruction ID: 5f8f8906756aa80e7caec182ea647f193b7f32e8aa59a0add1d918dcf171f5cd
Opcode Fuzzy Hash: d28bbc1387e709850f7c6813bdba92bb5a88c0f6c8cb81dd674c5c4ab6bdcb07
Instruction Fuzzy Hash: FA51E2316083809AD715DF28D845AABB7E8EF56315F04492FF885D32D1EB78CE48879B

Function 00489A63 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00489AD2
ScreenToClient.USER32(00000002,00000002), ref: 00489B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00489B72

Strings

@U=u, xrefs: 00489BCD

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: eab6e7512a8478ae3c31ffb502bec9390e6d77077a36ac5797bb03ab36ff8834
Instruction ID: 83a32f27effb1c0e9225a5450d6387a379812c061b1dd1f9dd249746571fe159
Opcode Fuzzy Hash: eab6e7512a8478ae3c31ffb502bec9390e6d77077a36ac5797bb03ab36ff8834
Instruction Fuzzy Hash: C1512D74A00649AFCF14EF58D8809BE7BB5FF44324F188A6AF8159B390D734AD41CB98

Function 00459F62 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00459FB4
__itow.LIBCMT ref: 00459FE5

Part of subcall function 0045A235: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0045A2A0

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0045A04E
__itow.LIBCMT ref: 0045A0A5

Strings

@U=u, xrefs: 00459FB4, 0045A04E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 169fcdd22a18a7d601f2e3f9c09d202a297389bb1e2dfbd4b59bdddcbfbb6c11
Instruction ID: 3515bc24300b6a467bcabe874439c5d37ce54581fe93465fab3cecad097ec5b7
Opcode Fuzzy Hash: 169fcdd22a18a7d601f2e3f9c09d202a297389bb1e2dfbd4b59bdddcbfbb6c11
Instruction Fuzzy Hash: E7418370A00208ABDF21DF51C845BEE7BB5EF44715F04006EBD05A72D2DB789E59CBA6

Function 00459CD7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004619CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459778,?,?,00000034,00000800,?,00000034), ref: 004619F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00459D21

Part of subcall function 00461997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004597A7,?,?,00000800,?,00001073,00000000,?,?), ref: 004619C1

Part of subcall function 004618EE: GetWindowThreadProcessId.USER32(?,?), ref: 00461919
Part of subcall function 004618EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045973C,00000034,?,?,00001004,00000000,00000000), ref: 00461929
Part of subcall function 004618EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045973C,00000034,?,?,00001004,00000000,00000000), ref: 0046193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00459D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00459DDB

Strings

@, xrefs: 00459DF3
@U=u, xrefs: 00459D21, 00459D8E, 00459DDB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 2e8eb4011b6b44079a608d3534e2a2410c0b682b5a3fae808fc13cf589435091
Instruction ID: f802e40040d5933568d6548ee37601c822e2bd82ac9302598c2c3bc410ea05e6
Opcode Fuzzy Hash: 2e8eb4011b6b44079a608d3534e2a2410c0b682b5a3fae808fc13cf589435091
Instruction Fuzzy Hash: 7C414276900118AFDB10DFA4CC41ADEBBB8EF09304F14409AF945B7191DA746E49DF65

Function 0045DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0045DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045DB8E

Strings

DllGetClassObject, xrefs: 0045DB01

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bd04dc08d3ae7bfadbe53b5410b67b02ab652c227152baabf1e45b2858894097
Instruction ID: bdd2be2ff8fd35e167879badfa90f04c80079ac5dfc6a7bed9592843198ac637
Opcode Fuzzy Hash: bd04dc08d3ae7bfadbe53b5410b67b02ab652c227152baabf1e45b2858894097
Instruction Fuzzy Hash: FC418271A00204EFDB25CF55C884A9A7BBAEF44311F1581AEED059F207D7B9ED48CBA4

Function 00462C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462CAF
GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00462CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00462D11
DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,004C6890,00000000), ref: 00462D5A

Strings

0, xrefs: 00462CA4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 0ba1456fd131f45ac79e83895ae1ccd7d82afcfcc3e6ebc7136bcd4d9a7bd99d
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F8419130204702AFD720DF25C944B5BB7E4AF85324F14462EF96597291E7B8E904CBAB

Function 00488AC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00488B4D

Strings

@U=u, xrefs: 00488B9C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 6699b31c520405ad2b4610510c1f9538b8245166342defbf1afa73a81b7e239f
Instruction ID: 6017366305c22272e93e48bc594278956003a9b2b994b7244c35f7a79524baaf
Opcode Fuzzy Hash: 6699b31c520405ad2b4610510c1f9538b8245166342defbf1afa73a81b7e239f
Instruction Fuzzy Hash: F1319074640204BEEB24BA58CC45FAE3764EB85310FA44D2BFA51D62A1DF38B9409B59

Function 0047DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047DAD9

Part of subcall function 004079AB: _memmove.LIBCMT ref: 004079F9

Strings

stdcall, xrefs: 0047DB5B
winapi, xrefs: 0047DB4A
cdecl, xrefs: 0047DB30
none, xrefs: 0047DBB4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 581809269a7dfdfeddc9555b95d936074b4ed0ad140d9d90996dbf0b54da1229
Instruction ID: a8638b0df0228535fab177acacf4a9995d3a54798f321b9b19110b30cd1a555d
Opcode Fuzzy Hash: 581809269a7dfdfeddc9555b95d936074b4ed0ad140d9d90996dbf0b54da1229
Instruction Fuzzy Hash: 76318370A102159FCF00EF55C8819EEB3B4FF05314B10862BA865A76D1DB79B906CB98

Function 0040410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D5EC

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

_memset.LIBCMT ref: 0040418D
_wcscpy.LIBCMT ref: 004041E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1

Strings

Line: , xrefs: 0043D615

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c05aed40b8ac0bd79daeefb462f94e2ce308d8429c1c2c427e9dfe5b5a668b54
Instruction ID: 58a74a7614972f0f445e6137c0dd90b430b5bf5ec00f8e3566b7ff54c1cdf52a
Opcode Fuzzy Hash: c05aed40b8ac0bd79daeefb462f94e2ce308d8429c1c2c427e9dfe5b5a668b54
Instruction Fuzzy Hash: 8B31C171408304AAD761EB60DC45FDB73E8AF44304F10497FB184A21D1EB78A649C79F

Function 00471B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00471B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00471B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00471B96
InternetCloseHandle.WININET(00000000), ref: 00471BDD

Part of subcall function 00472777: GetLastError.KERNEL32(?,?,00471B0B,00000000,00000000,00000001), ref: 0047278C
Part of subcall function 00472777: SetEvent.KERNEL32(?,?,00471B0B,00000000,00000000,00000001), ref: 004727A1

Strings

, xrefs: 00471B87

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d9ac3558636909731b0b3a236f17b9df6e42c5e20a1b71d5a4cc2f93b1b10254
Instruction ID: ee56afe60ffdfdfde2582bf5a9ce9740fcc5a13e0c995de85fa6f6029e89fcc2
Opcode Fuzzy Hash: d9ac3558636909731b0b3a236f17b9df6e42c5e20a1b71d5a4cc2f93b1b10254
Instruction Fuzzy Hash: 6B21C5716002087FEB119F659CC5EFF76ECEB89748F10812FF409E6250EB68AD095769

Function 00486656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004866D0
LoadLibraryW.KERNEL32(?), ref: 004866D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004866EC
DestroyWindow.USER32(?), ref: 004866F4

Strings

SysAnimate32, xrefs: 004866AB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 49ba697defebaeff7bf3c6ed2474ef9451a394873102f99e0ceafb0c30f968ce
Instruction ID: 4db44445907f2aaf5c84c958528420195b0187cfe800e99e3e12bc9784e60b19
Opcode Fuzzy Hash: 49ba697defebaeff7bf3c6ed2474ef9451a394873102f99e0ceafb0c30f968ce
Instruction Fuzzy Hash: 7A21D171100205AFEF506F64EC80EBF37ADEF59328F124A2AF910A2290E779CC419769

Function 0046703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0046705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00467091
GetStdHandle.KERNEL32(0000000C), ref: 004670A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004670DD

Strings

nul, xrefs: 004670D8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 01e20ca06717229d7de1ec3cf3768b9798ae8679633ac96eb37df0490b00c094
Instruction ID: 9202ab078a4c3a503da059fcda44fa11a597938485d0537d731b61e6695388f4
Opcode Fuzzy Hash: 01e20ca06717229d7de1ec3cf3768b9798ae8679633ac96eb37df0490b00c094
Instruction Fuzzy Hash: B2219574504205ABDB209F39DC05A9A77B4BF44728F204A2AFDA0D73D0F7759850CB6A

Function 0046710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0046712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0046715D
GetStdHandle.KERNEL32(000000F6), ref: 0046716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004671A8

Strings

nul, xrefs: 004671A3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 563ae3597cc525712e01c8339508356707790848640d06020bee104cb4be4cb4
Instruction ID: fde4513149a148a3dd0ed9eecfc4b4dffc20060bf443cc96dc0213e778ed6211
Opcode Fuzzy Hash: 563ae3597cc525712e01c8339508356707790848640d06020bee104cb4be4cb4
Instruction Fuzzy Hash: CF21A475504205ABDB209F699C04ADA77A8AF56738F200A1FFDF0D33D0E77498418B5A

Function 0046AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046AF13
__swprintf.LIBCMT ref: 0046AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046AF6A

Strings

%lu, xrefs: 0046AF26

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b4a1864f75e20243d00835f8143e9eef298a103f2737fbdecb280991b98b6b22
Instruction ID: b4b9151bd391a1a00ee024e1154eb3d57cc719af83fa6b4482faf86d322b87cd
Opcode Fuzzy Hash: b4a1864f75e20243d00835f8143e9eef298a103f2737fbdecb280991b98b6b22
Instruction Fuzzy Hash: 50217430600109AFCB10EF65C885DAE77B8EF49704B10407EF905EB252DB35EE45CB25

Function 0045A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Part of subcall function 0045A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0045A399
Part of subcall function 0045A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A3AC
Part of subcall function 0045A37C: GetCurrentThreadId.KERNEL32 ref: 0045A3B3
Part of subcall function 0045A37C: AttachThreadInput.USER32(00000000), ref: 0045A3BA

GetFocus.USER32 ref: 0045A554

Part of subcall function 0045A3C5: GetParent.USER32(?), ref: 0045A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0045A59D
EnumChildWindows.USER32(?,0045A615), ref: 0045A5C5
__swprintf.LIBCMT ref: 0045A5DF

Strings

%s%d, xrefs: 0045A5D9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: c4eabb98d72f631e76238eaeaa1ec41441e5a8ca6b9faac201d5bfdf75b8b20c
Instruction ID: 751a8b7b0c5b57c291529cd136f6623689df8672639a0acf52c1b212b8b34187
Opcode Fuzzy Hash: c4eabb98d72f631e76238eaeaa1ec41441e5a8ca6b9faac201d5bfdf75b8b20c
Instruction Fuzzy Hash: BA11A5716002086BDF10BF61DC85FEE3778AF48705F14417ABE08AA193DA78595A8B7A

Function 00401D35 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
GetStockObject.GDI32(00000011), ref: 00401D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

Strings

@U=u, xrefs: 00401D91

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
Instruction ID: bcc18056a9f9bf7612c1f1802b6de8f9928d6a82d4ed00d2f4876380ead3997e
Opcode Fuzzy Hash: 6ef78ac23a4bd727a3300ca9299958f8ec95875dc6640e3e56f2f55486011c29
Instruction Fuzzy Hash: 0D11A172501108BFEF018F90DC44EEB7B69FF48354F440126FA0462160C739EC60DBA4

Function 00462017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00462048

Strings

APPEND, xrefs: 00462081
KEYS, xrefs: 0046205F
EXISTS, xrefs: 00462070
REMOVE, xrefs: 0046204E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: dd31cd9aefc8b763a9e2cf33df9d2f079fc5b1a6198b63f7c56e783849481f3b
Instruction ID: 77c5c7308804efc11e7610265b9817465ac0eb28ad2bd014a144432403cec0ba
Opcode Fuzzy Hash: dd31cd9aefc8b763a9e2cf33df9d2f079fc5b1a6198b63f7c56e783849481f3b
Instruction Fuzzy Hash: F511A130D1012AEFCF00EFA4D9404EEB3B4FF15304B50846AD951A7352EB3A690ACB59

Function 0047EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047F07E
CloseHandle.KERNEL32(?), ref: 0047F0FF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9895d5f400ce381446d6b32e4ef20b1d2e104e97af49aea48b51b9c51eda27fe
Instruction ID: 3fe6ad2c0d9549654d5aeb1e74c9589e22947f5369bd7a7a210fad0d8dbecfab
Opcode Fuzzy Hash: 9895d5f400ce381446d6b32e4ef20b1d2e104e97af49aea48b51b9c51eda27fe
Instruction Fuzzy Hash: F58193716043009FD720DF29C846B6AB7E5AF48714F04882EF999EB3D2D778AC048B99

