Windows Analysis Report
updater.exe

Overview

General Information

Sample name: updater.exe
Analysis ID: 1431804
MD5: e867b82738afc3961e615c098f241923
SHA1: f6d2a17785021eaf4d3a671a364d57de25e0198b
SHA256: 519527de78b5783744168a78a9d2b9d84da7a49d91eb0d764f515e264eb45380

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: updater.exe ReversingLabs: Detection: 26%
Source: updater.exe Virustotal: Detection: 29%
Source: updater.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: updater.exe Static PE information: certificate valid
Source: updater.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: updater.exe
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8DFB0 FindFirstFileW,GetLastError,FindClose, 0_2_00A8DFB0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AA3DF0 GetLastError,ResetEvent,InternetQueryDataAvailable,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,ResetEvent,InternetReadFile,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,WriteFile,Sleep,GetFileSize,CloseHandle,GetLastError,CloseHandle,DeleteFileW,MoveFileW,CopyFileW,GetLastError,DeleteFileW, 0_2_00AA3DF0
Source: updater.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: updater.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: updater.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: updater.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: updater.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: updater.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: updater.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: updater.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: updater.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: updater.exe String found in binary or memory: http://ocsp.digicert.com0
Source: updater.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: updater.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: updater.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: updater.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AB8040 0_2_00AB8040
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AB6550 0_2_00AB6550
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00ADA7F0 0_2_00ADA7F0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF09B0 0_2_00AF09B0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AB6B10 0_2_00AB6B10
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00B02FD5 0_2_00B02FD5
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF0FD4 0_2_00AF0FD4
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8F220 0_2_00A8F220
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AD1260 0_2_00AD1260
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AFD30D 0_2_00AFD30D
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF1346 0_2_00AF1346
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00B07430 0_2_00B07430
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF5455 0_2_00AF5455
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A93590 0_2_00A93590
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF15F0 0_2_00AF15F0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AA96B0 0_2_00AA96B0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF5684 0_2_00AF5684
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF7640 0_2_00AF7640
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF18B7 0_2_00AF18B7
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A99850 0_2_00A99850
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF1B72 0_2_00AF1B72
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AE9C00 0_2_00AE9C00
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AFDD79 0_2_00AFDD79
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8FED0 0_2_00A8FED0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEDE18 0_2_00AEDE18
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AABF10 0_2_00AABF10
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AC9F40 0_2_00AC9F40
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00A87350 appears 86 times
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00AEE3C2 appears 35 times
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00AEF3D0 appears 34 times
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00A823A0 appears 153 times
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00A871F0 appears 71 times
Source: C:\Users\user\Desktop\updater.exe Code function: String function: 00A87430 appears 48 times
Source: classification engine Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8CFA0 FormatMessageW,GetLastError, 0_2_00A8CFA0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AE4170 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,Module32FirstW,CloseHandle,CloseHandle,Process32NextW,CreateToolhelp32Snapshot,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW, 0_2_00AE4170
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00ABE160 CoCreateInstance, 0_2_00ABE160
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AE0970 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_00AE0970
Source: C:\Users\user\Desktop\updater.exe Command line argument: RICHED20.DLL 0_2_00ADDB80
Source: updater.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\updater.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: updater.exe String found in binary or memory: /installservice
Source: updater.exe String found in binary or memory: /install
Source: updater.exe String found in binary or memory: -installready
Source: updater.exe String found in binary or memory: -startappfirst
Source: updater.exe String found in binary or memory: -startminimized
Source: updater.exe String found in binary or memory: @\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\fi-180\li400\b0\f0 {\pntext\f1\'B7\tab}\parlicenseidlanguageid2.1version0x%XLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install.bat:
Source: updater.exe String found in binary or memory: installUpdate "" installer runned. Exit code: . Return code: Removed cached update installer.\?"|><:/*<=Installing using helper service.Service detected.Service started.Unable to start service: Support service not configured in updates.ini.Service running from path: "LegacyIpcObjectBaseName: <b>%s</b><b><font color = "#FF0000">%s</font></b><b><font color = "#B84401">%s</font></b>\pard\li144\b\f2\par %s\par/qbUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/checknow/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: C:\Users\user\Desktop\updater.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\updater.exe Section loaded: msls31.dll
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: updater.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: updater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: updater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: updater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: updater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: updater.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8C000 ShellExecuteExW,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle, 0_2_00A8C000
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEEEBC push ecx; ret 0_2_00AEEECF
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEF416 push ecx; ret 0_2_00AEF429
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEDE18 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AEDE18

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A9EA70 0_2_00A9EA70
Source: C:\Users\user\Desktop\updater.exe API coverage: 1.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEC5D5 VirtualQuery,GetSystemInfo, 0_2_00AEC5D5
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEC9FE IsDebuggerPresent,OutputDebugStringW, 0_2_00AEC9FE
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF8AFA mov eax, dword ptr fs:[00000030h] 0_2_00AF8AFA
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AECD13 mov esi, dword ptr fs:[00000030h] 0_2_00AECD13
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00B0046A GetProcessHeap, 0_2_00B0046A
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEE937 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00AEE937
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEF038 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00AEF038
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEF1CB SetUnhandledExceptionFilter, 0_2_00AEF1CB
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AF34FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00AF34FF
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00AEF220 cpuid 0_2_00AEF220
Source: C:\Users\user\Desktop\updater.exe Code function: EnumSystemLocalesW, 0_2_00B021EA
Source: C:\Users\user\Desktop\updater.exe Code function: EnumSystemLocalesW, 0_2_00B02104
Source: C:\Users\user\Desktop\updater.exe Code function: EnumSystemLocalesW, 0_2_00B0214F
Source: C:\Users\user\Desktop\updater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B02277
Source: C:\Users\user\Desktop\updater.exe Code function: GetLocaleInfoW, 0_2_00B024C7
Source: C:\Users\user\Desktop\updater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00B025F0
Source: C:\Users\user\Desktop\updater.exe Code function: EnumSystemLocalesW, 0_2_00AFC5DD
Source: C:\Users\user\Desktop\updater.exe Code function: GetLocaleInfoW, 0_2_00B026F7
Source: C:\Users\user\Desktop\updater.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B027C4
Source: C:\Users\user\Desktop\updater.exe Code function: GetLocaleInfoW, 0_2_00AFC982
Source: C:\Users\user\Desktop\updater.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00B01E8C
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A8AC60 GetSystemTime,SystemTimeToFileTime,GetLastError, 0_2_00A8AC60
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A9ACB0 GetVersionExW,SendMessageW, 0_2_00A9ACB0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A825A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00A825A0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A81040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00A81040
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A818A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSectionAndSpinCount,GetLastError, 0_2_00A818A0
Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00A81940 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00A81940
No contacted IP infos