Source: updater.exe |
ReversingLabs: Detection: 26% |
Source: updater.exe |
Virustotal: Detection: 29% |
Source: updater.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: updater.exe |
Static PE information: certificate valid |
Source: updater.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: updater.exe |
Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8DFB0 FindFirstFileW,GetLastError,FindClose, |
0_2_00A8DFB0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AA3DF0 GetLastError,ResetEvent,InternetQueryDataAvailable,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,ResetEvent,InternetReadFile,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,WriteFile,Sleep,GetFileSize,CloseHandle,GetLastError,CloseHandle,DeleteFileW,MoveFileW,CopyFileW,GetLastError,DeleteFileW, |
0_2_00AA3DF0 |
Source: updater.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: updater.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: updater.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: updater.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: updater.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: updater.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: updater.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: updater.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: updater.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: updater.exe |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: updater.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: updater.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: updater.exe |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: updater.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AB8040 |
0_2_00AB8040 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AB6550 |
0_2_00AB6550 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00ADA7F0 |
0_2_00ADA7F0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF09B0 |
0_2_00AF09B0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AB6B10 |
0_2_00AB6B10 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00B02FD5 |
0_2_00B02FD5 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF0FD4 |
0_2_00AF0FD4 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8F220 |
0_2_00A8F220 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AD1260 |
0_2_00AD1260 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AFD30D |
0_2_00AFD30D |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF1346 |
0_2_00AF1346 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00B07430 |
0_2_00B07430 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF5455 |
0_2_00AF5455 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A93590 |
0_2_00A93590 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF15F0 |
0_2_00AF15F0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AA96B0 |
0_2_00AA96B0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF5684 |
0_2_00AF5684 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF7640 |
0_2_00AF7640 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF18B7 |
0_2_00AF18B7 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A99850 |
0_2_00A99850 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF1B72 |
0_2_00AF1B72 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AE9C00 |
0_2_00AE9C00 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AFDD79 |
0_2_00AFDD79 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8FED0 |
0_2_00A8FED0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEDE18 |
0_2_00AEDE18 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AABF10 |
0_2_00AABF10 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AC9F40 |
0_2_00AC9F40 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00A87350 appears 86 times |
|
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00AEE3C2 appears 35 times |
|
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00AEF3D0 appears 34 times |
|
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00A823A0 appears 153 times |
|
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00A871F0 appears 71 times |
|
Source: C:\Users\user\Desktop\updater.exe |
Code function: String function: 00A87430 appears 48 times |
|
Source: classification engine |
Classification label: mal52.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8CFA0 FormatMessageW,GetLastError, |
0_2_00A8CFA0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AE4170 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,Module32FirstW,CloseHandle,CloseHandle,Process32NextW,CreateToolhelp32Snapshot,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW, |
0_2_00AE4170 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00ABE160 CoCreateInstance, |
0_2_00ABE160 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AE0970 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, |
0_2_00AE0970 |
Source: C:\Users\user\Desktop\updater.exe |
Command line argument: RICHED20.DLL |
0_2_00ADDB80 |
Source: updater.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\updater.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: updater.exe |
String found in binary or memory: /installservice |
Source: updater.exe |
String found in binary or memory: /install |
Source: updater.exe |
String found in binary or memory: -installready |
Source: updater.exe |
String found in binary or memory: -startappfirst |
Source: updater.exe |
String found in binary or memory: -startminimized |
Source: updater.exe |
String found in binary or memory: @\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\fi-180\li400\b0\f0 {\pntext\f1\'B7\tab}\parlicenseidlanguageid2.1version0x%XLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install.bat: |
Source: updater.exe |
String found in binary or memory: installUpdate "" installer runned. Exit code: . Return code: Removed cached update installer.\?"|><:/*<=Installing using helper service.Service detected.Service started.Unable to start service: Support service not configured in updates.ini.Service running from path: "LegacyIpcObjectBaseName: <b>%s</b><b><font color = "#FF0000">%s</font></b><b><font color = "#B84401">%s</font></b>\pard\li144\b\f2\par %s\par/qbUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/checknow/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: msi.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\updater.exe |
Section loaded: msls31.dll |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: updater.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: updater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: updater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: updater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: updater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: updater.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8C000 ShellExecuteExW,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle, |
0_2_00A8C000 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEEEBC push ecx; ret |
0_2_00AEEECF |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEF416 push ecx; ret |
0_2_00AEF429 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEDE18 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00AEDE18 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A9EA70 |
0_2_00A9EA70 |
Source: C:\Users\user\Desktop\updater.exe |
API coverage: 1.0 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEC5D5 VirtualQuery,GetSystemInfo, |
0_2_00AEC5D5 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEC9FE IsDebuggerPresent,OutputDebugStringW, |
0_2_00AEC9FE |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF8AFA mov eax, dword ptr fs:[00000030h] |
0_2_00AF8AFA |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AECD13 mov esi, dword ptr fs:[00000030h] |
0_2_00AECD13 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00B0046A GetProcessHeap, |
0_2_00B0046A |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEE937 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00AEE937 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEF038 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00AEF038 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEF1CB SetUnhandledExceptionFilter, |
0_2_00AEF1CB |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AF34FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00AF34FF |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00AEF220 cpuid |
0_2_00AEF220 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: EnumSystemLocalesW, |
0_2_00B021EA |
Source: C:\Users\user\Desktop\updater.exe |
Code function: EnumSystemLocalesW, |
0_2_00B02104 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: EnumSystemLocalesW, |
0_2_00B0214F |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00B02277 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetLocaleInfoW, |
0_2_00B024C7 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_00B025F0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: EnumSystemLocalesW, |
0_2_00AFC5DD |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetLocaleInfoW, |
0_2_00B026F7 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00B027C4 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: GetLocaleInfoW, |
0_2_00AFC982 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
0_2_00B01E8C |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A8AC60 GetSystemTime,SystemTimeToFileTime,GetLastError, |
0_2_00A8AC60 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A9ACB0 GetVersionExW,SendMessageW, |
0_2_00A9ACB0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A825A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, |
0_2_00A825A0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A81040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, |
0_2_00A81040 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A818A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSectionAndSpinCount,GetLastError, |
0_2_00A818A0 |
Source: C:\Users\user\Desktop\updater.exe |
Code function: 0_2_00A81940 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, |
0_2_00A81940 |