Function 0042564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004256AB
_memcpy_s.LIBCMT ref: 0042571D
__read_nolock.LIBCMT ref: 0042577B
__filbuf.LIBCMT ref: 0042579E
_memset.LIBCMT ref: 004257E2

Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: 8f486d84be92ee44d8014861303fa160b6b430e9f344387c801a4323594451c0
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: B951D930B00B25DBDB248F79E88466F77B1AF40324FA4832FF829962D0D7789D518B49

Function 004802C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 004810A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00480038,?,?), ref: 004810BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004803C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0048040E
RegCloseKey.ADVAPI32(?,?), ref: 0048043A
RegCloseKey.ADVAPI32(00000000), ref: 00480447

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 2cbbd982f23dc294019c1552f7a10f6d03bd9ea8b3ceaf6dcbd301aab30ddb5e
Instruction ID: 7badc380548c35aea7f7f809b9a1a6f3aba300e4843666839c15b29f7f22ac14
Opcode Fuzzy Hash: 2cbbd982f23dc294019c1552f7a10f6d03bd9ea8b3ceaf6dcbd301aab30ddb5e
Instruction Fuzzy Hash: DC514E31214204AFD704EF55C881E6FB7E8FF84708F44492EB59597292DB38ED09CB56

Function 0047DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0047DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0047DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0047DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047DD35

Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467B20,?,?,00000000), ref: 00405B8C
Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467B20,?,?,00000000,?,?), ref: 00405BB0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 68b6ec52fa762b3fe681da63514c151608478cdf85ef6454210874749514cfe0
Instruction ID: c61c6b43bc70afb9d3e84a1531022f1a83b1380635668ac81304b0fc5ff18549
Opcode Fuzzy Hash: 68b6ec52fa762b3fe681da63514c151608478cdf85ef6454210874749514cfe0
Instruction Fuzzy Hash: 23512735A00205DFDB01EFA9C4849AEB7F4EF48314B14C06AE819AB352DB38AD45CF99

Function 0046E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E8F2

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E91F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: cc7c73aa7590f306fe45df67e2fc11c70c24e137b033aee06ee51c4b79bdf3c5
Instruction ID: eb2a6769bbfa44e6484f4cd1c5b7e7a31a5b3f962ab33e5677d97931e88bbd57
Opcode Fuzzy Hash: cc7c73aa7590f306fe45df67e2fc11c70c24e137b033aee06ee51c4b79bdf3c5
Instruction Fuzzy Hash: 91512C75A00205DFCB01EF65C9819AEBBF5EF08314B1480AAE849AB3A2DB35ED15CB55

Function 00402344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C67B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c76f3a7eb3a7e5f2f568019e782d44b37e0a37506ab22c4545a606d670b0c8a
Instruction ID: 2447c90426a38808cbef6312e0f9f8f6ce7d60f79d30bdc6c495824b4ec10740
Opcode Fuzzy Hash: 0c76f3a7eb3a7e5f2f568019e782d44b37e0a37506ab22c4545a606d670b0c8a
Instruction Fuzzy Hash: 2A416031904119FBDF159F65C888AEEBB74FB09324F20436BF824A22D0C7785954DF99

Function 00456920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045695D
TranslateAcceleratorW.USER32(?,?,?), ref: 004569A9
TranslateMessage.USER32(?), ref: 004569D2
DispatchMessageW.USER32(?), ref: 004569DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004569EB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 78944cadfa5f658e5d3a29197c4c53d74067a31d2e738c011e6355e338db77b1
Instruction ID: d2d2e048b48428a59b764f729d5fd62b0118f84c124f9056e951ba18ffc78b82
Opcode Fuzzy Hash: 78944cadfa5f658e5d3a29197c4c53d74067a31d2e738c011e6355e338db77b1
Instruction Fuzzy Hash: B03109715041029ADB60DF74CC44FB7BBACAB05306F52857BEC11D3162D738984ED798

Function 00458F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00458F12
PostMessageW.USER32(?,00000201,00000001), ref: 00458FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00458FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458FDA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction ID: f3feba45afbb173b7df5408e217b9ce9224db61ab9081f89c3f31a24f6b31fdf
Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction Fuzzy Hash: 9531DF72500219EBDB00CF68D94CA9E7BB6EB48316F10422EFD25E62D1CBB49918CB95

Function 0048B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetWindowLongW.USER32(?,000000F0), ref: 0048B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B489
GetSystemMetrics.USER32(00000004), ref: 0048B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00471184,00000000), ref: 0048B4D0

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9f6b41f635e178f29ff9823cebf15882d99b9441cfd153f4dbfb99a020f8f6ee
Instruction ID: 4d453164610f07825c255fc9dd53b5462fd2bb911a73659e8130ccaca7f2bf79
Opcode Fuzzy Hash: 9f6b41f635e178f29ff9823cebf15882d99b9441cfd153f4dbfb99a020f8f6ee
Instruction Fuzzy Hash: B1219131510215AFCB10AF388C05A6E3BA4FB05B24F158F3AF926D22E2E7349811DB98

Function 00475D60 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00475D81
GetForegroundWindow.USER32 ref: 00475D98
GetDC.USER32(00000000), ref: 00475DD4
GetPixel.GDI32(00000000,?,00000003), ref: 00475DE0
ReleaseDC.USER32(00000000,00000003), ref: 00475E1B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fc673c5ac505aad3ad5abe3363aea2e9b6591e8e9e4a366fb874368d95fc5e5a
Instruction ID: a7c85ea72732e1c5087ee6a9c035ac2ddccd6de3192ce5a361dbb4475c39e31d
Opcode Fuzzy Hash: fc673c5ac505aad3ad5abe3363aea2e9b6591e8e9e4a366fb874368d95fc5e5a
Instruction Fuzzy Hash: 8C216F75A00104AFD714EF69C988AAEB7E5EF48710F04C87EE849A7262DB74AD05CB54

Function 004012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
SelectObject.GDI32(?,00000000), ref: 0040135C
BeginPath.GDI32(?), ref: 00401373
SelectObject.GDI32(?,00000000), ref: 0040139C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ebd5db839387be117ed7d3fbb214bec0919e75378db44ca2cc759e7a000b0216
Instruction ID: 01809ca1199762821c7ccc43aba1927c018ed3358b57c1522327ad2857708082
Opcode Fuzzy Hash: ebd5db839387be117ed7d3fbb214bec0919e75378db44ca2cc759e7a000b0216
Instruction Fuzzy Hash: 9B213070801304EFEB11AF65DC04B6A7BB8FB00321F55863BF810A62F0D7799995DBA9

Function 0045C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0045C176
_memcmp.LIBCMT ref: 0045C194
_memcmp.LIBCMT ref: 0045C1A7
_memcmp.LIBCMT ref: 0045C1BF
_memcmp.LIBCMT ref: 0045C1D7

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 88f9144be28b093df22f2f3dc76d088da861ef142c81cf8349dfe7a3594bd74b
Instruction ID: 5fe845b08b4d243abe880bae0f86b0ab52380ccf05b4d0d437a3e7d93a26434e
Opcode Fuzzy Hash: 88f9144be28b093df22f2f3dc76d088da861ef142c81cf8349dfe7a3594bd74b
Instruction Fuzzy Hash: F20126617047157FE600A5215D86F6F374C9F20399B544027FD0096353EA5C9E0586ED

Function 00464D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00464D5C
__beginthreadex.LIBCMT ref: 00464D7A
MessageBoxW.USER32(?,?,?,?), ref: 00464D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464DAC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 9a322c1cdd5e0a6c12338506eb066ae180f8c54d82c0008625fa69e03bdf94fe
Instruction ID: 0819fc12fe5724ab96ebf4294b1419f29c00e38ef056b8eae01a1cb4f58a9b66
Opcode Fuzzy Hash: 9a322c1cdd5e0a6c12338506eb066ae180f8c54d82c0008625fa69e03bdf94fe
Instruction Fuzzy Hash: 0811E5B2904204BBCB11ABA8DC08ADF7BACEB85324F1442BAF915D3350E6798D4487A5

Function 0045874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00458766
GetLastError.KERNEL32(?,0045822A,?,?,?), ref: 00458770
GetProcessHeap.KERNEL32(00000008,?,?,0045822A,?,?,?), ref: 0045877F
RtlAllocateHeap.NTDLL(00000000,?,0045822A), ref: 00458786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045879D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction ID: 6cc8d7d5e4e0d4770d63651d33da719a3d54cfafac7baedd574211c687e01efd
Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction Fuzzy Hash: 0C014B75200604EFDB204FA6DC88D6B7BADFF89756720097EFC49D2260DA318C18CB64

Function 004654E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
Instruction ID: 904bb0919bfdc2718e962a82bb6b112c9c46cd464800c0dd09bb372580e459e7
Opcode Fuzzy Hash: 72de52679d9368bff63ea29de6d144572b9e7e287c6a07ba23d639df65210cf3
Instruction Fuzzy Hash: 1A016131D00A19EBCF00DFE8E84D6EDBB78FB09711F04046AE502F2154EB345954C7AA

Function 00457652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 0045766F
ProgIDFromCLSID.COMBASE(?,00000000), ref: 0045768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0045758C,80070057,?,?), ref: 00457698
CoTaskMemFree.COMBASE(00000000), ref: 004576A8
CLSIDFromString.COMBASE(?,?), ref: 004576B4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction ID: 2835faaf4413c363fa1ba4ee9e64f4df3655ad9e5f4e5c2265302ab3b3ce24e2
Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction Fuzzy Hash: 29018472601614BBDB105F58EC44BAE7BADEB44762F140439FD08D2212E735DD4997A4

Function 004585F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00458608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00458612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00458621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00458628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0045863E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction ID: b254a1de749970eb350751d9d46ef18a572f1fe096513f8760851dcb275af81e
Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction Fuzzy Hash: 0DF03C31201204AFEB100FA5DCCDE6F3BACEF8A755B10083EF94596261DF659C49DB64

Function 00458652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00458673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00458689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045869F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction ID: 619a58c91ecffcacb0c4c72c0e529b68c3fe02445c7328d4e1caf024910930dc
Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction Fuzzy Hash: 0BF0AF70200304EFEB111FA4EC88E6B3BACEF8A755B14043EF905D2251DF649C18DB64

Function 0045C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0045C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C6D1
MessageBeep.USER32(00000000), ref: 0045C6E9
KillTimer.USER32(?,0000040A), ref: 0045C705
EndDialog.USER32(?,00000001), ref: 0045C71F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ef350aab00c4addea5b29d025b6c6e34dc14d5866bb1b6e489a2aa35f3095eed
Instruction ID: 3003470e8657fa6b09e994d0b3a149c3862edb7236d9b7275a5f5f596171c00c
Opcode Fuzzy Hash: ef350aab00c4addea5b29d025b6c6e34dc14d5866bb1b6e489a2aa35f3095eed
Instruction Fuzzy Hash: F40144305007049BEB215B60DD8EB9A7778BF04706F00066EF942B15E1EBE4695D8F59

Function 004013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004013BF
StrokeAndFillPath.GDI32(?,?,0043BAD8,00000000,?), ref: 004013DB
SelectObject.GDI32(?,00000000), ref: 004013EE
DeleteObject.GDI32 ref: 00401401
StrokePath.GDI32(?), ref: 0040141C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
Instruction ID: f812cb0b4e4429ed7f7e618ed03f07a0aa621b4c15f073e4694ef7f498b4602e
Opcode Fuzzy Hash: 61c54fb263eb1c5a127bc7e68abcd113e5aa2c7f8e8059b9e487d898b006b3c2
Instruction Fuzzy Hash: 67F01930001208EFDB516F26EC4CB593BA4AB41326F15C639E829941F1C7358999DF28

Function 00458E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00458E7F
CloseHandle.KERNEL32(?), ref: 00458E94
CloseHandle.KERNEL32(?), ref: 00458E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00458EA5
HeapFree.KERNEL32(00000000), ref: 00458EAC

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58

Function 00412E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00420FF6: std::exception::exception.LIBCMT ref: 0042102C
Part of subcall function 00420FF6: __CxxThrowException@8.LIBCMT ref: 00421041

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 00407BB1: _memmove.LIBCMT ref: 00407C0B

__swprintf.LIBCMT ref: 0041302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412EC6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3f5778217ffe035dbeb9e6aa7ced6736151df79c6a332150587001cdd6fb919c
Instruction ID: ac5d20322bd74122a014bec98a7753125429af1de25079be9997f852fb03dfb2
Opcode Fuzzy Hash: 3f5778217ffe035dbeb9e6aa7ced6736151df79c6a332150587001cdd6fb919c
Instruction Fuzzy Hash: B7917E716082019FD714EF25D985CAF7BE4EF85704F00492FF485A72A1DA38EE49CB5A

