yncoxhp.exe

Crime Watch

Great Apps

This is part of an adware program designed to inject advertising into the web browser (banners, text links) and to modify the browser's normal behavior. It is part of the Injekt brand of unwanted programs. The application yncoxhp.exe, “CrimeWatch Service” by Great Apps, has been detected as adware by 18 anti-malware scanners. It runs as a Windows service named “yNCOxhp” in its own separate process.
Publisher:
Great Apps  (signed and verified)

Product:
Crime Watch

Description:
CrimeWatch Service

Version:
1.0.0.0

MD5:
aa4a899a92ac80acd722c2fab7011fad

SHA-1:
87c181106c418233aedd657d74426a040efc6db6

SHA-256:
e001a3c218a94cfe05a2ee794821020b381959b5ec060c478e36e4c5dd035d82

Scanner detections:
18 / 68

Status:
Adware

Explanation:
Injects display ads (banner ads), in-text ads, interstitial ads, or other types of ads in the web browser, and alters the browser's settings (home page, search, DNS, and security protocols).

Analysis date:
4/25/2024 12:25:33 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Avira AntiVirus | ADWARE/Adware.Gen7 | 3.6.1.96 |
| avast! | Win32:Adware-gen [Adw] | 150423-1 |
| AVG | Generic | 2016.0.3129 |
| Baidu Antivirus | Adware.MSIL.PullUpdate | 4.0.3.15425 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Comodo Security | ApplicUnwnt | 21709 |
| Dr.Web | Adware.Yontoo.68 | 9.0.1.05190 |
| ESET NOD32 | MSIL/Adware.PullUpdate.N.gen application | 7.0.302.0 |
| Fortinet FortiGate | Adware/PullUpdate | 4/25/2015 |
| K7 AntiVirus | Adware | 13.202.15544 |
| Kaspersky | not-a-virus:AdWare.MSIL.PullUpdate | 15.0.0.543 |
| Malwarebytes | PUP.Optional.CrimeWatch.A | v2015.04.25.03 |
| McAfee | Program.Artemis!AA4A899A92AC | 16.8.708.2 |
| Qihoo 360 Security | HEUR/QVM03.0.Malware.Gen | 1.0.0.1015 |
| Reason Heuristics | PUP.Injekt.GreatApps | 15.4.25.2 |
| Sophos | Generic PUA IH | 4.98 |
| Trend Micro House Call | Suspicious_GEN.F47V0325 | 7.2.115 |
| VIPRE Antivirus | Threat.4872425 | 39354 |

File size:
2.6 MB (2,731,992 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Great Apps 2015

Original file name:
CrimeWatchService.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\ProgramData\axtbruejq\yncoxhp.exe

Digital Signature
Signed by:

Authority:
Symantec Corporation

Valid from:
2/16/2015 7:00:00 PM

Valid to:
2/17/2016 6:59:59 PM

Subject:
CN=Great Apps, O=Great Apps, L=St. Michael, S=St. Michael, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
18DA5D77283E42E4EA6279778229FFBA

File PE Metadata
Compilation timestamp:
3/22/2015 5:54:45 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:jkFk8CY+D8rxNYq9Y8V1laNt3Lfpq2WdaL3xlh0m2OUPS0k8/BbCrSF+HI4erV8+:+k8CY+qNYX8ibpq2WIZ0CV0kGBbCxRan

Entry address:
0x29ACCE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 

Entropy:
7.9996

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
2.6 MB (2,723,328 bytes)

Service
Display name:
yNCOxhp

Type:
Win32OwnProcess

Depends on:
Winmgmt CryptSvc


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ec2-54-246-181-97.eu-west-1.compute.amazonaws.com  (54.246.181.97:80)