Function 0046BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

CoInitialize.OLE32(00000000), ref: 0046BC26
CoCreateInstance.COMBASE(00492D6C,00000000,00000001,00492BDC,?), ref: 0046BC3F
CoUninitialize.COMBASE ref: 0046BC5C

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

Strings

.lnk, xrefs: 0046BC08, 0046BC16

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: fac3638a6a86fcb1ec7bbf16d27df0de60ef628b8aabada6315deb39c6aee254
Instruction ID: 038a0dac91eadc7f8d151fd3961caeb3378ad9cb536dade050a2aa4d4a1657ab
Opcode Fuzzy Hash: fac3638a6a86fcb1ec7bbf16d27df0de60ef628b8aabada6315deb39c6aee254
Instruction Fuzzy Hash: 1EA153716042019FCB00DF15C484E5ABBE5FF88318F14899EF899AB3A2DB35ED45CB96

Function 004069CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00404F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404F6F

_free.LIBCMT ref: 0043E68C
_free.LIBCMT ref: 0043E6D3

Part of subcall function 00406BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0043E462
Bad directive syntax error, xrefs: 0043E6BB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: bd752e85f288cf1628c9de883f2987332688c766a8300617757adf3fc65c633d
Instruction ID: 2258a68d981662f44974eb8b497df540c6efdf5e7203b7320ea2560545df3755
Opcode Fuzzy Hash: bd752e85f288cf1628c9de883f2987332688c766a8300617757adf3fc65c633d
Instruction Fuzzy Hash: 92915E71910219AFCF04EFA6C8819EEB7B4BF18318F54446FE815AB2D1DB38A905CB59

Function 0045B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0045B981

Strings

%I, xrefs: 0045BA24
Container, xrefs: 0045B8FE
AutoIt3GUI, xrefs: 0045B8F9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%I
API String ID: 3565006973-4251005282
Opcode ID: 3fb9462b56e9f1d5454c220b2fa8cf2dcf07b88f42d582d5af6a27e28d50940d
Instruction ID: fb3361167640a3393b05a66091946d0b3b2d9ad6d528c81b3883d5ecba530668
Opcode Fuzzy Hash: 3fb9462b56e9f1d5454c220b2fa8cf2dcf07b88f42d582d5af6a27e28d50940d
Instruction Fuzzy Hash: 66914B70600601AFDB24DF24C885B6ABBE8FF48711F24856EED49CB392DB74E845CB94

Function 0042524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004252DD

Part of subcall function 00430340: __87except.LIBCMT ref: 0043037B

Strings

pow, xrefs: 004252B5, 004252D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
Instruction ID: af649323224186c0ce66bda7a16df25405c3c0d3a13ea4765fd3bccd6769ca7e
Opcode Fuzzy Hash: c0169014571c8a50f035cbb27ee8a623963b058b02fd8f6767b6d6d046ddd236
Instruction Fuzzy Hash: AC517C21B1C60197C710B724E92137F27949F14350FA0ABABE885823E6EE7C8DD4DA5E

Function 0042023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00420277
#, xrefs: 00420280

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 6c84bd09f90cc6f7fd4790ed73ef919812a749d09bf865de6b9f713a90276cf2
Instruction ID: 37aff8002e02ada0918aa30981c6d68896c3d675e4df38188cf454e749cffd85
Opcode Fuzzy Hash: 6c84bd09f90cc6f7fd4790ed73ef919812a749d09bf865de6b9f713a90276cf2
Instruction Fuzzy Hash: EB513232200215CBCB14DF28D4986FA7BB0EF55310F548067EC80AB3A2D7389C4ACB69

Function 00413297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004133D7
_memmove.LIBCMT ref: 00413470
_free.LIBCMT ref: 00413496
_memmove.LIBCMT ref: 00413549

Strings

OaA, xrefs: 00413482

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove$_free
String ID: OaA
API String ID: 2620147621-4189730831
Opcode ID: 739b659de271c5a831d55285b954ba7a3523ea3166d48d6d30b4bb3e5c3a1fe7
Instruction ID: b445b8fa1597fd77ac91e8f36571279a65bd22c4855345799867881e3280ac98
Opcode Fuzzy Hash: 739b659de271c5a831d55285b954ba7a3523ea3166d48d6d30b4bb3e5c3a1fe7
Instruction Fuzzy Hash: 58518AB16083519FDB24CF29C440B6BBBE1BF85304F45496EE88987351DB39D941CB8A

Function 004162F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004163A8
_memmove.LIBCMT ref: 00416446
_memset.LIBCMT ref: 0041646A

Strings

ERCP, xrefs: 00416313

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 25dc1189b28c8648ea83cdad9136b95fe85d6ab8f80ab522c9aa2e22ef6a070d
Instruction ID: 5033df5f12e9d93d71518abbe4fce8200a660ff7c3ad8cb2f73575c85904d8e6
Opcode Fuzzy Hash: 25dc1189b28c8648ea83cdad9136b95fe85d6ab8f80ab522c9aa2e22ef6a070d
Instruction Fuzzy Hash: 9551C0719007199BCB24CF65C881BEBBBF4EF08314F20856FE94AC6251E778D985CB58

Function 00487BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0048F910,00000000,?,?,?,?), ref: 00487C4E
GetWindowLongW.USER32 ref: 00487C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00487C7B

Strings

SysTreeView32, xrefs: 00487C20

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 177043e0096a6338498c49af35321a7d1fa24e2f9e5b94d0aad5231c5ccee2ec
Instruction ID: 396bf68d4a42e6562a5606780666b8eb1b1202c22cd254422b80c8fe13e0d72b
Opcode Fuzzy Hash: 177043e0096a6338498c49af35321a7d1fa24e2f9e5b94d0aad5231c5ccee2ec
Instruction Fuzzy Hash: D631D231204205ABDB11AF34CC45BDB77A9FF44328F204B2AF875A32E0C739E8559B58

Function 00487648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004876D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004876E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00487708

Strings

SysMonthCal32, xrefs: 0048769B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 48ced059ccaca18a31bf9734e89f21d61143e7f73e3f118914c4c81aacdb26e5
Instruction ID: b11ebb0591133ad0ceca22569c350ac422542bbf5e6f42f70d3245ea3f349615
Opcode Fuzzy Hash: 48ced059ccaca18a31bf9734e89f21d61143e7f73e3f118914c4c81aacdb26e5
Instruction Fuzzy Hash: 3321AD32500218ABDF119FA4CC42FEF3B69EF48724F210619FA157B1D0DAB9E8559BA4

Function 00487E02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00487EB9
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00487EC7
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00487ECE

Strings

msctls_updown32, xrefs: 00487E33

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2904327e902c7bfe1989253cc9c64ac4461eb3afc2572be253709f452dd615a8
Instruction ID: 1ee83c8879250f7bff40692ff96a07f85f8deef5ef77c2fb66b85819d0c631c9
Opcode Fuzzy Hash: 2904327e902c7bfe1989253cc9c64ac4461eb3afc2572be253709f452dd615a8
Instruction Fuzzy Hash: F1216DB5604208AFDB10EF18DC91D7B37ACEF49398B15486AF900973A1CB75EC518B78

Function 00486F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486FDF

Strings

Listbox, xrefs: 00486F77

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 50f4d73c5b6d16030b768c105e68ad76c3469d1e98ef9a13d2c05636ed066bfe
Instruction ID: 0ce34a500377e520db2c9b3f5edb2fec5616d4ee1fe5b53d930dc8dde0b0bcbf
Opcode Fuzzy Hash: 50f4d73c5b6d16030b768c105e68ad76c3469d1e98ef9a13d2c05636ed066bfe
Instruction Fuzzy Hash: 4321D032610118BFDF51AF54DC84EAF37AAEF89754F028529FB049B290CA75EC518BA4

Function 00473CDD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00473D5A

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00473D4C
%I, xrefs: 00473CE8
, $, xrefs: 00473D9A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%I
API String ID: 3506404897-3751216540
Opcode ID: 743b270eaeda19e7c26223885a7bf0383aa669190de2dd5b096a03cc1b9e736d
Instruction ID: 991e62ca2d85527952959e0cb6d74c1b8c3b79d2a13ecd2fa9961f4cfe28b1de
Opcode Fuzzy Hash: 743b270eaeda19e7c26223885a7bf0383aa669190de2dd5b096a03cc1b9e736d
Instruction Fuzzy Hash: DE218671600219AACF10EF65CC81AED7764BF44704F5044AFF409A7281D738EE55DBAA

Function 0045912D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0045914F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00459166
SendMessageW.USER32(?,0000000D,?,00000000), ref: 0045919E

Strings

@U=u, xrefs: 0045919E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d6795b1dd408d7ee46a558c45afcf07be8c9455ceefc0a85c9c2663bd441b3c4
Instruction ID: bc452910099fe68286eb3a03db0f599059096e3509b0e06beef28d7a73df4eca
Opcode Fuzzy Hash: d6795b1dd408d7ee46a558c45afcf07be8c9455ceefc0a85c9c2663bd441b3c4
Instruction Fuzzy Hash: B0210731600219FBDF10DB68DC459AFB7BDEF44340F15045BE904E3291DA756D058B54

Function 004760EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 0047613B
SendMessageW.USER32(0000000C,00000000,?), ref: 0047617C
SendMessageW.USER32(0000000C,00000000,?), ref: 004761A4

Strings

@U=u, xrefs: 0047613B, 0047617C, 004761A4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 417cfdf4ad3cc78a5aa1147354c5e26680f2ab6c017fd43cafd87de5c6560e3e
Instruction ID: d183b464372dd173c413b5dd48f20cd8345a6942ba7efaff71545a183595c39a
Opcode Fuzzy Hash: 417cfdf4ad3cc78a5aa1147354c5e26680f2ab6c017fd43cafd87de5c6560e3e
Instruction Fuzzy Hash: 97216D71210901AFEB10EF15DD89D6AB7E6FF49314742856AF809AB672CB34BC51CB88

Function 0048797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004879E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004879F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487A03

Strings

msctls_trackbar32, xrefs: 004879B8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7d4f79ef56ba87ecbde27f57f64b9d34404bab4822e94b49ae9255db5ebe1ead
Instruction ID: 72fa7abb3685bd86e690d6358780c5c9723b29a5f6cc907360f57c26010fc8b2
Opcode Fuzzy Hash: 7d4f79ef56ba87ecbde27f57f64b9d34404bab4822e94b49ae9255db5ebe1ead
Instruction Fuzzy Hash: BB112772244208BEEF14AF60CC05FDF37ADEF88764F11492EF601A2190D275D811DB64

Function 00486B8F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00486C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00486C20

Strings

edit, xrefs: 00486BF5
@U=u, xrefs: 00486C20

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 0ee778e15671e51e222ddf6b494b90a822ca39a2f7f3572f5c0e2ac18639bf76
Instruction ID: b0ee5d61ad9eb474c31c7c598f165b0da72494184ac180eda5d14d3501cef6af
Opcode Fuzzy Hash: 0ee778e15671e51e222ddf6b494b90a822ca39a2f7f3572f5c0e2ac18639bf76
Instruction Fuzzy Hash: 3B119D71501118ABEB506E649C41AAF3769EF04378F614B2AF960D72E0C739EC919B68

Function 004592E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00459355

Strings

ComboBox, xrefs: 004592F4
@U=u, xrefs: 00459355
ListBox, xrefs: 0045931F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 081a347d53af5db02297991ae98fc4ae6ec17b504d5259b2d97367f275c4f3e1
Instruction ID: 6620effe564b75a25fa02a736a26139334114495a10e04aac7c18130fab69908
Opcode Fuzzy Hash: 081a347d53af5db02297991ae98fc4ae6ec17b504d5259b2d97367f275c4f3e1
Instruction Fuzzy Hash: EF01D671A41214EBCB04EB61CC918FE7369FF09310B10061EFD32672D2DA395C0C8659

Function 004591DF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0045924D

Strings

ComboBox, xrefs: 004591EC
@U=u, xrefs: 0045924D
ListBox, xrefs: 00459217

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 56daa4005e3d4a6db2a3215e2f17c3a89defa85a16b469da9e2336cd0d18ce57
Instruction ID: 1bae8beb06e11a3a3c25d4cdb8b0a3748c736b1d327c5f25b64b5c832a8fa69b
Opcode Fuzzy Hash: 56daa4005e3d4a6db2a3215e2f17c3a89defa85a16b469da9e2336cd0d18ce57
Instruction Fuzzy Hash: A901DD71A41104B7CB15E7A1C852DFF7398DF05301F14006FB912772C2DA286E0C9679

Function 00459264 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F41: _memmove.LIBCMT ref: 00407F82

Part of subcall function 0045B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0045B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 004592D0

Strings

ComboBox, xrefs: 00459271
@U=u, xrefs: 004592D0
ListBox, xrefs: 0045929C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 25b225cc288e4f3a30ede1ac21948d545f93e27b85ae05057f1b43de75bd42c0
Instruction ID: ec6f3d5737f0e0d30d2369f9c6c2f429bc5a5c658118d26cb771477774c35381
Opcode Fuzzy Hash: 25b225cc288e4f3a30ede1ac21948d545f93e27b85ae05057f1b43de75bd42c0
Instruction Fuzzy Hash: 4501D871A81108B7CB01E6A1C841AEF73589B04301F24056BBD01732C2DA295E0C967A

Function 0048AF89 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,004C67B0,0048DB17,000000FC,?,00000000,00000000,?,?,?,0043BBB9,?,?,?,?,?), ref: 0048AF8B
GetFocus.USER32 ref: 0048AF93

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 0048B005

Strings

@U=u, xrefs: 0048B005

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 0ecd1e1a7da1389697b65e818d7c02a8af581da44cd7768338b7023882e0532e
Instruction ID: 2fc886fed9e5f09cec1edbe60cc3e8418443125a6e2f2d9c90153a0919fccab7
Opcode Fuzzy Hash: 0ecd1e1a7da1389697b65e818d7c02a8af581da44cd7768338b7023882e0532e
Instruction Fuzzy Hash: DC0188352019009FC724AB28D884A6B37E5EF8A314B194A7EE411D73A1DB356C47CF54

Function 004161C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004161B1

SendMessageW.USER32(?,0000000C,00000000,?), ref: 004161DF
GetParent.USER32(?), ref: 0045111F
InvalidateRect.USER32(00000000,?,00413BAF,?,00000000,00000001), ref: 00451126

Strings

@U=u, xrefs: 004161DF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 94d54cd9fcb172c63212de8bdadc9aac10f25db1826d72f187f4058654f842e1
Instruction ID: e6ad5178274ce5e838139f8508ad10f312153a65d06928a718ff3a7489e850dd
Opcode Fuzzy Hash: 94d54cd9fcb172c63212de8bdadc9aac10f25db1826d72f187f4058654f842e1
Instruction Fuzzy Hash: 4DF0E531100204FBEF201F60DC09FD67B68AF15344F2144BEF941AA1B3D6BA989AAB58

Function 0047C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00441D88,?), ref: 0047C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0047C324

Strings

kernel32.dll, xrefs: 0047C30D
GetSystemWow64DirectoryW, xrefs: 0047C31E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
Instruction ID: 448837d343b809a7a747f76761528a7c57238ea74050f81ad14c4a4b07cc8ac9
Opcode Fuzzy Hash: 8f6b8fbc5ae0276c8692dd60ba773bbd6744e56ae64103a06af9cbd1890bf6c2
Instruction Fuzzy Hash: FFE08C70200303CFCB205F25C848B8B76D4EB08714B90C83FE899C2310E778D880CBA8

Function 00404C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404C2E), ref: 00404CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404CB5

Strings

kernel32.dll, xrefs: 00404C9E
GetNativeSystemInfo, xrefs: 00404CAF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction ID: 04ac41d75f1c9d427c50c0ff68074fa7ac0788071283bd8ed0c5af36185ae805
Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction Fuzzy Hash: 77D01270510723CFD720AF31D91874A76D5AF45751F218C3F9885D6690D678D8C4C758

Function 00404D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404D2E,?,00404F4F,?,004C62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404D7B
kernel32.dll, xrefs: 00404D6A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
Instruction ID: 138340c1bb7cbddbf6dc8479dd470e83836704d62684dbb944a4f44490343f19
Opcode Fuzzy Hash: fc980e23cb8f5420eddcc0b614f2834b55be2bd1e6444ffbd0018dc10b9e249f
Instruction Fuzzy Hash: FED01770610713CFD720AF31D80875A76E8AF55762B218D3FD886E6690E678D8C4CB68

Function 00404D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404CE1,?), ref: 00404DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404DB4

Strings

kernel32.dll, xrefs: 00404D9D
Wow64RevertWow64FsRedirection, xrefs: 00404DAE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 5f018ec53565a5f854ca009f39446564a5e562c2ecce425f19b837535b5d9e77
Instruction ID: c07e40ce446ef711e38c2592c227d3dcacdcaf999f73730374c34c972243728b
Opcode Fuzzy Hash: 5f018ec53565a5f854ca009f39446564a5e562c2ecce425f19b837535b5d9e77
Instruction Fuzzy Hash: FCD08270600312CFCB20AF30C808B8A72E4AF04350B208C3FD882E2290E778D8808BA8

Function 00481072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004812C1), ref: 00481080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00481092

Strings

advapi32.dll, xrefs: 0048107B
RegDeleteKeyExW, xrefs: 0048108C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5432263b595bc88e73955ff6abb87fff0dce376b2d0410ec06021eb204bdef28
Instruction ID: 5e15114a56d8aa9444be57a811800652e6f894b744c13089c9d7ea1a68ee7c5c
Opcode Fuzzy Hash: 5432263b595bc88e73955ff6abb87fff0dce376b2d0410ec06021eb204bdef28
Instruction Fuzzy Hash: 58D0EC30510712CFD7215B35D81C65B76E8AF05751B118D7FA485D6660D7B8C8C08754

Function 004793F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00479009,?,0048F910), ref: 00479403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479415

Strings

kernel32.dll, xrefs: 004793FE
GetModuleHandleExW, xrefs: 0047940F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f46959386ec8eaee520539439fd1a652cf0d80df6da373f870bd47e602d76f14
Instruction ID: 89bc650762a107f9f6904b3bf3589b9947f4ec562fbb3dff71b805a81f67d5c0
Opcode Fuzzy Hash: f46959386ec8eaee520539439fd1a652cf0d80df6da373f870bd47e602d76f14
Instruction Fuzzy Hash: AAD0E234654722CFD7209B31D90968B76E5AF05751B21CC3EA48AD6A50E678D8848B68

Function 00441B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00441B42
__swprintf.LIBCMT ref: 00441B73

Strings

WIN_XPe, xrefs: 00441BB2
%.3d, xrefs: 00441B4D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: c18ac069e1d6eb3ecd6810b2c64f4779c8ba0f418c5f4b219093c25649736dfb
Instruction ID: 41f1b97e473b991b9022892c38b55fdedc2d4ba70ca61e7e94cb44e346d53a61
Opcode Fuzzy Hash: c18ac069e1d6eb3ecd6810b2c64f4779c8ba0f418c5f4b219093c25649736dfb
Instruction Fuzzy Hash: 78D0EC71804158EADA449A9098449F9737CE708301F6005A3B506A2450F23DABD69B2F

Function 004576C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction ID: 5f60346f4440b9fe6298feee7a8cd4ef23557f5833b865c9cfb6b317c071e1ce
Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction Fuzzy Hash: 35C19E74A04216EFDB14CF94D884EAEB7B5FF48311B1085AAE805EB352D734ED85CBA4

Function 0047E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0047E3D2
CharLowerBuffW.USER32(?,?), ref: 0047E415

Part of subcall function 0047DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E615
_memmove.LIBCMT ref: 0047E628

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 48e981bf62c635b570148dfa2affe7247a6971d3e032606c3bb20cc041e0bd07
Instruction ID: 80b051cf2ab951ccf297da5510636163c0a0dc3ae66239572b6f960bcb05a383
Opcode Fuzzy Hash: 48e981bf62c635b570148dfa2affe7247a6971d3e032606c3bb20cc041e0bd07
Instruction Fuzzy Hash: B2C16C716083119FC714DF29C48095ABBE4FF89318F148AAEF8999B352D774E906CF86

Function 004783A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004783D8
CoUninitialize.COMBASE ref: 004783E3

Part of subcall function 0045DA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0045DAC5

VariantInit.OLEAUT32(?), ref: 004783EE
VariantClear.OLEAUT32(?), ref: 004786BF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 065c990e65d06595cae4a9ed6318db3f2964fcdf530f3ec32a6142663b0ff495
Instruction ID: 78c33319c2be2a516549ee273f6aef3c6ebb19b695401cb4f907ce4bdffe06cf
Opcode Fuzzy Hash: 065c990e65d06595cae4a9ed6318db3f2964fcdf530f3ec32a6142663b0ff495
Instruction Fuzzy Hash: 1BA15E75244701AFDB10DF55C485B5AB7E4BF88318F14845EF99AAB3A2CB38ED04CB4A

Function 00457A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 00457C32
CoTaskMemFree.COMBASE(00000000), ref: 00457C4A
CLSIDFromProgID.COMBASE(?,?), ref: 00457C6F
_memcmp.LIBCMT ref: 00457C90

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 511b95a9eecb747f9843946adb616e2a46cbfe7e4f1297cea05db2c543a9a1f7
Instruction ID: f139bf706871657843ff4518930df34df8ed479ad379568e6a589584bca42520
Opcode Fuzzy Hash: 511b95a9eecb747f9843946adb616e2a46cbfe7e4f1297cea05db2c543a9a1f7
Instruction Fuzzy Hash: 6A814F71A00109EFCB00DF94C984EEEB7B9FF89315F2041A9F905AB251DB75AE09CB64

Function 00456DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00456E04
SysAllocString.OLEAUT32(00000000), ref: 00456EAD
VariantCopy.OLEAUT32 ref: 00456EDC
VariantClear.OLEAUT32(?), ref: 00456F03

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 820f0dba6bd42301275a6265192ce254452f04d0cefef6a0a2b4fef47df2d656
Instruction ID: 493451d42fa2cf72034c46684ab61465e33aa78788b401b925ba93198380c5c1
Opcode Fuzzy Hash: 820f0dba6bd42301275a6265192ce254452f04d0cefef6a0a2b4fef47df2d656
Instruction Fuzzy Hash: EB510D316047019BDB209F66E881A2EB3E59F48715F60883FED46C72D3DB789849DB0D

Function 004697E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00405045: _fseek.LIBCMT ref: 0040505D

Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AAE
Part of subcall function 004699BE: _wcscmp.LIBCMT ref: 00469AC1

_free.LIBCMT ref: 0046992C
_free.LIBCMT ref: 00469933
_free.LIBCMT ref: 0046999E

Part of subcall function 00422F95: HeapFree.KERNEL32(00000000,00000000,?,00429C64), ref: 00422FA9
Part of subcall function 00422F95: GetLastError.KERNEL32(00000000,?,00429C64), ref: 00422FBB

_free.LIBCMT ref: 004699A6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 88e032742d06d326e4d6d5cc1431d5dcb2cd90c0f8f7e6ce6201bb629da5c016
Instruction ID: aea911c9e8d6c7baa485eb259c959778deb43e5282718a6a3eaa8d141b9c537f
Opcode Fuzzy Hash: 88e032742d06d326e4d6d5cc1431d5dcb2cd90c0f8f7e6ce6201bb629da5c016
Instruction Fuzzy Hash: 2B512DB1A04218AFDF249F65DC41A9EBB79EF48314F1004AEB609A7281DB755E80CF5D

Function 0042493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004249D0
__flush.LIBCMT ref: 004249F0
__write.LIBCMT ref: 00424A23
__flsbuf.LIBCMT ref: 00424A51

Part of subcall function 00428D68: __getptd_noexit.LIBCMT ref: 00428D68

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction ID: 44f2cbb3ea973b2da694034fd3275bff3404365078f258258cd20a66cb2e0f27
Opcode Fuzzy Hash: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction Fuzzy Hash: FE41E5B07006259BDB288EB9E88096F77A6EFC0360B64816FE85587740D7799D818B4C

Function 0046BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0046BB09
GetLastError.KERNEL32(?,00000000), ref: 0046BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0046BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0046BB80

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7d4c3f819cdbef438a43595e79e481deff2ae3b7a43f21d398b0a19bb563e8ae
Instruction ID: 49076c1f2e021a37f8aa73fa151b50ed520da2b4e34a445023821da6fd8ec2a5
Opcode Fuzzy Hash: 7d4c3f819cdbef438a43595e79e481deff2ae3b7a43f21d398b0a19bb563e8ae
Instruction Fuzzy Hash: B7412F39600510DFCB10EF59C58495DBBE1EF49314B05849EEC4AAB7A2DB38FD41CB95

Function 0048ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AE1A
GetWindowRect.USER32(?,?), ref: 0048AE90
PtInRect.USER32(?,?,0048C304), ref: 0048AEA0
MessageBeep.USER32(00000000), ref: 0048AF11

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
Instruction ID: 20aafe120d683b7536ec1c361d9cbfa3becb7b0e8fd9f7a68ee45a873ef900b5
Opcode Fuzzy Hash: 6a18ba18eb21849e9a78bd79b6f84d7a3cce87d2be61423b7a6c01e025f158a7
Instruction Fuzzy Hash: 72419A70A001099FEB11EF58C884A6D7BF1FF48340F1889BBEA049B351D7B4A812DF5A

Function 00460FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00461037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00461053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 004610B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0046110B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction ID: 858596a3270a81407411c1b9f6ce7b0733e7ce38917833693a8278b9945e91ef
Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction Fuzzy Hash: 33312C70E40688AEFF308A668C05BFBBBA9AB45310F0C421BE54152AF1E37D49C5975B

Function 00461121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00461176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00461192
PostMessageW.USER32(00000000,00000101,00000000), ref: 004611F1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00461243

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction ID: 7fc8b11940ae94cab915bb0129d7889fd94765dd41f44bc06aee23e8cda00f34
Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction Fuzzy Hash: 3031093094064C6EEF308A65C8157FF7BA9AB4A310F0C475FE580922E1E73C4955975B

Function 00436415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043644B
__isleadbyte_l.LIBCMT ref: 00436479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004364DD

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
Instruction ID: 00bfbab79281597f36fe53e4f64e7450777474697505dafcb940073344e51601
Opcode Fuzzy Hash: f95d2081635511957ee21cbff85720af553d1923269aba5ee5c8224bed042a40
Instruction Fuzzy Hash: 4A31F030A00257BFDB218F65CC44BAB7BA9FF59310F16802AE8548B290D738E850DB9C

Function 00485175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00485189

Part of subcall function 0046387D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00463897
Part of subcall function 0046387D: GetCurrentThreadId.KERNEL32 ref: 0046389E
Part of subcall function 0046387D: AttachThreadInput.USER32(00000000,?,004652A7), ref: 004638A5

GetCaretPos.USER32(?), ref: 0048519A
ClientToScreen.USER32(00000000,?), ref: 004851D5
GetForegroundWindow.USER32 ref: 004851DB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3c9b5327ebac13a768b74175cc57b937fb41fc61521e6e08e719a121656fbf4d
Instruction ID: 9097aa05944612f658a49df0936e4ce841ce621ee0b45c22d7eaa76826a8875f
Opcode Fuzzy Hash: 3c9b5327ebac13a768b74175cc57b937fb41fc61521e6e08e719a121656fbf4d
Instruction Fuzzy Hash: 2D311071E00108AFDB04EFA6C8459EFB7F9EF98304F10447AE515E7242EA799E05CBA5

Function 00463E91 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00463EB6
Process32FirstW.KERNEL32(00000000,?), ref: 00463EC4
Process32NextW.KERNEL32(00000000,?), ref: 00463EE4
CloseHandle.KERNEL32(00000000), ref: 00463F8E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 77522329a44347bbf8fc348e764358a789e0c4bc50511c7c73329d42e89b5663
Instruction ID: bc57a40dc23490dc388bdabf7fd9d7894261e16e4d08916f741d4787c1592c25
Opcode Fuzzy Hash: 77522329a44347bbf8fc348e764358a789e0c4bc50511c7c73329d42e89b5663
Instruction Fuzzy Hash: B731C2715083419FD304EF21C885AAFBBF8EF99344F10093EF481921A1EB75AA49CB57

Function 00420BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00420BF2

Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467B20,?,?,00000000), ref: 00405B8C
Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467B20,?,?,00000000,?,?), ref: 00405BB0

_fprintf.LIBCMT ref: 00420C29
OutputDebugStringW.KERNEL32(?), ref: 00456331

Part of subcall function 00424CDA: _flsall.LIBCMT ref: 00424CF3

__setmode.LIBCMT ref: 00420C5E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 6e4a94b772ac4b967d42855e17e29d997ab8debf4d15677bffba9a114a18faf8
Instruction ID: 67bbc7bd6f20af13a6fc8561dd9091ed48981cac713344a594c0177f25e59198
Opcode Fuzzy Hash: 6e4a94b772ac4b967d42855e17e29d997ab8debf4d15677bffba9a114a18faf8
Instruction Fuzzy Hash: 2F1157B2B042146ACB0873B6BC429BE7B68DF85324F94012FF104672C2DE3C5D86479D

Function 00458B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00458652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458669
Part of subcall function 00458652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00458673
Part of subcall function 00458652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458682
Part of subcall function 00458652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00458689
Part of subcall function 00458652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00458BEB
_memcmp.LIBCMT ref: 00458C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00458C44
HeapFree.KERNEL32(00000000), ref: 00458C4B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 208746fd2fd5bb64d0a45fedb2500164b8e59e11485687c400f91a0a1fe06eee
Instruction ID: 355716cb9054a60584b648ac7031298a29ad9af9abb204e3e16fc33d6d38b673
Opcode Fuzzy Hash: 208746fd2fd5bb64d0a45fedb2500164b8e59e11485687c400f91a0a1fe06eee
Instruction Fuzzy Hash: 31216B71E01208EFDB10DFA4C949BAEB7B8EF44356F14406EE954A7241DF35AE0ACB64

Function 00471A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00471A97

Part of subcall function 00471B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00471B40
Part of subcall function 00471B21: InternetCloseHandle.WININET(00000000), ref: 00471BDD

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction ID: 6bca59068395d17cc9b1d6ecd79d505e916fe66dc72e7fe7cd3c40e7ad3efc68
Opcode Fuzzy Hash: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction Fuzzy Hash: 1521C235200600BFEB119F648C01FFBB7ADFF44700F10842FF90996660E775A815A798

Function 00463C66 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0048FAC0), ref: 00463CA0
GetLastError.KERNEL32 ref: 00463CAF
CreateDirectoryW.KERNEL32(?,00000000), ref: 00463CBE
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0048FAC0), ref: 00463D1B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 226eca39ff9fab9d9c3ddc31e8351b68e142fb169fb48af01f4ee84a0453fa14
Instruction ID: 61e4bd82c17615ed810ca328f47ad916d02fe1ba3e4930d0acb2c488528ce3dd
Opcode Fuzzy Hash: 226eca39ff9fab9d9c3ddc31e8351b68e142fb169fb48af01f4ee84a0453fa14
Instruction Fuzzy Hash: BA2191705082419FD300DF24C88085BB7E4EE5A369F104A6EF499972E1E7389E0ACB9B

Function 00485F98 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00486007
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00486021
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0048602F
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 0048603D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a452ecf2e2f7128d1cb9823ccf7871977d88e398699769c7bfe7a1047f297024
Instruction ID: 9fad1ecab75304ddfdc5242209ac9128f42f3e7ce572142d6f5ac2d669a18743
Opcode Fuzzy Hash: a452ecf2e2f7128d1cb9823ccf7871977d88e398699769c7bfe7a1047f297024
Instruction Fuzzy Hash: 13119D31204510AFDB04AB15DC05FBE7799AF46324F05492EF916D72E2CB78AD01879D

Function 0045E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0045E1C4,?,?,?,0045EFB7,00000000,000000EF,00000119,?,?), ref: 0045F5BC
Part of subcall function 0045F5AD: lstrcpyW.KERNEL32(00000000,?,?,0045E1C4,?,?,?,0045EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0045F5E2
Part of subcall function 0045F5AD: lstrcmpiW.KERNEL32(00000000,?,0045E1C4,?,?,?,0045EFB7,00000000,000000EF,00000119,?,?), ref: 0045F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0045EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0045E1DD
lstrcpyW.KERNEL32(00000000,?,?,0045EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0045E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0045EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0045E237

Strings

cdecl, xrefs: 0045E22E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 31cfb41ccb7c23ac5b8fcd508dd3950c82ea28f1eac7b7edeeb55994133d908f
Instruction ID: 22506efb5713b37d7609f33c51d8cac2a6d840cd6fd28f90ee3cef950c18954c
Opcode Fuzzy Hash: 31cfb41ccb7c23ac5b8fcd508dd3950c82ea28f1eac7b7edeeb55994133d908f
Instruction Fuzzy Hash: 6611E136200344EFCB28AF65D84997A37A8FF44310B40402BFC06CB265EB759959C7A8

Function 00435332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00435351

Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(03220000,00000000,00000001), ref: 0042598F

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 36e0ef2bc8f4de4ef9d5c069e1c89809c79411b9c9b7202b80a2f6c50a7f8c24
Instruction ID: ca36ded951c5b74dcd14922bdbfcb28a3672708b69dba933c6c60362b96cb12c
Opcode Fuzzy Hash: 36e0ef2bc8f4de4ef9d5c069e1c89809c79411b9c9b7202b80a2f6c50a7f8c24
Instruction Fuzzy Hash: 7211C132605A25AECB212F71B84565E37A89F183B4F60182FFD049A290DABD8941879D

Function 00404531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404560

Part of subcall function 0040410D: _memset.LIBCMT ref: 0040418D
Part of subcall function 0040410D: _wcscpy.LIBCMT ref: 004041E1
Part of subcall function 0040410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004041F1

KillTimer.USER32(?,00000001,?,?), ref: 004045B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004045C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D6CE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c13075680287430ca24cb56ce9613c291e384b8b49fca2b8204c578aded441ca
Instruction ID: ee13d0e14117257c6e1bf6a2afa9c18cb2a9610526be340c73f4befcf8864d37
Opcode Fuzzy Hash: c13075680287430ca24cb56ce9613c291e384b8b49fca2b8204c578aded441ca
Instruction Fuzzy Hash: 14210AB0904784AFE7328B24DC45BE7BBEC9F45308F0000AFE79E66281C7781A858B59

Function 004640B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004640D1
_memset.LIBCMT ref: 004640F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00464144
CloseHandle.KERNEL32(00000000), ref: 0046414D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 93ad936bbe24fc676184c576e2b1c9cddc1e4430d0fb4d96de81dc3ab4865bcc
Instruction ID: 719960fe0c07852591d665f043a0fedc98cd4db8602d9c77da6a269475ac241c
Opcode Fuzzy Hash: 93ad936bbe24fc676184c576e2b1c9cddc1e4430d0fb4d96de81dc3ab4865bcc
Instruction Fuzzy Hash: 2C11EB759012287AD7309BA5AC4DFABBB7CEF84760F1045AAF908D7180D6744E848BA9

Function 00458AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00458B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00458B31
CloseHandle.KERNEL32(00000004), ref: 00458B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458B7A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction ID: ed19e33b2e557f2e2ca8f62c6805ad1c4b171ce5596787009a0f785d8ccbcb68
Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction Fuzzy Hash: 47115EB250020DABDF018F94DD49FDE7BADEF08305F144069FE04A2161CB759D68AB65

Function 0047667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467B20,?,?,00000000), ref: 00405B8C
Part of subcall function 00405B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467B20,?,?,00000000,?,?), ref: 00405BB0

gethostbyname.WS2_32(?), ref: 004766AC
WSAGetLastError.WS2_32(00000000), ref: 004766B7
_memmove.LIBCMT ref: 004766E4
inet_ntoa.WS2_32(?), ref: 004766EF

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 0f335439a31508d61bee4739c29b6b413051689d13716f5ea1bafdb3b9125b1e
Instruction ID: 219db731095ee8e89c2d9fb5854f64a06ec78ed701087f43f44ef8eec96bb078
Opcode Fuzzy Hash: 0f335439a31508d61bee4739c29b6b413051689d13716f5ea1bafdb3b9125b1e
Instruction Fuzzy Hash: 06114F75500508ABCB04FBA5D986DEE77B8EF44314B14407EF506B72A2DB34AE14CB69

Function 00459023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00459043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00459055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0045906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00459086

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction ID: ea11c295a1b5830ac64b7cd386b9bd11a908e5797feff80cff23e6c095b925d2
Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction Fuzzy Hash: 84115E79900218FFDB10DFA5CC84E9EBBB4FB48710F2040A6EA04B7291D6716E55DB94

Function 00461652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004601FD,?,00461250,?,00008000), ref: 0046166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,004601FD,?,00461250,?,00008000), ref: 00461694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004601FD,?,00461250,?,00008000), ref: 0046169E
Sleep.KERNEL32(?,?,?,?,?,?,?,004601FD,?,00461250,?,00008000), ref: 004616D1

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0b4158977cd20458f831617008364a677d5e8f004bfccfd560a8846e3b24cbac
Instruction ID: 3f0d788a5ca093e10d78b07811411c4065f6d909a54a70e169c6da1dd9049ef0
Opcode Fuzzy Hash: 0b4158977cd20458f831617008364a677d5e8f004bfccfd560a8846e3b24cbac
Instruction Fuzzy Hash: E6115A35D0052DE7CF009FA5D948AEEBB78FF09701F08446BE940B2250DB3459608B9B

Function 0045DD22 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0045DD3E
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0045DD55
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0045DD6A
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0045DD88

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction ID: 2ccaf94210031e5a4a241784dbbecc0afafc613e3b0373c782b97d99be6d998e
Opcode Fuzzy Hash: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction Fuzzy Hash: 7F117CB1601304ABE730CF10DC48BA6BBB8EF00B05F10896EA916C6151D7B4E94DDBA5

Function 00437207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043722B

Part of subcall function 00437912: __fltout2.LIBCMT ref: 0043793B

__cftog_l.LIBCMT ref: 00437251
__cftoe_l.LIBCMT ref: 00437283

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 99b9b692cf18fd2280f287716e5b4489036060bef9d5190ceb0c0b5b499c977f
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 71016DB204418EBBCF225E84CC018EE3F22BF1D354F089656FE9858121C23AC9B1AB85

Function 0048B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0048B59E
ScreenToClient.USER32(?,?), ref: 0048B5B6
ScreenToClient.USER32(?,?), ref: 0048B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B5F5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction ID: c1ec13a6a315efdf6b243f43d6614c5161e9ce39f19ad1524a172358c11b1c05
Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction Fuzzy Hash: 261146B5D00209EFDB41DF99C444AEEFBB5FF18310F104566E914E3620D735AA558F94

Function 0048B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048B8FE
_memset.LIBCMT ref: 0048B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C7F20,004C7F64), ref: 0048B93C
CloseHandle.KERNEL32 ref: 0048B94E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: aef966b7f9c6a9e5f3feef3a5550379141bbff02af3ee6c922963a207ea2d008
Instruction ID: 82d0d7306074909859a51e75144c9fe9cb012601897826516f2148835353e407
Opcode Fuzzy Hash: aef966b7f9c6a9e5f3feef3a5550379141bbff02af3ee6c922963a207ea2d008
Instruction Fuzzy Hash: DDF05EB26443107BE2506B61AC85FBB3A5CEB08358F00443AFB08D5296D77959008BBC

Function 00466E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00466E88

Part of subcall function 0046794E: _memset.LIBCMT ref: 00467983

_memmove.LIBCMT ref: 00466EAB
_memset.LIBCMT ref: 00466EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00466EC8

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 96c74954bd685c91258ce5faf6c7e6a13a1bde22689a5f724bac7d52161ac13a
Instruction ID: bbce83c9927a19e41ef43a21b535888cba676bcad77ccd860fdc48b39629558a
Opcode Fuzzy Hash: 96c74954bd685c91258ce5faf6c7e6a13a1bde22689a5f724bac7d52161ac13a
Instruction Fuzzy Hash: 77F0547A200210ABCF016F55EC85E49BB29EF45324B048069FE085E22AD739A915CBB9

Function 0048C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004012F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040135C
Part of subcall function 004012F3: BeginPath.GDI32(?), ref: 00401373
Part of subcall function 004012F3: SelectObject.GDI32(?,00000000), ref: 0040139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0048C030
LineTo.GDI32(00000000,?,?), ref: 0048C03D
EndPath.GDI32(00000000), ref: 0048C04D
StrokePath.GDI32(00000000), ref: 0048C05B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
Instruction ID: 674b4468024ad211d301666b20e3bfa7de505a3549e2e29f62cfbf593809ea28
Opcode Fuzzy Hash: edfbcd623de5c465fbf958c9dabb36f9443974b16c1799f8a50be9d4dd4f4236
Instruction Fuzzy Hash: BAF0BE31001219BBDB127F90AC09FCE3F58AF06310F148429FA11210E287794564DBAD

Function 0045A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0045A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A3AC
GetCurrentThreadId.KERNEL32 ref: 0045A3B3
AttachThreadInput.USER32(00000000), ref: 0045A3BA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 59fde793fe6ed64e4cc0a9af18dd4c6470d45542e5beb6ebbb22759278acb506
Instruction ID: ed216a13ff48d043802f8fe8c2a36ac0c7a485d78d52065609e6dcc2b31109e9
Opcode Fuzzy Hash: 59fde793fe6ed64e4cc0a9af18dd4c6470d45542e5beb6ebbb22759278acb506
Instruction Fuzzy Hash: 86E03931141228BBDB201BA2DC0CEDB3F1CEF167A2F008639F90894061D7798969DBA9

Function 00402218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetWindowDC.USER32(?,00000000), ref: 0043C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0043C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0043C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0043C112
GetPixel.GDI32(00000000,?,?), ref: 0043C132
ReleaseDC.USER32(?,00000000), ref: 0043C13D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
Instruction ID: 007a7e945b926db1975f0eb4024d1954444be121fda63f18d3fd7a61cce91000
Opcode Fuzzy Hash: 27b2581c254cdff319ff0ea5d8f2be35128cc34943b3abbe395981e759962590
Instruction Fuzzy Hash: 58E03932100244EADB215FA8EC4D7DD3B20AB05332F10837AFAA9580E287764994DB15

Function 00458C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00458C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0045882E), ref: 00458C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0045882E), ref: 00458C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0045882E), ref: 00458C7E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction ID: 148d01963af32c2189f656cf55398bdaca1906d37348cb6d923cd77144567ac4
Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction Fuzzy Hash: 12E04F366422119BE7205FB46D0CB5B3BA8AF55792F144C3CA645D9041DA3884498B65

Function 00442187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00442187
GetDC.USER32(00000000), ref: 00442191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
ReleaseDC.USER32(?), ref: 004421D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5bbe9da29bb028000d041de13fcf9ef3459c43b5ca73f2136cb50eb93e1f9c3e
Instruction ID: e80bcdaed25015b38fc075b9af120d0661f73bd954452babf2cca2976e4e6e99
Opcode Fuzzy Hash: 5bbe9da29bb028000d041de13fcf9ef3459c43b5ca73f2136cb50eb93e1f9c3e
Instruction Fuzzy Hash: 8BE01A75900204EFDB019FA0C808A9D7BF1EF5C350F108A3AF95AE7260DB7885569F49

Function 0044219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044219B
GetDC.USER32(00000000), ref: 004421A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004421B1
ReleaseDC.USER32(?), ref: 004421D2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 759070b2aa7e70da72d0065fe67b3aad0a5dd84fe2bb9f944ae5bc76f43ec042
Instruction ID: 0585887194f83d5896a0f01572a955ee9a0ca529f388d05c95cdd3c21f880870
Opcode Fuzzy Hash: 759070b2aa7e70da72d0065fe67b3aad0a5dd84fe2bb9f944ae5bc76f43ec042
Instruction Fuzzy Hash: 98E01A75900204EFCB019FB0C80869D7BF1EF5C310F108939F95AA7260DB3895569F48

Function 004063A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 004063AE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: 10bc22d3a36bae35ab1d4e8ed8fa07b7d8aaa2106dbbc3f79f194b17351ec6b0
Instruction ID: 84bc00bdb2e4020951578f3af3c94fec4ee35539559d4017637e04890254edec
Opcode Fuzzy Hash: 10bc22d3a36bae35ab1d4e8ed8fa07b7d8aaa2106dbbc3f79f194b17351ec6b0
Instruction Fuzzy Hash: 25B18F71900109AACF14EB99C8819EEB7B4EF44314F51403BE903B72D5DA3C9D96CB5E

Function 0047B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0047B2C3

Strings

xrL, xrefs: 0047B2F9
xrL, xrefs: 0047B325

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __itow_s
String ID: xrL$xrL
API String ID: 3653519197-2396213246
Opcode ID: 6cdbd28f4cd270a4002642e91cc7d34447675df6c538d3934ab11c2a8ded0c4f
Instruction ID: 4c2ee0b4774e11ecebc09a0e1e0789bfe42c2a3eae228ceffcb4cbd5da8c123d
Opcode Fuzzy Hash: 6cdbd28f4cd270a4002642e91cc7d34447675df6c538d3934ab11c2a8ded0c4f
Instruction Fuzzy Hash: 0AB17270A00109AFCB14DF55C880EEAB7B9FF58304F14C46EF949AB292D739E941CB99

Function 0046B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FEC6: _wcscpy.LIBCMT ref: 0041FEE9

Part of subcall function 00409997: __itow.LIBCMT ref: 004099C2
Part of subcall function 00409997: __swprintf.LIBCMT ref: 00409A0C

__wcsnicmp.LIBCMT ref: 0046B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B361

Strings

LPT, xrefs: 0046B292

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 01571d4d798ddf623d071679f25f561ba2b6068ad9e5d812ef22a095581f7af3
Instruction ID: 470a0d0963c7ecdb4e7e4c6b87fbca8e0adaa882601d46e1d6dd049f56f32c7c
Opcode Fuzzy Hash: 01571d4d798ddf623d071679f25f561ba2b6068ad9e5d812ef22a095581f7af3
Instruction Fuzzy Hash: 61619375A00214AFCB14DF94C855EAEB7B4EB08310F11406FF946EB391E778AE85CB99

Function 00448A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00448B1E
_memmove.LIBCMT ref: 00448B78

Strings

OaA, xrefs: 00448BF2, 0044E39A, 0044E3B6

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove
String ID: OaA
API String ID: 4104443479-4189730831
Opcode ID: eac606b9c50b6ed376460228ada23af1934c05934f650784fb345cb0aa555a59
Instruction ID: d3fee3364ca9afcf12c1e92d5c5d747a73912d83b3585dc8c9cc0e8530f715e4
Opcode Fuzzy Hash: eac606b9c50b6ed376460228ada23af1934c05934f650784fb345cb0aa555a59
Instruction Fuzzy Hash: 3C5170B0A00609DFDB24CF69C580AAEBBF1FF45304F14452EE85AE7350EB34A996CB55

Function 00412AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00412AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00412AE1

Strings

@, xrefs: 00412AD5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b558b19cd7410ff0673be4cd2c30f66381e90844ad9ecc940d55a87096154234
Instruction ID: 198fa7249bf4a10115936ac5cec7f523fb376c2af7af020f0510a7a60b6fc721
Opcode Fuzzy Hash: b558b19cd7410ff0673be4cd2c30f66381e90844ad9ecc940d55a87096154234
Instruction Fuzzy Hash: 28517A715187449BD320AF15DC85BAFBBE8FFC4314F42486DF2D9510A2DB749828CB2A

Function 00404DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404E1A

Strings

AU3!P/I, xrefs: 00404E14
EA06, xrefs: 0043DCF5

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/I$EA06
API String ID: 4104443479-1914660620
Opcode ID: d969dd4a7eea65083e86d3435cfacbc98095f4ff81872ec92481d382e1eb92da
Instruction ID: e4f2d0695f8a23f075e311890a29d80e38cea7919c4102c3fad58ec67193dbe6
Opcode Fuzzy Hash: d969dd4a7eea65083e86d3435cfacbc98095f4ff81872ec92481d382e1eb92da
Instruction Fuzzy Hash: 11417BB1A041546BCF214B64C8517BF7FA6EB85304F28407BEE42BA2C2C57C8D41C7EA

Function 004699BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0040506B: __fread_nolock.LIBCMT ref: 00405089

_wcscmp.LIBCMT ref: 00469AAE
_wcscmp.LIBCMT ref: 00469AC1

Strings

FILE, xrefs: 004699FA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 913557f42899b454e3398d4417c7e449758ebc8e92cd5274a0a693f87ad72ef3
Instruction ID: e31db8beb822ec11b54c8bdfd4ea193dbe28da2a1d31aa862f0484787fe8da7c
Opcode Fuzzy Hash: 913557f42899b454e3398d4417c7e449758ebc8e92cd5274a0a693f87ad72ef3
Instruction Fuzzy Hash: 1A41B771A006197ADF209AA1DC45FEF77BDDF45714F00007FB904B7181D6B9AE058BA9

Function 0044099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004409A9

Strings

DtL, xrefs: 0040A2B1
DtL, xrefs: 0040A477

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClearVariant
String ID: DtL$DtL
API String ID: 1473721057-1281546423
Opcode ID: 19febfa92f57afbf359320828b3173b57b8b23593b68444a158a0123a3479ca9
Instruction ID: da1fff8ce702562cff1de6885822424690271d2b2b1ac71984817684a9cead06
Opcode Fuzzy Hash: 19febfa92f57afbf359320828b3173b57b8b23593b68444a158a0123a3479ca9
Instruction Fuzzy Hash: B7510578608341CFD754CF19C480A1ABBF1BB99344F54886EE9859B3A1D339EC91CF4A

Function 00472882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004728C8

Strings

|, xrefs: 00472899

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 6bfd8055975739be4da4883fff9a0b7fb4c73ec68fd6209e545aacd54e72607d
Instruction ID: 71942d2c2ebdffcb5d7eb079603bfd464bbd1c903d5dd81d818fc26d01b4b6dc
Opcode Fuzzy Hash: 6bfd8055975739be4da4883fff9a0b7fb4c73ec68fd6209e545aacd54e72607d
Instruction Fuzzy Hash: FC313A71D00119AFDF01EFA1CC85EEEBFB8FF08304F04402AF915A6266DA395A56DB65

Function 00487CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00487DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00487DE5

Strings

', xrefs: 00487D39

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8835cbb57834287d10c281f3bd4ec9c068fc8bd0d74c0f079d1ea5658e337c8b
Instruction ID: 328d5bcbb3cf08758e4d911b796ff69d1e719dddb0393c30bca7554e08939aec
Opcode Fuzzy Hash: 8835cbb57834287d10c281f3bd4ec9c068fc8bd0d74c0f079d1ea5658e337c8b
Instruction Fuzzy Hash: 2E411774A052099FDB50DF68D891BEEBBF5FF09300F20456AE905AB381D734A941CFA4

Function 00486CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00486D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486DC2

Strings

static, xrefs: 00486D22

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 52495995fedef96d6e440aedbf186300563ef6923ea44e62e30b871b1e1830ba
Instruction ID: ac4952246417f6e5eabf139c329a91c40342bfa59b822e976b0221753ab176b8
Opcode Fuzzy Hash: 52495995fedef96d6e440aedbf186300563ef6923ea44e62e30b871b1e1830ba
Instruction Fuzzy Hash: 22319271200204AEDB10AF64DC40BFF73A8FF48714F11892EF89597190DA35AC51DB68

Function 00459E2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00459E47
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00459E81

Strings

@U=u, xrefs: 00459E47, 00459E81

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: b6c372cfdc13f1101f102f5a6d676373a52ff67516d29a7cc167b5a9fcf1bac4
Instruction ID: d1f6b8a00a173943862a6b406d785c8f18c3307739ec320fc3776098de81419e
Opcode Fuzzy Hash: b6c372cfdc13f1101f102f5a6d676373a52ff67516d29a7cc167b5a9fcf1bac4
Instruction Fuzzy Hash: 4821D932D00205ABCB14EB65C881DAFB779DF88715B10406EFE05B72D1EA38AD45C798

Function 00462D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00462E3B

Strings

0, xrefs: 00462DF9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 34a82e1949361ec8b401b70c35d668a93ea1be3be40261f62c440cefb7cb729b
Instruction ID: e4ba473186a04a1089063113a0bb1d7291b3d5251d5722f0dc03b867bbbebbbc
Opcode Fuzzy Hash: 34a82e1949361ec8b401b70c35d668a93ea1be3be40261f62c440cefb7cb729b
Instruction Fuzzy Hash: DD31D431A00715BBEB248F48DA45BAFBBB5EF05300F14443FE985962A1F7B99944CB1A

Function 0045AFDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004161B1

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B03B
_strlen.LIBCMT ref: 0045B046

Strings

@U=u, xrefs: 0045B03B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 633fb5953ff61aec25af0353718cd17d17fb153a77c5c40b97b046e87818652b
Instruction ID: f4ea14c83b9f5feea61bb3248e1195d1fe2e8241d0ff3ecfc3264af9ec5b5c32
Opcode Fuzzy Hash: 633fb5953ff61aec25af0353718cd17d17fb153a77c5c40b97b046e87818652b
Instruction Fuzzy Hash: 9311C63160420566CB14AE79DC82ABF67A9DF45B05F10003FFE05A72D3DE2D994A86A9

Function 00486AD4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046589F: GetLocalTime.KERNEL32 ref: 004658AC
Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 004658E1
Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465913
Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465946
Part of subcall function 0046589F: _wcsncpy.LIBCMT ref: 00465988

SendMessageW.USER32(?,00001002,00000000,?), ref: 00486B6E

Strings

@U=u, xrefs: 00486B6E
SysDateTimePick32, xrefs: 00486B2C

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 7beca27052bb186dd1af0f2014c4602f8ea00ee078e793b0e2ce43be1190d7f8
Instruction ID: 9ab44323a0546823f81fbb911ecea78f0dd5443879c2975d6fdc9eef7ee9a0ca
Opcode Fuzzy Hash: 7beca27052bb186dd1af0f2014c4602f8ea00ee078e793b0e2ce43be1190d7f8
Instruction Fuzzy Hash: 9E210A313402186FEF11AE14CC82FEF7369EB44768F11492AF954E72D0D6B9AC5197A4

Function 00459707 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459720

Part of subcall function 004618EE: GetWindowThreadProcessId.USER32(?,?), ref: 00461919
Part of subcall function 004618EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045973C,00000034,?,?,00001004,00000000,00000000), ref: 00461929
Part of subcall function 004618EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045973C,00000034,?,?,00001004,00000000,00000000), ref: 0046193F

Part of subcall function 004619CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459778,?,?,00000034,00000800,?,00000034), ref: 004619F6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00459787

Part of subcall function 00461997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004597A7,?,?,00000800,?,00001073,00000000,?,?), ref: 004619C1

Strings

@U=u, xrefs: 00459720, 00459787

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: cafc18475bf229dafea254f0760588cf38577532fd117a0a35f2989a49e6547e
Instruction ID: c969fc8c3c35ffbddd0e2b75ea1aa346ca61a4b8aa4c84fa60b28072c6e4b7c7
Opcode Fuzzy Hash: cafc18475bf229dafea254f0760588cf38577532fd117a0a35f2989a49e6547e
Instruction Fuzzy Hash: 14215131901129EBDF11AFA5CC41FDDBBB4FF08354F1001AAF944A71A1EA745E48DB95

Function 00486943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004869D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004869DB

Strings

Combobox, xrefs: 0048699D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bcfd4814bd11f60ceb698292fccd5a8b961f0c50819f1fee78ff055a4f109a5e
Instruction ID: 6041aa2516f7a9dd56df650238f776de4a8a29a273b23500d66360a3029cdda3
Opcode Fuzzy Hash: bcfd4814bd11f60ceb698292fccd5a8b961f0c50819f1fee78ff055a4f109a5e
Instruction Fuzzy Hash: 4711B6B16002086FEF51AF14CC80EAF376EEB843A4F12452AF958973D0D6799C5187A4

Function 00489962 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 004899E7, 00489A10

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: dc19d23d51189454ee69fc15af4cd96e9734f31d0032d072dfff8b551060118d
Instruction ID: 634aec6ed363f9b4f0649c7537ccbd66799b82029504702c5a0a60eb5e78e7b8
Opcode Fuzzy Hash: dc19d23d51189454ee69fc15af4cd96e9734f31d0032d072dfff8b551060118d
Instruction Fuzzy Hash: A321D271100548BFDB15AF54CC45FBE33A8EB09300F08492BFA12EA2D0D678DD019B69

Function 00486E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

GetWindowRect.USER32(00000000,?), ref: 00486EE0
GetSysColor.USER32(00000012), ref: 00486EFA

Strings

static, xrefs: 00486EBD

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f2d810d17fd63640c0199e69d22ca8f20409b6ce86d908634d9821f1fc52f206
Instruction ID: 29a9b64aecc222300d436bcd3a63065e5534f5b76e47b581503888c6130dc53c
Opcode Fuzzy Hash: f2d810d17fd63640c0199e69d22ca8f20409b6ce86d908634d9821f1fc52f206
Instruction Fuzzy Hash: 39215C72610209AFDB05EFA8DC45EFE7BB8FB08314F014A29FD55D3250D638E8619B54

Function 004073E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043EE62
7722D0D0.COMDLG32(?), ref: 0043EEAC

Part of subcall function 004048AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004048A1,?,?,004037C0,?), ref: 004048CE

Part of subcall function 004209D5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004209F4

Strings

X, xrefs: 0043EE7A

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: NamePath$7722FullLong_memset
String ID: X
API String ID: 1752364830-3081909835
Opcode ID: 1395729b3b8d09a4c68be62c9cd7dc45bd9a059d505c17e7ff7ed98a051a2262
Instruction ID: 5559bcc2e5b0ce129e075af18a443fb14fc0140c0908acbd47f5bc3bdc75694c
Opcode Fuzzy Hash: 1395729b3b8d09a4c68be62c9cd7dc45bd9a059d505c17e7ff7ed98a051a2262
Instruction Fuzzy Hash: CF21F671A142589BCB01DF95C845BEE7BF89F49314F00802BE508F7281DBBC598A8FA9

Function 00462E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462F30

Strings

0, xrefs: 00462F07

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 59c6d4ecc96d51423ef45e6653d6fa471026e206ed0dca041fc37bebb9bef4a2
Instruction ID: 7f1890bb511fc1dfd3e8fa5b970c3ad2342b96576484a3509b411f34f36085a9
Opcode Fuzzy Hash: 59c6d4ecc96d51423ef45e6653d6fa471026e206ed0dca041fc37bebb9bef4a2
Instruction Fuzzy Hash: DE11B131901A14BBCB24DE58DE04FAA73B9EB01310F0540B7EC54E72A1E7FAAD04979A

Function 004724CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00472520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472549

Strings

<local>, xrefs: 00472511

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b4e2ad384fd7c601628b52258e18064e8563b109b01ba46a19230f2044734790
Instruction ID: 671247dd43dff78d3ba65fd013137b1b80bf3ca9b363514825ab6a5c38d559c9
Opcode Fuzzy Hash: b4e2ad384fd7c601628b52258e18064e8563b109b01ba46a19230f2044734790
Instruction Fuzzy Hash: 0C110270500225BAEB248F618D98EFBFF68FF06355F10C12BF90952240D2B86955DAF9

Function 00488752 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0048879F

Strings

@U=u, xrefs: 0048879F, 004887DB

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3a9f013d989c21e10f7d128a3f3fed9cdbde56131269692e90032f48d51fd8fc
Instruction ID: d1251c33da84eb50c704d5da5f93472b58098ec4d34eec6340968d7d9a25b725
Opcode Fuzzy Hash: 3a9f013d989c21e10f7d128a3f3fed9cdbde56131269692e90032f48d51fd8fc
Instruction Fuzzy Hash: 0321E77960010AEF8B15DF94DC80CAEBBB5FB4C340B51456AFD05A3360DB35AD61DBA4

Function 00486825 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 0048689B

Strings

button, xrefs: 00486872
@U=u, xrefs: 0048689B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 53cc89aba0dbc22d1d045412913e2180648df8091e7a700c1d53b3bbad3e168a
Instruction ID: a850d0b023350f3d2b0314e2d56366c7ada9f22c18c3016ba64188fb2de4c294
Opcode Fuzzy Hash: 53cc89aba0dbc22d1d045412913e2180648df8091e7a700c1d53b3bbad3e168a
Instruction Fuzzy Hash: 7F11E532151205ABDF01AF60CC41FEF376AEF48314F120919FE58A6290C77AE891AB54

Function 00487AFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00487B47

Strings

@U=u, xrefs: 00487B47

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 806ea523a5ff418293e074e62a8710eb0d15cbf2ce72f7ae5e8bebce7c55f03f
Instruction ID: d1d1c731fb5a5cffcdda5b0fdf895d4bdfa0f4256758d147a763ac0290278071
Opcode Fuzzy Hash: 806ea523a5ff418293e074e62a8710eb0d15cbf2ce72f7ae5e8bebce7c55f03f
Instruction Fuzzy Hash: 1F110330504344AFD720EF34C8A1AEBB7E9FF05314F20891EE8AA57391D73578419B60

Function 004780A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,004780C8,?,00000000,?,?), ref: 00478322

inet_addr.WS2_32(00000000), ref: 004780CB
htons.WS2_32(00000000), ref: 00478108

Strings

255.255.255.255, xrefs: 004780E3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: ad35214146a89cf04d155a3b779ef8b621468eca1c07e45d6c2da25cb2ff26f5
Instruction ID: 53d89c5d81ffa0f8ae8b01e320c1c86537ed70fd6efd8479dd932b7ce01561ea
Opcode Fuzzy Hash: ad35214146a89cf04d155a3b779ef8b621468eca1c07e45d6c2da25cb2ff26f5
Instruction Fuzzy Hash: 0F118274640205ABDB10AF64CC4ABEEB364EF04714F10C52FF91597292DA76A815CB59

Function 00459989 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004619CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459778,?,?,00000034,00000800,?,00000034), ref: 004619F6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 004599EB
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00459A10

Strings

@U=u, xrefs: 004599EB, 00459A10

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 1e8ea34d0e3547e35292d7e765ab08e2da4e76f9381f8ad026145f0c19912ff3
Instruction ID: 35d8dbc8c67dd22b1ff29fc68f41701681622a68166a95138f4bcb0dc7de8d18
Opcode Fuzzy Hash: 1e8ea34d0e3547e35292d7e765ab08e2da4e76f9381f8ad026145f0c19912ff3
Instruction Fuzzy Hash: BC012B72900118EBDB21AF65DC86EEEBB78DB04320F10016FF911A71D1DB745D99DB64

Function 00410A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C26,004C62F8,?,?,?), ref: 00410ACE

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

_wcscat.LIBCMT ref: 004450E1

Strings

cL, xrefs: 00410B0E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cL
API String ID: 257928180-3582697795
Opcode ID: 34737a3f4a6ae8724214f4d8246d70ca6db942ee522baaf8dda44bac6b792bb3
Instruction ID: 2465f5f3d6d9b56aaa1727fbd9bec47b8e94431a8bb344f3d239a1b9bc18dd85
Opcode Fuzzy Hash: 34737a3f4a6ae8724214f4d8246d70ca6db942ee522baaf8dda44bac6b792bb3
Instruction Fuzzy Hash: CA11A9359042089BCB40EBA5CC01EDD77B8EF08354B0140ABBD48D7291EA7CFAC9871D

Function 0046901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00469036
__fread_nolock.LIBCMT ref: 0046904B

Strings

EA06, xrefs: 0046907D

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 0ffa3d434e5b6a956c6ed572106e06fd0ca4870dbeab2ecb47157eb41c369f2b
Instruction ID: 69ed26fe311b0cc63e55e163675035c3f2ff08f97f20fd5c9232a639071a0922
Opcode Fuzzy Hash: 0ffa3d434e5b6a956c6ed572106e06fd0ca4870dbeab2ecb47157eb41c369f2b
Instruction Fuzzy Hash: 50014971904228AEDB28C6A8D816FFE7BFC8B11301F00419FF152D2181E4B8EA188B64

Function 00459AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00459ADD
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00459B10

Part of subcall function 00461997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004597A7,?,?,00000800,?,00001073,00000000,?,?), ref: 004619C1

Part of subcall function 00407D2C: _memmove.LIBCMT ref: 00407D66

Strings

@U=u, xrefs: 00459ADD, 00459B10

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 97abbc7f2ab4eb3392a9dc241ee8dad6270ed87471a7baf62a57b1465bf096cb
Instruction ID: 8aae90985773df24eb41c9448f11e634710b9c305c262bb408993a762326c0b4
Opcode Fuzzy Hash: 97abbc7f2ab4eb3392a9dc241ee8dad6270ed87471a7baf62a57b1465bf096cb
Instruction Fuzzy Hash: FA01AD71800118EFDB10EF60DC81EE977BCFF14344F8080AABA89A2150EE345E89CF94

Function 00426DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00426DD0
__calloc_crt.LIBCMT ref: 00426DE9

Strings

@RL, xrefs: 00426E00

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: __calloc_crt
String ID: @RL
API String ID: 3494438863-2017224383
Opcode ID: 6a6e30e2bdeb8c19a8e3ebcf2cc8afd1092bc55311528fa0e480a1492eec75cf
Instruction ID: bbd8b9fab33c61190424cec5909bf4a4914ceb41b768b9a47a746c2f3f0f3bb9
Opcode Fuzzy Hash: 6a6e30e2bdeb8c19a8e3ebcf2cc8afd1092bc55311528fa0e480a1492eec75cf
Instruction Fuzzy Hash: 87F0C8713142269BF764EF29BC01BB66795EB00724B53807FE504CB2D0EB788841469C

Function 00420FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042594C: __FF_MSGBANNER.LIBCMT ref: 00425963
Part of subcall function 0042594C: __NMSG_WRITE.LIBCMT ref: 0042596A
Part of subcall function 0042594C: RtlAllocateHeap.NTDLL(03220000,00000000,00000001), ref: 0042598F

std::exception::exception.LIBCMT ref: 0042102C
__CxxThrowException@8.LIBCMT ref: 00421041

Part of subcall function 004287DB: RaiseException.KERNEL32(?,?,00000000,004BBAF8,?,00000001,?,?,?,00421046,00000000,004BBAF8,00409FEC,00000001), ref: 00428830

Strings

bad allocation, xrefs: 00421021

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 93e56a4e8165e5574fe3227c17407f14ee93b54994d0cde3d4809bdca964514d
Instruction ID: 7ef10c6c1173b09cd5bea89a6eb30a235393a82e45e25364796afe6b045364de
Opcode Fuzzy Hash: 93e56a4e8165e5574fe3227c17407f14ee93b54994d0cde3d4809bdca964514d
Instruction Fuzzy Hash: BAF0F93470127DB6CB20AA55FD059DF7BA89F00354F90402FF804A2691EFF88A8082EC

Function 00459A1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459A2E
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459A46

Strings

@U=u, xrefs: 00459A2E, 00459A46

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8f2d6edb6c4ec2e49ef8baf40380da20a27740f090c0f24f0dd26b5b08eee89f
Instruction ID: 7fa259700fd48ce45c0e05ebc56fedd356cd1b6052f0bddd7270ff7c7954a6d4
Opcode Fuzzy Hash: 8f2d6edb6c4ec2e49ef8baf40380da20a27740f090c0f24f0dd26b5b08eee89f
Instruction Fuzzy Hash: E0E0E535341391B6F62015228C4AFD71F49DB88B62F20003ABF01A92D2DAD10C4A92B4

Function 0045A1A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0045A1BA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0045A1EA

Strings

@U=u, xrefs: 0045A1BA, 0045A1EA

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 849bcbc22ff99cf2751181be076de45e2c8ee01a3083f0245c9e764e6c29b709
Instruction ID: 644acd58d8663e483d4e091195c44a223268ddb4dab828b589e1bb03fd74b714
Opcode Fuzzy Hash: 849bcbc22ff99cf2751181be076de45e2c8ee01a3083f0245c9e764e6c29b709
Instruction Fuzzy Hash: E2F02731240304BBFA112A50DC46FEE3B1DEF08751F100039F7006A0E1D9E61C549368

Function 0045A327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00459E47
Part of subcall function 00459E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00459E81

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 0045A34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0045A35B

Strings

@U=u, xrefs: 0045A34B, 0045A35B

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9b8e2756be12946d9c1900c64c38d863d527029ae6b4832c66ec5534794ee14c
Instruction ID: 4db017e310f15198481368ac0eaf139b7dd225bccb5cab1b534638a201765101
Opcode Fuzzy Hash: 9b8e2756be12946d9c1900c64c38d863d527029ae6b4832c66ec5534794ee14c
Instruction Fuzzy Hash: F7E0D8752043057FFA251A61DC4BE9B375CDB48756F21053EBB00550A1EFA68C65A628

Function 004651CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004651E8
_wcscmp.LIBCMT ref: 004651FA

Strings

#32770, xrefs: 004651F4

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 0454c7a05c7065af6ed21b67043410d2e5ae63a1c6cebe1df2925b82de440770
Instruction ID: 7d105c29b468cb4688b2677bef2d9c9738779b451877c89abcd65d6599e0448c
Opcode Fuzzy Hash: 0454c7a05c7065af6ed21b67043410d2e5ae63a1c6cebe1df2925b82de440770
Instruction Fuzzy Hash: 5FE06832A0022C2BE7209A99AC0AFA7F7ACEB40771F0000ABFD10D3140E5649A048BE9

Function 004581BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004581CA

Part of subcall function 00423598: _doexit.LIBCMT ref: 004235A2

Strings

AutoIt, xrefs: 004581BE
Error allocating memory., xrefs: 004581C3

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f00ef3b85699ee1fd2af03a0b06a9530dc68d43ac6398f370365b0e1732b6dad
Instruction ID: 372d5128de35d502a090e5452165ba50a974b5f0ee4ea7530394d89cc60aac93
Opcode Fuzzy Hash: f00ef3b85699ee1fd2af03a0b06a9530dc68d43ac6398f370365b0e1732b6dad
Instruction Fuzzy Hash: 1DD0123238536832D21432A56D06BCA6A484B15B5AF50443BBB08755D38DDD598242ED

Function 0043B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0043B564: _memset.LIBCMT ref: 0043B571

Part of subcall function 00420B84: InitializeCriticalSectionAndSpinCount.KERNEL32(004C5158,00000000,004C5144,0043B540,?,0040100A), ref: 00420B89

IsDebuggerPresent.KERNEL32(?,0040100A), ref: 0043B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,0040100A), ref: 0043B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B54E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
Instruction ID: bbad548b5aabf2add28ed68359945d9081cd17edac9c4c9c4009ad7997521b12
Opcode Fuzzy Hash: cfdba6c3f5d1c47e0915195a6a61c30b6b4130fea4c9ebe93c9a57294c91e8a4
Instruction Fuzzy Hash: 7EE06DB02003108BD720DF69E5047467BE0EB14748F00C97EE946C6251D7BCE448CBA9

Function 00441D5F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00441B9F

Part of subcall function 0047C304: LoadLibraryA.KERNEL32(kernel32.dll,?,00441D88,?), ref: 0047C312
Part of subcall function 0047C304: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0047C324

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00441D97

Strings

WIN_XPe, xrefs: 00441BB2

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: af0a56820825745426f4d03bb04c2b0f0d3c287a6387f6cce3cf7a492779281f
Instruction ID: c8091f0db7e28bb6b7c32348aacfe7bcbdcf0e89efc274199b4bea7c31e24fe9
Opcode Fuzzy Hash: af0a56820825745426f4d03bb04c2b0f0d3c287a6387f6cce3cf7a492779281f
Instruction Fuzzy Hash: D3F03970800049DFEB15DB91C988AECBBF8EB08300F5044ABE102B21A0E7386F85CF29

Function 00469B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00469B82
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00469B99

Strings

aut, xrefs: 00469B93

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ef7b029a5636c4efbf44f16e0290ae816bffbefd076ffddc08468feff711a527
Instruction ID: 013d5e7a62e72ac985b73f0284bae01e590d9c4b17d6e127dcf3942213dc9704
Opcode Fuzzy Hash: ef7b029a5636c4efbf44f16e0290ae816bffbefd076ffddc08468feff711a527
Instruction Fuzzy Hash: 73D05E7954030DABDB509B90DC4EFDA772CE704700F004AF1BE54D10A1DEB665A88BA9

Function 00485BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00485BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00485C08

Part of subcall function 004654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E

Strings

Shell_TrayWnd, xrefs: 00485BEE

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e7f4bdf397475172de9a563981df35a0547720abd061d190681d3d1820635f26
Instruction ID: 2ade09667328b1b94c0535c00af31867d2a18255db6fcb0bb85e87ed9834ab31
Opcode Fuzzy Hash: e7f4bdf397475172de9a563981df35a0547720abd061d190681d3d1820635f26
Instruction Fuzzy Hash: FFD0C931788311B6E764AB70AC0BFDB6A14AB10B51F100C3AB745AA1D1E9E85805C758

Function 00485C1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00485C35
PostMessageW.USER32(00000000), ref: 00485C3C

Part of subcall function 004654E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0046555E

Strings

Shell_TrayWnd, xrefs: 00485C2E

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cbfbf1570455aef4eaef911a3a5d9d2f193b3033894f62171bd9755d4abc59bc
Instruction ID: 5429a253650449d9564dde4df1b2690422fd7c95008f26ead3e6b365f4dc0f57
Opcode Fuzzy Hash: cbfbf1570455aef4eaef911a3a5d9d2f193b3033894f62171bd9755d4abc59bc
Instruction Fuzzy Hash: DDD0A9313843007AE364AB30AC0BFCB2610AB00B00F000C3AB301AA0D0E8E86801C318

Function 004598BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004598CB
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 004598D9

Strings

@U=u, xrefs: 004598CB, 004598D9

Memory Dump Source

Source File: 00000002.00000002.1613357439.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1613357439.00000000004B5000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004BF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.00000000004CE000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000002.00000002.1613357439.000000000052F000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: f14ef54e6ac06783e3020be50d8c7fabb5e3548cc3f0f88169c8863a1058f551
Instruction ID: 4e705fb1bcf9204ccfd4b1eb5bde97d05f165e23fc7654a9b130ab9a92496177
Opcode Fuzzy Hash: f14ef54e6ac06783e3020be50d8c7fabb5e3548cc3f0f88169c8863a1058f551
Instruction Fuzzy Hash: B8C00231151180BAEA211B77AC0DD8B3E3DE7CAF52761066CB211A50B59665009AE628

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BPD-003777.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_844ef0ef7d12d9f9e010b6a014ea0d32eb0d68_cabfc704_e8ae02c3-9242-4643-b89c-6fc14e65c71a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C36.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DDD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DFD.tmp.xml

C:\Users\user\AppData\Local\Temp\antiprimer

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
BPD-003777.exe

Function 00ABC910 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 03B41248 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 03B41018 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
fileCOMMON

Function 03B3FF08 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 03B3FF05 Relevance: 1.9, APIs: 1, Instructions: 400
processthreadCOMMON

Function 03B40F08 Relevance: 1.3, APIs: 1, Instructions: 18
sleepCOMMON

Function 00403B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00404AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 004071EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00403778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0040F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00535080 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Function 0040492E Relevance: 3.1, APIs: 2, Instructions: 59
COMMON

Function 00404864 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre