Edit tour

Windows Analysis Report
updater.exe

Overview

General Information

Sample name:	updater.exe
Analysis ID:	1431804
MD5:	e867b82738afc3961e615c098f241923
SHA1:	f6d2a17785021eaf4d3a671a364d57de25e0198b
SHA256:	519527de78b5783744168a78a9d2b9d84da7a49d91eb0d764f515e264eb45380
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

updater.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\updater.exe" MD5: E867B82738AFC3961E615C098F241923)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: updater.exe	ReversingLabs: Detection: 26%
Source: updater.exe	Virustotal: Detection: 29%			Perma Link

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: updater.exe

Static PE information: certificate valid

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: updater.exe

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8DFB0 FindFirstFileW,GetLastError,FindClose,

0_2_00A8DFB0

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AA3DF0 GetLastError,ResetEvent,InternetQueryDataAvailable,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,ResetEvent,InternetReadFile,GetLastError,GetLastError,Sleep,WaitForSingleObject,SetEvent,WriteFile,Sleep,GetFileSize,CloseHandle,GetLastError,CloseHandle,DeleteFileW,MoveFileW,CopyFileW,GetLastError,DeleteFileW,

0_2_00AA3DF0

Source: updater.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: updater.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: updater.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: updater.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: updater.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: updater.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: updater.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: updater.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: updater.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: updater.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: updater.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: updater.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: updater.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: updater.exe	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AB8040	0_2_00AB8040
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AB6550	0_2_00AB6550
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00ADA7F0	0_2_00ADA7F0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF09B0	0_2_00AF09B0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AB6B10	0_2_00AB6B10
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00B02FD5	0_2_00B02FD5
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF0FD4	0_2_00AF0FD4
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A8F220	0_2_00A8F220
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AD1260	0_2_00AD1260
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AFD30D	0_2_00AFD30D
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF1346	0_2_00AF1346
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00B07430	0_2_00B07430
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF5455	0_2_00AF5455
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A93590	0_2_00A93590
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF15F0	0_2_00AF15F0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AA96B0	0_2_00AA96B0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF5684	0_2_00AF5684
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF7640	0_2_00AF7640
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF18B7	0_2_00AF18B7
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A99850	0_2_00A99850
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF1B72	0_2_00AF1B72
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AE9C00	0_2_00AE9C00
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AFDD79	0_2_00AFDD79
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A8FED0	0_2_00A8FED0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEDE18	0_2_00AEDE18
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AABF10	0_2_00AABF10
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AC9F40	0_2_00AC9F40

Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00A87350 appears 86 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00AEE3C2 appears 35 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00AEF3D0 appears 34 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00A823A0 appears 153 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00A871F0 appears 71 times
Source: C:\Users\user\Desktop\updater.exe	Code function: String function: 00A87430 appears 48 times

Source: updater.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8CFA0 FormatMessageW,GetLastError,

0_2_00A8CFA0

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AE4170 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,Module32FirstW,CloseHandle,CloseHandle,Process32NextW,CreateToolhelp32Snapshot,CloseHandle,CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW,

0_2_00AE4170

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00ABE160 CoCreateInstance,

0_2_00ABE160

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AE0970 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00AE0970

Source: C:\Users\user\Desktop\updater.exe

Command line argument: RICHED20.DLL

0_2_00ADDB80

Source: updater.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\updater.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: updater.exe	ReversingLabs: Detection: 26%
Source: updater.exe	Virustotal: Detection: 29%

Source: updater.exe	String found in binary or memory: /installservice
Source: updater.exe	String found in binary or memory: /install
Source: updater.exe	String found in binary or memory: -installready
Source: updater.exe	String found in binary or memory: -startappfirst
Source: updater.exe	String found in binary or memory: -startminimized
Source: updater.exe	String found in binary or memory: @\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent0{\pntxtb\'B7}}\fi-180\li400\b0\f0 {\pntext\f1\'B7\tab}\parlicenseidlanguageid2.1version0x%XLastModifiedClientConfigPath.datServerConfigPathJustDownloadUpdatesStartMinimizedURLrestartapprestartappcmdstartappfirstNoGUIReducedGUIForceMSIBasicUIchecknowsilentsilentallsilentcritical/install.bat:
Source: updater.exe	String found in binary or memory: installUpdate "" installer runned. Exit code: . Return code: Removed cached update installer.\?"\|><:/*<=Installing using helper service.Service detected.Service started.Unable to start service: Support service not configured in updates.ini.Service running from path: "LegacyIpcObjectBaseName: <b>%s</b><b><font color = "#FF0000">%s</font></b><b><font color = "#B84401">%s</font></b>\pard\li144\b\f2\par %s\par/qbUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/checknow/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: updater.exe	String found in binary or memory: installUpdate "" installer runned. Exit code: . Return code: Removed cached update installer.\?"\|><:/*<=Installing using helper service.Service detected.Service started.Unable to start service: Support service not configured in updates.ini.Service running from path: "LegacyIpcObjectBaseName: <b>%s</b><b><font color = "#FF0000">%s</font></b><b><font color = "#B84401">%s</font></b>\pard\li144\b\f2\par %s\par/qbUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/checknow/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding
Source: updater.exe	String found in binary or memory: installUpdate "" installer runned. Exit code: . Return code: Removed cached update installer.\?"\|><:/*<=Installing using helper service.Service detected.Service started.Unable to start service: Support service not configured in updates.ini.Service running from path: "LegacyIpcObjectBaseName: <b>%s</b><b><font color = "#FF0000">%s</font></b><b><font color = "#B84401">%s</font></b>\pard\li144\b\f2\par %s\par/qbUpdater finished. Mode: updater.logRunning updater. Mode: Updater wizard ended. Return code: retryattemptsrememberpasswordloglevelautoupdatepolicyUpdater-comproxystub.dllSoftware\Caphyon\Advanced Updater\SettingsConfigFilePathNoAutoUpdateCheckNextUpdateCheck/checknow/silent/silentall/silentcritical-nofreqcheck-url-minuseractions-licensecheckurl-licenseid-justdownload-startminimized-restartapp-restartappcmd-nogui-reducedgui-showaitdlg-forcemsibasicui-startappfirst/configure/clean/justcheck-dumpdetected-critical-installready-licensendate/runservice/debugservice/installservice/configservice-name/uninstallservice/runserverIPCObjNameBase/set/automation-clsid-registerproxystub-Embedding

Source: C:\Users\user\Desktop\updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\updater.exe	Section loaded: msls31.dll	Jump to behavior

Source: updater.exe

Static PE information: certificate valid

Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: updater.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: updater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: updater.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\JobRelease\win\Release\stubs\x86\Updater.pdb source: updater.exe

Source: updater.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: updater.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: updater.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: updater.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: updater.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8C000 ShellExecuteExW,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle,

0_2_00A8C000

Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEEEBC push ecx; ret		0_2_00AEEECF
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEF416 push ecx; ret		0_2_00AEF429

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AEDE18 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AEDE18

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A9EA70

0_2_00A9EA70

Source: C:\Users\user\Desktop\updater.exe

API coverage: 1.0 %

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A9EA70

0_2_00A9EA70

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8DFB0 FindFirstFileW,GetLastError,FindClose,

0_2_00A8DFB0

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AEC5D5 VirtualQuery,GetSystemInfo,

0_2_00AEC5D5

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AEC9FE IsDebuggerPresent,OutputDebugStringW,

0_2_00AEC9FE

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8C000 ShellExecuteExW,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,CloseHandle,

0_2_00A8C000

Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF8AFA mov eax, dword ptr fs:[00000030h]		0_2_00AF8AFA
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AECD13 mov esi, dword ptr fs:[00000030h]		0_2_00AECD13

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00B0046A GetProcessHeap,

0_2_00B0046A

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEE937 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AEE937
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEF038 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AEF038
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AEF1CB SetUnhandledExceptionFilter,	0_2_00AEF1CB
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00AF34FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AF34FF

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00AEF220 cpuid

0_2_00AEF220

Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	0_2_00B021EA
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	0_2_00B02104
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	0_2_00B0214F
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B02277
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	0_2_00B024C7
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B025F0
Source: C:\Users\user\Desktop\updater.exe	Code function: EnumSystemLocalesW,	0_2_00AFC5DD
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	0_2_00B026F7
Source: C:\Users\user\Desktop\updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B027C4
Source: C:\Users\user\Desktop\updater.exe	Code function: GetLocaleInfoW,	0_2_00AFC982
Source: C:\Users\user\Desktop\updater.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00B01E8C

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A8AC60 GetSystemTime,SystemTimeToFileTime,GetLastError,

0_2_00A8AC60

Source: C:\Users\user\Desktop\updater.exe

Code function: 0_2_00A9ACB0 GetVersionExW,SendMessageW,

0_2_00A9ACB0

Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A825A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_00A825A0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A81040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_00A81040
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A818A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSectionAndSpinCount,GetLastError,	0_2_00A818A0
Source: C:\Users\user\Desktop\updater.exe	Code function: 0_2_00A81940 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	0_2_00A81940

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
updater.exe	26%	ReversingLabs	Win32.Adware.Blazer
updater.exe	29%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431804
Start date and time:	2024-04-25 19:57:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	updater.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 7 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.429858226831477
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	updater.exe
File size:	906'048 bytes
MD5:	e867b82738afc3961e615c098f241923
SHA1:	f6d2a17785021eaf4d3a671a364d57de25e0198b
SHA256:	519527de78b5783744168a78a9d2b9d84da7a49d91eb0d764f515e264eb45380
SHA512:	3747f6f678992b371763e94e8cdf0943e28a9912634121b7b8e5e48edd60d3e21536fd7c97cd55e35ce4710ba66d64af15806596a2cf24ad3ba80bc3b6f18aeb
SSDEEP:	12288:gurjZeiIdqWKFQvjawfhVw5YJ91pK2wT1F6tVWEWvlxjn3NrABHB/5j3S+ochRzh:rhSvuKapI1S+NRzVFxiL8FgW7Z//
TLSH:	E6154B2175C7C03AC5714433957CEA6A147A7F320F35A6D76AD837AD5AB8CC20E32E29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0..Atz..tz..tz....[.zz....Y..z....X.iz..&...lz..&...Wz..&...8z..}.).rz..}.9.kz..tz...{.......z....U.uz......uz..Richtz.........

File Icon


Icon Hash:	2b698e8c88c8690f

Static PE Info

General

Entrypoint:	0x46ee7f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C929AB6 [Wed Mar 20 19:55:34 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5ccbe2358d553f39631d054e6b744c77

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/02/2022 00:00:00 28/02/2023 23:59:59
Subject Chain	CN=Millennial Media Inc., O=Millennial Media Inc., L=Panama City, S=Panama, C=PA, SERIALNUMBER=155704409, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=PA
Version:	3
Thumbprint MD5:	CBD12A57009372827876A8D307FF14CB
Thumbprint SHA-1:	A00D344BDC112328D1969ADF9DECBE8A96035DC3
Thumbprint SHA-256:	420B0B9BD9773EBB3D9632019283CA919929C8A4A1F94B8B390493F55AB17442
Serial:	0A253234E29F318F9B6846682E99078D

Entrypoint Preview

Instruction
call 00007FD384CECD89h
jmp 00007FD384CEC5BFh
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FD384CECE7Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FD384CECE69h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004C4074h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004C4074h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
int3
int3
int3
int3
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1f2c	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0xda08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xda400	0x2f40	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd5000	0x8b24	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaf2b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xaf320	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9cb88	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9a000	0x51c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc1a0c	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9886f	0x98a00	3fe23e419deef303b0b5a01fa295772a	False	0.4579190340909091	data	6.530435313404647	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9a000	0x29b8a	0x29c00	6847aeec4f54da0d8582db5aa941ef14	False	0.38988819236526945	data	4.813350074450152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc4000	0x2764	0x1200	8665948c893ec0f26461b5d9de423061	False	0.22591145833333334	data	2.8032525317785923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0xda08	0xdc00	750c069a6eaed5109c2635a074aea42a	False	0.2719637784090909	data	4.645629358752017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd5000	0x8b24	0x8c00	0a009cfce5f27066a51cd8c114ff6cba	False	0.5798828125	data	6.565088947001966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0xc7668	0x1910	data	English	United States	0.4198877805486284
RT_ICON	0xc8f78	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.20376712328767124
RT_ICON	0xcd1a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.25404564315352696
RT_ICON	0xcf748	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2905722326454034
RT_ICON	0xd07f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3360655737704918
RT_ICON	0xd1178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5141843971631206
RT_MENU	0xd15e0	0x2a	data	English	United States	1.0714285714285714
RT_MENU	0xd160c	0x4c	data	English	United States	0.9210526315789473
RT_DIALOG	0xd1658	0xd0	data	English	United States	0.7211538461538461
RT_DIALOG	0xd1728	0x1e8	data	English	United States	0.5348360655737705
RT_DIALOG	0xd1910	0x3b4	data	English	United States	0.4282700421940928
RT_DIALOG	0xd1cc4	0x19a	data	English	United States	0.5658536585365853
RT_DIALOG	0xd1e60	0xf6	data	English	United States	0.6747967479674797
RT_DIALOG	0xd1f58	0x1b4	data	English	United States	0.5527522935779816
RT_DIALOG	0xd210c	0x1a4	data	English	United States	0.6071428571428571
RT_DIALOG	0xd22b0	0xbc	data	English	United States	0.6648936170212766
RT_DIALOG	0xd236c	0x6c	data	English	United States	0.7407407407407407
RT_STRING	0xd23d8	0x300	data	English	United States	0.4036458333333333
RT_STRING	0xd26d8	0x186	data	English	United States	0.5025641025641026
RT_STRING	0xd2860	0x1a0	data	English	United States	0.5144230769230769
RT_STRING	0xd2a00	0x23c	data	English	United States	0.458041958041958
RT_STRING	0xd2c3c	0x3d2	data	English	United States	0.36912065439672803
RT_STRING	0xd3010	0x356	data	English	United States	0.43559718969555034
RT_STRING	0xd3368	0x55e	data	English	United States	0.41120815138282385
RT_STRING	0xd38c8	0x660	data	English	United States	0.2922794117647059
RT_RCDATA	0xd3f28	0x3	ASCII text, with no line terminators	English	United States	3.6666666666666665
RT_GROUP_ICON	0xd3f2c	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0xd3f78	0x314	data	English	United States	0.4403553299492386
RT_MANIFEST	0xd428c	0x77b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WININET.dll	InternetCloseHandle, InternetSetStatusCallbackW, InternetCrackUrlW, InternetOpenW, InternetGetLastResponseInfoW, InternetReadFile, InternetQueryDataAvailable, FtpGetFileSize, InternetQueryOptionW, InternetSetOptionW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, InternetErrorDlg, FtpCommandW
msi.dll
CRYPT32.dll	CertFreeCertificateContext, CertNameToStrW
MPR.dll	WNetAddConnection2W
KERNEL32.dll	EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetFileType, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCommandLineA, GetStdHandle, CopyFileExW, GetLastError, FileTimeToSystemTime, SystemTimeToFileTime, CompareFileTime, DeleteFileW, MoveFileW, CopyFileW, CreateFileW, CloseHandle, FindFirstFileW, RemoveDirectoryW, FindNextFileW, GetFileSize, CreateDirectoryW, SetFileAttributesW, GetFileTime, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, ReadFile, FindClose, GetTempPathW, GetTempFileNameW, GetProcAddress, GetSystemDirectoryW, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, LoadLibraryExW, LoadLibraryW, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, Process32NextW, GetCurrentProcess, GetCurrentProcessId, GetExitCodeProcess, WaitForSingleObject, FreeLibrary, GetModuleHandleW, Sleep, RaiseException, LocalFree, GetCommandLineW, GetUserDefaultUILanguage, GetSystemTime, FileTimeToLocalFileTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateProcessW, SetFilePointer, MultiByteToWideChar, WideCharToMultiByte, FormatMessageW, SetLastError, WriteFile, GetEnvironmentVariableW, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, lstrcmpiW, GetVersionExW, lstrlenW, CompareStringW, GetTickCount, GetExitCodeThread, TerminateThread, CreateThread, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, GetCurrentThreadId, OutputDebugStringW, GetLocalTime, FlushFileBuffers, GetStringTypeW, ResetEvent, CreateEventW, SetEvent, GlobalFree, MulDiv, InterlockedIncrement, InterlockedDecrement, QueryPerformanceFrequency, QueryPerformanceCounter, GetSystemDefaultLangID, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, UnmapViewOfFile, ReleaseMutex, CreateFileMappingW, MapViewOfFile, CreateMutexW, OpenFileMappingW, OpenEventW, lstrcpynW, DecodePointer, GetACP, Module32FirstW, TerminateProcess, GetEnvironmentStringsW, VirtualFree, VirtualAlloc, IsProcessorFeaturePresent, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, FreeEnvironmentStringsW, EncodePointer, IsDebuggerPresent, LoadLibraryExA, VirtualQuery, VirtualProtect, GetSystemInfo, SetStdHandle, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, LocalAlloc, GetCPInfo, GetModuleHandleExW, ExitProcess, RtlUnwind, GetStartupInfoW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, LCMapStringW, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter
USER32.dll	GetSubMenu, LoadMenuW, ModifyMenuW, GetMessagePos, SetCursorPos, RemovePropW, SetPropW, GetWindowDC, DrawEdge, GetActiveWindow, DialogBoxParamW, MoveWindow, GetSystemMenu, DrawMenuBar, RegisterWindowMessageW, GetMessageW, GetDesktopWindow, PostQuitMessage, SetMenuDefaultItem, GetMenuItemID, GetPropW, MonitorFromPoint, SetForegroundWindow, MessageBoxW, GetDlgCtrlID, FillRect, TrackMouseEvent, DestroyWindow, EndPaint, BeginPaint, SetCursor, SetCapture, PostMessageW, ReleaseCapture, GetCapture, GetClassInfoExW, EndDialog, MonitorFromWindow, GetMonitorInfoW, IsWindowVisible, GetWindowRect, MapWindowPoints, EnableWindow, GetDlgItem, GetWindow, RegisterClassExW, PtInRect, ScreenToClient, GetCursorPos, UpdateWindow, InvalidateRect, CharNextW, OffsetRect, ReleaseDC, GetDC, IsWindow, SetRectEmpty, GetWindowTextW, GetWindowTextLengthW, CreateWindowExW, SystemParametersInfoW, LoadCursorW, GetClassNameW, GetClientRect, DrawFocusRect, GetFocus, DrawTextW, GetSysColor, IsWindowEnabled, RedrawWindow, SetWindowPos, TrackPopupMenu, EnableMenuItem, DestroyMenu, PostThreadMessageW, LockWindowUpdate, UnregisterClassW, CallWindowProcW, DefWindowProcW, SetWindowLongW, GetSystemMetrics, ShowWindow, SetFocus, LoadImageW, DispatchMessageW, PeekMessageW, LoadStringW, SetWindowTextW, SendMessageW, GetWindowLongW, GetWindowThreadProcessId, EnumWindows, GetForegroundWindow, GetParent
GDI32.dll	PatBlt, CreateBitmap, SetTextColor, SetBkMode, GetStockObject, DeleteObject, DeleteDC, CreateFontIndirectW, SelectObject, GetObjectW, CreatePatternBrush
SHELL32.dll	Shell_NotifyIconW, ShellExecuteW, SHBrowseForFolderW, ShellExecuteExW, SHGetFolderPathW, SHGetPathFromIDListW
ole32.dll	CoCreateGuid, CoInitializeEx, CoTaskMemFree, CoUninitialize, CoCreateInstance, CoRevokeClassObject, CoRegisterClassObject, CoAddRefServerProcess, CoReleaseServerProcess, CLSIDFromString, CoResumeClassObjects, CoTaskMemRealloc, CoTaskMemAlloc
OLEAUT32.dll	RevokeActiveObject, DispGetIDsOfNames, SysAllocString, LoadTypeLib, VarUI4FromStr, SysFreeString, DispInvoke
SHLWAPI.dll	PathFileExistsW, PathAppendW
COMCTL32.dll	PropertySheetW, InitCommonControlsEx, DestroyPropertySheetPage, CreatePropertySheetPageW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	19:58:44
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\updater.exe"
Imagebase:	0xa80000
File size:	906'048 bytes
MD5 hash:	E867B82738AFC3961E615C098F241923
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	213
Total number of Limit Nodes:	8

Executed Functions

Function 00ADDB80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002,C956CA52,?,?,00B16B50,000000FF), ref: 00ADDBCF
DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,?,00B16B50,000000FF), ref: 00ADDBDD
InitCommonControlsEx.COMCTL32(?,?,?,00B16B50,000000FF), ref: 00ADDBF5
LoadLibraryW.KERNELBASE(RICHED20.DLL,?,?,00B16B50,000000FF), ref: 00ADDC00

Part of subcall function 00ADE0A0: GetCurrentThreadId.KERNEL32 ref: 00ADE0FF

Strings

RICHED20.DLL, xrefs: 00ADDBFB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CommonControlsCurrentInitInitializeLibraryLoadProcThreadWindow
String ID: RICHED20.DLL
API String ID: 3423013785-992299850
Opcode ID: b7d62337234de11f8794f3106c5ff84df2766c360a4b42022dc5596600fc90d4
Instruction ID: a7342c0ac98be29d44cc347e9dd7f84e801ab37137c73df7e75093231e14fb47
Opcode Fuzzy Hash: b7d62337234de11f8794f3106c5ff84df2766c360a4b42022dc5596600fc90d4
Instruction Fuzzy Hash: 80314F71940149AFDB10EFA8CD59BDEBBB4BF04310F508259E516AB2D1DF746B08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A8DFB0 Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?), ref: 00A8E04D
FindClose.KERNEL32(00000000), ref: 00A8E0AF

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Find$CloseException@8FileFirstThrow
String ID:
API String ID: 721412918-0
Opcode ID: 0426af028cac98583029840a6f17244152691ec55cdcf90fe266adfb358a0730
Instruction ID: 49fb424b8a998518b271667ef13a954e2ccfff516df2017bf467ed4e8e39a23e
Opcode Fuzzy Hash: 0426af028cac98583029840a6f17244152691ec55cdcf90fe266adfb358a0730
Instruction Fuzzy Hash: 2F31C370944218DBDB24FF68DD49B69B7F4EB08324F10869EE519E7280D7B16D44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8AFA Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,?,00AF8AD0,00000000,00B41630,0000000C,00AF8C27,00000000,00000002,00000000), ref: 00AF8B1B
TerminateProcess.KERNEL32(00000000,?,00AF8AD0,00000000,00B41630,0000000C,00AF8C27,00000000,00000002,00000000), ref: 00AF8B22
ExitProcess.KERNEL32 ref: 00AF8B34

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e2ce13a6d762ba78fc8687b8ae9d2705edccbf4428dd20cb632bbe44aa23d79e
Instruction ID: 6d13c53c22cecfbc6f8e7a6ae7979bb7d5edc48422170f6ee3d6cc7417db3253
Opcode Fuzzy Hash: e2ce13a6d762ba78fc8687b8ae9d2705edccbf4428dd20cb632bbe44aa23d79e
Instruction Fuzzy Hash: 9EE09271101208ABCB126BA4DE09AAD3B69EB55792F404414FA099B122CF3AED52CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD65C0 Relevance: 34.6, APIs: 14, Strings: 5, Instructions: 1312COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 00AD6A0F
PathFileExistsW.SHLWAPI(?,updater.log,0000000B), ref: 00AD6FEB
InitializeCriticalSection.KERNEL32(00000000,updater.log,0000000B), ref: 00AD7023
EnterCriticalSection.KERNEL32(?,updater.log,0000000B), ref: 00AD7033
LeaveCriticalSection.KERNEL32(?), ref: 00AD70DC
InitializeCriticalSection.KERNEL32(00000000), ref: 00AD7104
EnterCriticalSection.KERNEL32(?), ref: 00AD7117
LeaveCriticalSection.KERNEL32(?), ref: 00AD7142
InitializeCriticalSection.KERNEL32(00000000), ref: 00AD716A
EnterCriticalSection.KERNEL32(?), ref: 00AD717D
LeaveCriticalSection.KERNEL32(?), ref: 00AD71A4
GetActiveWindow.USER32 ref: 00AD736A
GetWindowTextW.USER32(?,?,00000104), ref: 00AD7388

Part of subcall function 00AD8220: PostThreadMessageW.USER32(8B0C428D,00B159A2,00000001,?), ref: 00AD831A
Part of subcall function 00AD8220: GetLastError.KERNEL32 ref: 00AD8324

GetActiveWindow.USER32 ref: 00AD7743

Strings

updater.log, xrefs: 00AD6FBB
- , xrefs: 00AD7676
!, xrefs: 00AD7790
Software\Caphyon\Advanced Updater\%s, xrefs: 00AD69C1
Running updater. Mode: , xrefs: 00AD7201

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveWindow$ActiveFile$ErrorExistsLastMessageModuleNamePathPostTextThread
String ID: - $!$Running updater. Mode: $Software\Caphyon\Advanced Updater\%s$updater.log
API String ID: 1176948131-3539604923
Opcode ID: 1d1986847f38dd2c971599d83972487fb14eda7c2172e88e4f847e0cb82d7b22
Instruction ID: 806491e25abc187b4e3972c715e217cf94c4a86a2b868ade83878c10d6860853
Opcode Fuzzy Hash: 1d1986847f38dd2c971599d83972487fb14eda7c2172e88e4f847e0cb82d7b22
Instruction Fuzzy Hash: B5C2BCB09006558FDB24DF28C944BAEB7B4EF45314F1481DEE55AAB392EB30AE84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00AD63C0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00AD645E

Strings

open, xrefs: 00AD6457
. Return code: , xrefs: 00AD64C9
Updater finished. Mode: , xrefs: 00AD64B0
<, xrefs: 00AD643F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ExecuteShell
String ID: . Return code: $<$Updater finished. Mode: $open
API String ID: 587946157-3707118139
Opcode ID: c7009ebb9170c978a347be45edcabc7f6e8cca26036751d86e86c9983906acb4
Instruction ID: ad64fdde76f0eda6236de023c71f1c5d1badc9efa56cfd6907fa5468dfe91541
Opcode Fuzzy Hash: c7009ebb9170c978a347be45edcabc7f6e8cca26036751d86e86c9983906acb4
Instruction Fuzzy Hash: EF512671A006089BDB24DFACC949BAEF7B1FF45314F14466EE016AB391DB349D40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD9F0 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(?,C956CA52), ref: 00ADDA19
EnterCriticalSection.KERNEL32(?,?,C956CA52), ref: 00ADDA37
DestroyWindow.USER32(00000000,?,C956CA52), ref: 00ADDA55
LeaveCriticalSection.KERNEL32(?,?,C956CA52), ref: 00ADDA9E
CoUninitialize.OLE32(?,C956CA52), ref: 00ADDB64

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$DestroyEnterFreeLeaveLibraryUninitializeWindow
String ID:
API String ID: 1669412380-0
Opcode ID: 116a6e5e3d1f768bf5c8cf97d2419629b1a6ae937b21f389e994f811c4208767
Instruction ID: 931e5a5e4077dbab8b6cee177bc2ec24fd292fc0b1e4ec87b544bd7c27386a50
Opcode Fuzzy Hash: 116a6e5e3d1f768bf5c8cf97d2419629b1a6ae937b21f389e994f811c4208767
Instruction Fuzzy Hash: C941AC71901200DBEB30DF68D944B5ABBF4FF02715F05496EE856A73A0DBB4A940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A87BF0 Relevance: 1.6, APIs: 1, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 00A87CA3

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 03d91882a3b4c8cdbe6c7302f11edd865e5c7494bd2411bfc6ad8bb911b6050c
Instruction ID: 176cc18c9cfef9df665924165ac7c84d40d1b262db2619752c68aa98e8b8d742
Opcode Fuzzy Hash: 03d91882a3b4c8cdbe6c7302f11edd865e5c7494bd2411bfc6ad8bb911b6050c
Instruction Fuzzy Hash: D0219DB1204306AFD714DF18D884FAEB7A4FF85711F20891EF5599B291D770E948CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00ADA7F0 Relevance: 80.4, Strings: 62, Instructions: 2940COMMON

Download Yara Rule

Strings

RealUpdaterPath, xrefs: 00ADADA0, 00ADBAAD
-restartappcmd, xrefs: 00ADC524
NoGUI, xrefs: 00ADB1C8
URL, xrefs: 00ADAF96
-startminimized, xrefs: 00ADC3E3, 00ADC3F3
-url, xrefs: 00ADB67F, 00ADC08A, 00ADC09A
/debugservice, xrefs: 00ADB84F
-licenseid, xrefs: 00ADC281, 00ADC291
silentall, xrefs: 00ADABE8
UninstallFilePath, xrefs: 00ADAD2C, 00ADBA3B
-forcemsibasicui, xrefs: 00ADC76D
/checknow, xrefs: 00ADA9C1
silentcritical, xrefs: 00ADAC04
3, xrefs: 00ADC822
/clean, xrefs: 00ADB55D
-licensecheckurl, xrefs: 00ADC1F3, 00ADC203
General, xrefs: 00ADAC58, 00ADACCC, 00ADAD40, 00ADADB4, 00ADAE34, 00ADAEF6, 00ADAFAA, 00ADB021, 00ADB098, 00ADB11B, 00ADB1D9, 00ADB297, 00ADB356, 00ADB9DA, 00ADBA4F, 00ADBAC1, 00ADBB33
startappfirst, xrefs: 00ADB10A
/installservice, xrefs: 00ADB87D
-clsid, xrefs: 00ADBDBE
restartappcmd, xrefs: 00ADB084
/configure, xrefs: 00ADAAC6
-restartapp, xrefs: 00ADC4B7, 00ADC4C7
/configservice, xrefs: 00ADB8AB
autoupdatepolicy, xrefs: 00ADBD5A
-startappfirst, xrefs: 00ADC815
-licensendate, xrefs: 00ADB763
-dumpdetected, xrefs: 00ADB5E9
-nogui, xrefs: 00ADC57E
retryattempts, xrefs: 00ADBD3A
/automation, xrefs: 00ADBD84
IPCObjNameBase, xrefs: 00ADBB1F
/silent, xrefs: 00ADAA03, 00ADBEAF
-installready, xrefs: 00ADB73B
StartMinimized, xrefs: 00ADAEE5
silent, xrefs: 00ADABCC, 00ADB58C
/runserver, xrefs: 00ADB989
/set, xrefs: 00ADBBA0
/justcheck, xrefs: 00ADB5AA
loglevel, xrefs: 00ADBD4A
true, xrefs: 00ADAE97, 00ADAF59, 00ADB17E, 00ADB23C, 00ADB2FA, 00ADB3B9
-minuseractions, xrefs: 00ADC116, 00ADC126
-reducedgui, xrefs: 00ADC625
-critical, xrefs: 00ADB715
JustDownloadUpdates, xrefs: 00ADAE23
-nofreqcheck, xrefs: 00ADBFB5, 00ADBFC5
rememberpassword, xrefs: 00ADBC9C
-Embedding, xrefs: 00ADBE8F
restartapp, xrefs: 00ADB00D
/runservice, xrefs: 00ADB821
-registerproxystub, xrefs: 00ADBE6A
-showaitdlg, xrefs: 00ADC6C9
/silentall, xrefs: 00ADAA43, 00ADBEF4
-justdownload, xrefs: 00ADC30C, 00ADC31C
ClientConfigPath, xrefs: 00ADAC47, 00ADB9C9
ServerConfigPath, xrefs: 00ADACB8
/uninstallservice, xrefs: 00ADB95B
-name, xrefs: 00ADB8D1
/silentcritical, xrefs: 00ADAA83, 00ADBF3B
ReducedGUI, xrefs: 00ADB286
/install, xrefs: 00ADABA0
ForceMSIBasicUI, xrefs: 00ADB345

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: PrivateProfile$String$NamesSection$FindResourceWrite
String ID: -Embedding$-clsid$-critical$-dumpdetected$-forcemsibasicui$-installready$-justdownload$-licensecheckurl$-licenseid$-licensendate$-minuseractions$-name$-nofreqcheck$-nogui$-reducedgui$-registerproxystub$-restartapp$-restartappcmd$-showaitdlg$-startappfirst$-startminimized$-url$/automation$/checknow$/clean$/configservice$/configure$/debugservice$/install$/installservice$/justcheck$/runserver$/runservice$/set$/silent$/silentall$/silentcritical$/uninstallservice$3$ClientConfigPath$ForceMSIBasicUI$General$IPCObjNameBase$JustDownloadUpdates$NoGUI$RealUpdaterPath$ReducedGUI$ServerConfigPath$StartMinimized$URL$UninstallFilePath$autoupdatepolicy$loglevel$rememberpassword$restartapp$restartappcmd$retryattempts$silent$silentall$silentcritical$startappfirst$true
API String ID: 3643586408-1792387188
Opcode ID: 68adc72610246d66a8c1e0ea26c934355179a7cac3bf1c65fa79079391fd98a4
Instruction ID: 218cb20a2f76eb29468a2bcab4899341ab69011da20a35fa975f5b627b2a4a71
Opcode Fuzzy Hash: 68adc72610246d66a8c1e0ea26c934355179a7cac3bf1c65fa79079391fd98a4
Instruction Fuzzy Hash: 98330730A00505CFDB10DFA8C984BAEF7B5AF51324F65826AE4179B3A2EB31DD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AA3DF0 Relevance: 58.6, APIs: 26, Strings: 7, Instructions: 894filenetworksleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00AA417E
ResetEvent.KERNEL32(?,0000C800), ref: 00AA42AD
InternetQueryDataAvailable.WININET(00000000,C000008C,00000000,00000000), ref: 00AA42CA
GetLastError.KERNEL32(?,?,?,00B285E8,00000000), ref: 00AA42D8
GetLastError.KERNEL32(?,?,?,00B285E8,00000000), ref: 00AA42F5
Sleep.KERNEL32(0000000A), ref: 00AA4328
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00AA434B
ResetEvent.KERNEL32(?), ref: 00AA43C5
InternetReadFile.WININET(00000000,00000000,00000005,00000000), ref: 00AA43E2
GetLastError.KERNEL32 ref: 00AA43F0
CloseHandle.KERNEL32(00000005), ref: 00AA4696
GetLastError.KERNEL32 ref: 00AA46EE

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

CloseHandle.KERNEL32(00000005), ref: 00AA4805
DeleteFileW.KERNEL32(?), ref: 00AA4816
MoveFileW.KERNEL32(?,?), ref: 00AA4822
CopyFileW.KERNEL32(?,?,00000000), ref: 00AA4835
GetLastError.KERNEL32 ref: 00AA483F
DeleteFileW.KERNEL32(?), ref: 00AA485A

Strings

Creation of file to download on disk failed, xrefs: 00AA40E4
), xrefs: 00AA47B3
CreateSubFolders() failed, xrefs: 00AA3FC9
Failed to saved in file the bytes read, xrefs: 00AA4740
Before reading in loop, xrefs: 00AA41F8
Before FileSystemUtil::CreateSubFolders(), xrefs: 00AA3ED8
AsyncDownloadThread read 0 bytes., xrefs: 00AA4582

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$File$CloseCriticalCurrentDeleteEventHandleInternetProcessResetSection$AvailableCopyDataEnterHeapInitializeMoveObjectQueryReadSingleSleepThreadWait
String ID: )$AsyncDownloadThread read 0 bytes.$Before FileSystemUtil::CreateSubFolders()$Before reading in loop$CreateSubFolders() failed$Creation of file to download on disk failed$Failed to saved in file the bytes read
API String ID: 142098678-3070757707
Opcode ID: f2e9b02839788cdf7dff2ab8050307d41efda74c3d011c3e454fa9837b2c053b
Instruction ID: 4b1b4a40fbb5b016b364858ccf662c1db41ef225fd8b024a865c73351fcc20d3
Opcode Fuzzy Hash: f2e9b02839788cdf7dff2ab8050307d41efda74c3d011c3e454fa9837b2c053b
Instruction Fuzzy Hash: 7072C4706012459FEF10EFA8C984BAEBBA4EF4A310F148168F915DB2E2DB74DD04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8040 Relevance: 45.6, APIs: 30, Instructions: 643windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,-00007F84), ref: 00AB808E
GetSystemMetrics.USER32(-00000020), ref: 00AB80AC
GetWindowLongW.USER32(?,000000EC), ref: 00AB80C9
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 00AB8129
GetMessagePos.USER32 ref: 00AB81AD
ScreenToClient.USER32(?,?), ref: 00AB81CD
GetCapture.USER32 ref: 00AB8236
UpdateWindow.USER32(?), ref: 00AB8298

Part of subcall function 00AB9290: GetWindowRect.USER32(?,?), ref: 00AB92FD
Part of subcall function 00AB9290: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00AB930D
Part of subcall function 00AB9290: OffsetRect.USER32(?,?,?), ref: 00AB9323
Part of subcall function 00AB9290: GetWindowDC.USER32(00000000), ref: 00AB9340
Part of subcall function 00AB9290: SelectObject.GDI32(00000000,?), ref: 00AB9370
Part of subcall function 00AB9290: PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00AB9398
Part of subcall function 00AB9290: SelectObject.GDI32(?,00000000), ref: 00AB93A3
Part of subcall function 00AB9290: DeleteObject.GDI32(?), ref: 00AB93B6

Part of subcall function 00AB96A0: MulDiv.KERNEL32(000000FF,?,7FFFFFFF), ref: 00AB96DD
Part of subcall function 00AB96A0: MulDiv.KERNEL32(?,7FFFFFFF,?), ref: 00AB979B

Part of subcall function 00AB9290: ReleaseDC.USER32(?,00000000), ref: 00AB93D8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Object$RectSelectSystem$CaptureClientCursorDeleteInfoLoadLongMessageMetricsOffsetParametersPointsReleaseScreenUpdate
String ID:
API String ID: 2297393119-0
Opcode ID: 6191c32749139e257efa560d47c39c0d3d13d9e7a81e796256cefe14b5464bd7
Instruction ID: 69028ff2054479063d236d31f72d9c15a3df292ac28910133bb56a2504a6f7d8
Opcode Fuzzy Hash: 6191c32749139e257efa560d47c39c0d3d13d9e7a81e796256cefe14b5464bd7
Instruction Fuzzy Hash: 42328A716043458FDB24DF28D945AAEB7E9FF89310F404A1EF886C7291DB38E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A99850 Relevance: 43.9, APIs: 29, Instructions: 432windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A9987D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A99895
IsWindow.USER32(?), ref: 00A998D3
DestroyWindow.USER32(?), ref: 00A998E0
DeleteObject.GDI32(?), ref: 00A998F7
DeleteObject.GDI32(?), ref: 00A99912
GetCapture.USER32 ref: 00A9993F
ReleaseCapture.USER32 ref: 00A9994E
PtInRect.USER32(?,?,?), ref: 00A99968

Part of subcall function 00A994B0: GetClassNameW.USER32(?,?,00000008), ref: 00A99513
Part of subcall function 00A994B0: lstrcmpiW.KERNEL32(?,static), ref: 00A99526
Part of subcall function 00A994B0: GetWindowLongW.USER32(?,000000F0), ref: 00A9953B
Part of subcall function 00A994B0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A9954F
Part of subcall function 00A994B0: GetWindowLongW.USER32(?,000000F0), ref: 00A9955A
Part of subcall function 00A994B0: LoadCursorW.USER32(00000000,00007F89), ref: 00A9959C
Part of subcall function 00A994B0: SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 00A995D1

IsWindow.USER32 ref: 00A999C9
SendMessageW.USER32(?,00000407,00000000,?), ref: 00A999EE
InvalidateRect.USER32(?,00000000,00000001), ref: 00A99A6A
PtInRect.USER32(?,?,00000000), ref: 00A99AF5
SetCursor.USER32(00000000,?,00000000), ref: 00A99B02
InvalidateRect.USER32(?,?,00000001,?,00000000), ref: 00A99B26
UpdateWindow.USER32(?), ref: 00A99B2F
TrackMouseEvent.USER32 ref: 00A99B59

Part of subcall function 00A9A320: InvalidateRect.USER32(?,00000000,00000001), ref: 00A9A32D

InvalidateRect.USER32(?,?,00000001,?,00000000), ref: 00A99B92
UpdateWindow.USER32(?), ref: 00A99B9B
PtInRect.USER32(?,?,?), ref: 00A99BFD
SetFocus.USER32(?,?,?), ref: 00A99C0E
SetCapture.USER32(?,?,?), ref: 00A99C17
GetCursorPos.USER32(00000000), ref: 00A99C94
ScreenToClient.USER32(?,00000000), ref: 00A99CA2
PtInRect.USER32(?,?,?), ref: 00A99CC4
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00A99CEF
UpdateWindow.USER32(?), ref: 00A99CF8
DeleteObject.GDI32(?), ref: 00A99D37
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00A99D90

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Rect$Invalidate$Long$CaptureCursorDeleteObjectUpdate$ClassClientDestroyEventFocusInfoLoadMessageMouseNameParametersReleaseScreenSendSystemTracklstrcmpi
String ID:
API String ID: 2119648657-0
Opcode ID: 1d32c83a6de5be5e576dd05dade8490b1656a920d4a6d1d2a9c7f26fccb5ebdd
Instruction ID: aeb7001da26ca34a0cb719b075b83c8ecbfbd06401cf9d2c88615572caf19f0f
Opcode Fuzzy Hash: 1d32c83a6de5be5e576dd05dade8490b1656a920d4a6d1d2a9c7f26fccb5ebdd
Instruction Fuzzy Hash: 76E1D031700304AFDF319F1DE8847ABB7E5EB85325F40852EF896876A0CB76A855CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4170 Relevance: 37.2, APIs: 19, Strings: 2, Instructions: 415processlibraryloaderCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AE41B9
Process32FirstW.KERNEL32(00000000,00000000), ref: 00AE4202
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,-00000010,00000000), ref: 00AE4227
LoadLibraryW.KERNEL32(Kernel32.dll,?,?,?,?,-00000010,00000000), ref: 00AE4251
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00AE4281
FreeLibrary.KERNEL32(00000000,?,?,?,?,-00000010,00000000), ref: 00AE4297
CloseHandle.KERNEL32(00000000,?,?,?,?,-00000010,00000000), ref: 00AE4316
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AE4347
CloseHandle.KERNEL32(00000000,?,-00000010,00000000), ref: 00AE436A
Process32NextW.KERNEL32(?,-00000001), ref: 00AE4455
CloseHandle.KERNEL32(00000000,?,-00000010,00000000), ref: 00AE448F

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

GetWindowThreadProcessId.USER32(?,?), ref: 00AE4525
GetWindowTextW.USER32(?,?,00000104), ref: 00AE4540
GetWindowLongW.USER32(?,000000F0), ref: 00AE4552
GetWindowLongW.USER32(?,000000EC), ref: 00AE455B

Strings

QueryFullProcessImageNameW, xrefs: 00AE427B
Kernel32.dll, xrefs: 00AE424C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$CloseHandle$CreateLibraryLongProcessProcess32SnapshotToolhelp32$AddressException@8FirstFreeLoadNextOpenProcTextThreadThrow
String ID: Kernel32.dll$QueryFullProcessImageNameW
API String ID: 176431746-1170590071
Opcode ID: 6fb39b730e199a761f2f3fb82fa56e0dd6b30fb14c889cbaa3fdf831ec585cf4
Instruction ID: 619f445245d3da8865f97cbb35d650a37b71d4da5b9899c826ea9ab37498ac4b
Opcode Fuzzy Hash: 6fb39b730e199a761f2f3fb82fa56e0dd6b30fb14c889cbaa3fdf831ec585cf4
Instruction Fuzzy Hash: E0F1E471901258DFDB10DFA9C948BEEBBF8FF09314F148159E919AB291DB749A04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6550 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 374windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000109D,00000001,00000000), ref: 00AB6631
SendMessageW.USER32(?,00001091,000000FF,00000028), ref: 00AB668E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB66DC
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AB6733
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00AB6776
GetClientRect.USER32(?,?), ref: 00AB6839
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 00AB6854
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 00AB6867
SendMessageW.USER32(?,0000101E,00000002,00000000), ref: 00AB6885
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6896
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00AB68EA
SendMessageW.USER32(?,0000102B,-00000001,?), ref: 00AB694B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6965
GetWindowLongW.USER32(?,000000F0), ref: 00AB6977
SendMessageW.USER32(?,?,?,0000102B), ref: 00AB69CC
SendMessageW.USER32(?,?,?,0000102B), ref: 00AB6A19
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00AB6A2E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6A3F
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00AB6A95
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00AB6AE2

Strings

(, xrefs: 00AB6655

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$ClientLongRectWindow
String ID: (
API String ID: 3446042433-3887548279
Opcode ID: 26d2df29558de390ed911e903a9d0c84e03bb057645e7e15c637027b86dc7a3e
Instruction ID: 88a8c3a9e2e56957ae8acc11c730f57c95c7bc414a0938a03990c79ba3eca920
Opcode Fuzzy Hash: 26d2df29558de390ed911e903a9d0c84e03bb057645e7e15c637027b86dc7a3e
Instruction Fuzzy Hash: 84F19E31A04746ABE710CF60CD84BEAFBF5FF8A714F205719F55466291DBB4A8808F82

Uniqueness

Uniqueness Score: -1.00%

Function 00AD1260 Relevance: 34.0, APIs: 12, Strings: 7, Instructions: 791synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8DDF0: _wcsrchr.LIBVCRUNTIME ref: 00A8DE29

SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,-00000010), ref: 00AD135A
PathAppendW.SHLWAPI(00000000,WindowsPowerShell\v1.0\powershell.exe), ref: 00AD136D
PathFileExistsW.SHLWAPI(00000000), ref: 00AD137B
ShellExecuteExW.SHELL32(?), ref: 00AD14EA
GetLastError.KERNEL32 ref: 00AD14F8
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AD1512
GetModuleFileNameW.KERNEL32(00000000,?,00000104,C956CA52,-00000001,00000000,-00000001), ref: 00AD161A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00B28C0C,00B14960,000000FF), ref: 00AD1624
GetExitCodeProcess.KERNEL32(?,?), ref: 00AD151E

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Strings

Removed cached update installer., xrefs: 00AD1BAA
install, xrefs: 00AD1850
open, xrefs: 00AD14A7
Caphyon, xrefs: 00AD1D35, 00AD1DAB
WindowsPowerShell\v1.0\powershell.exe, xrefs: 00AD1364
.appx, xrefs: 00AD12B9
Add-AppxPackage -Path "%s" exit $error.count, xrefs: 00AD12F8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Path$ErrorFileLastProcess$AppendCodeExecuteExistsExitFolderHeapModuleNameObjectShellSingleWait_wcsrchr
String ID: .appx$Add-AppxPackage -Path "%s" exit $error.count$Caphyon$Removed cached update installer.$WindowsPowerShell\v1.0\powershell.exe$install$open
API String ID: 2512937196-1474570992
Opcode ID: 77acd39d8bc7f55861ede2e3d10aad13dc1d13ea4ec8989cad014622652913b6
Instruction ID: af6b278412ddba03604a9752cac05f0ef908ca6226d5a1eb37f84571f2cc7d12
Opcode Fuzzy Hash: 77acd39d8bc7f55861ede2e3d10aad13dc1d13ea4ec8989cad014622652913b6
Instruction Fuzzy Hash: 9262D171A01249EFDB10DFA8C944BEEB7F5FF44314F14866AE816AB392DB309905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6B10 Relevance: 18.3, APIs: 12, Instructions: 280windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABAE30: SendMessageW.USER32 ref: 00ABAE79

SendMessageW.USER32 ref: 00AB6BF5
SendMessageW.USER32(?,0000102B,?,?), ref: 00AB6CBF

Part of subcall function 00AEB570: GetSystemMetrics.USER32(00000000), ref: 00AEB57D
Part of subcall function 00AEB570: GetSystemMetrics.USER32(00000001), ref: 00AEB587

ScreenToClient.USER32(?,?), ref: 00AB6D90
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AB6DC8
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00AB6DE3
LoadMenuW.USER32(0000006F), ref: 00AB6E09
ModifyMenuW.USER32(?,00000000,00000400,00009C44,?), ref: 00AB6E41
ModifyMenuW.USER32(?,00009C45,00000000,00009C45,?), ref: 00AB6E59
EnableMenuItem.USER32(?,00009C44,00000001), ref: 00AB6E6F
EnableMenuItem.USER32(?,00009C45,00000001), ref: 00AB6E87
TrackPopupMenu.USER32(?,00000042,?,?,00000000,00000001,00000000), ref: 00AB6E9C
DestroyMenu.USER32(00000000), ref: 00AB6EAE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Menu$MessageSend$EnableItemMetricsModifySystem$ClientDestroyLoadPopupScreenTrack
String ID:
API String ID: 2816409297-0
Opcode ID: a801659b405b5329f86b58fdc3fe2e2f7f2df8ceb640f9b65cca93b35bc09610
Instruction ID: a29880e452669da005f7949f81e045fe369500aec4496b302c979c20ba4f30f5
Opcode Fuzzy Hash: a801659b405b5329f86b58fdc3fe2e2f7f2df8ceb640f9b65cca93b35bc09610
Instruction Fuzzy Hash: FDA1E431A00349ABDB20CF64DD85BEEBBF5FF89310F104629F945A7292DB75A940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A8C000 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 247libraryloaderCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00A8C203
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00A8C22E
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00A8C25D
FreeLibrary.KERNEL32(00000000), ref: 00A8C273
FreeLibrary.KERNEL32(00000000), ref: 00A8C28E
CloseHandle.KERNEL32(00000000), ref: 00A8C2A8

Strings

open, xrefs: 00A8C092
GetProcessId, xrefs: 00A8C257
<, xrefs: 00A8C06D
kernel32.dll, xrefs: 00A8C229

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Library$Free$AddressCloseExecuteHandleLoadProcShell
String ID: <$GetProcessId$kernel32.dll$open
API String ID: 34176698-2576792382
Opcode ID: 25f866f1c85f2b405c3ee54d7074a5006229984f8a4e38ed5075c826014feece
Instruction ID: 71321fb402d638b0b4e46f9a014781495c78c79b072b26b77ee50dcf34550824
Opcode Fuzzy Hash: 25f866f1c85f2b405c3ee54d7074a5006229984f8a4e38ed5075c826014feece
Instruction Fuzzy Hash: A6A18F71A01609CFDB10DFA8C888BAEBBF4FF59324F148659E415A7291DB74A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AE0970 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060,C956CA52,8007000E,00000000,?,?,?,?,?,?,?,?,00B17190,000000FF), ref: 00AE09F2
LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,?,?,?,?,00B17190,000000FF), ref: 00AE0A01
FindResourceW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00B17190,000000FF), ref: 00AE0A1F
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00B17190,000000FF), ref: 00AE0A37

Part of subcall function 00ADF050: GetLastError.KERNEL32(C956CA52,00000000,00B08030,000000FF,?,00AE0CFD), ref: 00ADF072

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00B17190,000000FF), ref: 00AE0B1A

Strings

REGISTRY, xrefs: 00AE0F2F, 00AE0F62
Module, xrefs: 00AE0E6A
Module_Raw, xrefs: 00AE0EE3

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID: Module$Module_Raw$REGISTRY
API String ID: 328770362-549000027
Opcode ID: 729be567243e26b16d7c59dff5fc1ba45e0191de8295aaa3fcbd6f9f992b369b
Instruction ID: 235f3d7115b926982dbc304f068dfbddbf06dfb914749c8964790cc2433cbbc4
Opcode Fuzzy Hash: 729be567243e26b16d7c59dff5fc1ba45e0191de8295aaa3fcbd6f9f992b369b
Instruction Fuzzy Hash: EB51B47190028DEFDB20DF55CD45FEE77B4FF58314F108129E905AB281EBB49A848BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA96B0 Relevance: 10.7, APIs: 3, Strings: 2, Instructions: 1965processCOMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00AA9743

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

_wcsrchr.LIBVCRUNTIME ref: 00AAA811
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000010,?,?), ref: 00AAA973

Strings

AutoCloseApplication, xrefs: 00AAAA9F
"%s" %s, xrefs: 00AAA927

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateException@8ProcessThrow_wcschr_wcsrchr
String ID: "%s" %s$AutoCloseApplication
API String ID: 1904553066-1081483964
Opcode ID: 34ee25be66ac71bb6a8cdc97bee8dc8a2897e724ce19842fa64d153e728b9810
Instruction ID: c90af04283561c42ed78b67c926d05770915c7b1289b47dab74da6a2d5663bfe
Opcode Fuzzy Hash: 34ee25be66ac71bb6a8cdc97bee8dc8a2897e724ce19842fa64d153e728b9810
Instruction Fuzzy Hash: EBF29C71A006069FDB14DFA8C984BAEF7F1FF59310F148169E815EB2A1DB35AD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B02FD5 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B0311B

Strings

1#QNAN, xrefs: 00B04321
1#IND, xrefs: 00B04313
1#SNAN, xrefs: 00B0431A
1#INF, xrefs: 00B04328

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3606cffbb47bf8005dcc4e1d2035299fb386467bd7508b69353d550a6a43bdea
Instruction ID: 9bd40238c78bf7f8984d4d2133ab2c2756751431b60e9d79dcb2bec79009f363
Opcode Fuzzy Hash: 3606cffbb47bf8005dcc4e1d2035299fb386467bd7508b69353d550a6a43bdea
Instruction Fuzzy Hash: 98C23A71E086288FDB25CE28DD447EABBF9EB44705F1441EAD54EE7280E775AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 00AECD13 Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00AECC2F,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD15
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,00AECC2F,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD3B
HeapAlloc.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD42
InitializeSListHead.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD4F
GetProcessHeap.KERNEL32(00000000,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD64
HeapFree.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD6B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 598b514ed43a8f6a2df3f4f851f5081be00abbc6c77e19348859e2be0100edc9
Instruction ID: 79cee33f417544cd8b8c50d80959e3d2b8e74d65759c6b474c033e6a05292eff
Opcode Fuzzy Hash: 598b514ed43a8f6a2df3f4f851f5081be00abbc6c77e19348859e2be0100edc9
Instruction Fuzzy Hash: 31F0C235201A029BD7209FBAEC48B567BA9FB89721F00847DF985C3380EE3594018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B025F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00B02689
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00B026B2
GetACP.KERNEL32 ref: 00B026C7

Strings

OCP, xrefs: 00B02644
ACP, xrefs: 00B0260E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 48b9a1494fb0104296f8a236a720cfa9f6516a039a291e60e993c6be4d601bee
Instruction ID: 5cdd31925c741cc064c1e3d1ce89203e02f20ea6d631815bc4293e2ef2ae7087
Opcode Fuzzy Hash: 48b9a1494fb0104296f8a236a720cfa9f6516a039a291e60e993c6be4d601bee
Instruction Fuzzy Hash: 9821C532A00100AADB349F54D90DAA77BE6FB55B64F5684E4ED0ADB290EB33DD48C790

Uniqueness

Uniqueness Score: -1.00%

Function 00B027C4 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF29
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF36

GetUserDefaultLCID.KERNEL32 ref: 00B028D0
IsValidCodePage.KERNEL32(00000000), ref: 00B0292B
IsValidLocale.KERNEL32(?,00000001), ref: 00B0293A
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00B02982
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00B029A1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: a47747f508ebaab7784a5e98399b00d92bac65515cf963d48e5682f0ca59d9a5
Instruction ID: 5465791c354f4b8e7dba9802dba542f7fcbfec1547f7e462f26f7404dcad089c
Opcode Fuzzy Hash: a47747f508ebaab7784a5e98399b00d92bac65515cf963d48e5682f0ca59d9a5
Instruction Fuzzy Hash: FE516075A00319ABEF10EBA5CC49ABE7BF8FF14700F1485A9E905E71D1EB709948C761

Uniqueness

Uniqueness Score: -1.00%

Function 00A9EA70 Relevance: 7.6, APIs: 5, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00A9EABC
GetTickCount.KERNEL32 ref: 00A9EADD
Sleep.KERNEL32(000001F4), ref: 00A9EAF5
GetTickCount.KERNEL32 ref: 00A9EB16

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CountTick$ErrorLastSleep
String ID:
API String ID: 1403765585-0
Opcode ID: f57cb24a05113f60ead9e9c0e587371d02abc11a6890b701e01e0d7a48d8bd0b
Instruction ID: 82445ea359a2cfff7048cc391042e17e5d6388365566545226e4451b9865dabd
Opcode Fuzzy Hash: f57cb24a05113f60ead9e9c0e587371d02abc11a6890b701e01e0d7a48d8bd0b
Instruction Fuzzy Hash: 1821DF366083419FD310EB66EC41A6FF7E8FF98711F80892AF58997190DB30A9488A53

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9C00 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

General, xrefs: 00AE9D19

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID: General
API String ID: 0-26480598
Opcode ID: 4bb26dc3e2b31fc84456c360ec0364358032dd5af22ba0c5c5212b549d871c6a
Instruction ID: 063879e6febe1a2a35755c14f198325afbc8f563f99057dfc06f0c31a32f8e47
Opcode Fuzzy Hash: 4bb26dc3e2b31fc84456c360ec0364358032dd5af22ba0c5c5212b549d871c6a
Instruction Fuzzy Hash: D5B1AA71A003958FCF14DF6ACA80BEABBB5EF54354F114169E90AAB342DB31ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC9FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A9AE10: InitializeCriticalSectionAndSpinCount.KERNEL32(00B45098,00000000,C956CA52,00A80000,00B08030,000000FF,?,00AECA2D,?,00A81C76,80004005,C956CA52,?,?,00B187C8,000000FF), ref: 00A9AE35
Part of subcall function 00A9AE10: GetLastError.KERNEL32(?,00AECA2D,?,00A81C76,80004005,C956CA52,?,?,00B187C8,000000FF), ref: 00A9AE3F

IsDebuggerPresent.KERNEL32(?,00A81C76,80004005,C956CA52,?,?,00B187C8,000000FF), ref: 00AECA31
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,00A81C76,80004005,C956CA52,?,?,00B187C8,000000FF), ref: 00AECA40

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AECA3B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: cff2a38e97d87c0b4801077d9e4b6766cc1d46b298cb47b2716c08839263bb40
Instruction ID: 4c4444268461aff79ba81636ff068681cae8ae85f3928274c3ad7c4cd307036e
Opcode Fuzzy Hash: cff2a38e97d87c0b4801077d9e4b6766cc1d46b298cb47b2716c08839263bb40
Instruction Fuzzy Hash: F3E09270602750CFC370EF29D9083827AF5BF14750F40886DE496C3241DBB4E4488B93

Uniqueness

Uniqueness Score: -1.00%

Function 00B02277 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF29
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B022CB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B0231C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B023DC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 134f3e243bb17892d22711e0e541b4574df99de864e083e28b8391e4c5acc991
Instruction ID: ce839401343e33c16544aa2229e37de077a5a19e1e46313596efc05e632d3ffb
Opcode Fuzzy Hash: 134f3e243bb17892d22711e0e541b4574df99de864e083e28b8391e4c5acc991
Instruction Fuzzy Hash: E4618F7150021B9FEB289F24CD8ABBA7BE8EF04310F1040F9EA05C66C5EB799959DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AF34FF Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000004), ref: 00AF35F7
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000004), ref: 00AF3601
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000004), ref: 00AF360E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8d77b63cef6b7d2d6308c008b14645bc26d92418e61b7b84921e74c7452b5b43
Instruction ID: c012cfbe9a628111301fc58091e5310ea76699a0c71bc7f237a759eaa2a20b29
Opcode Fuzzy Hash: 8d77b63cef6b7d2d6308c008b14645bc26d92418e61b7b84921e74c7452b5b43
Instruction Fuzzy Hash: 1431C37590121CABCB21DF64DD897DDB7B8EF08310F5082EAE90CA7250EB709B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AC60 Relevance: 4.5, APIs: 3, Instructions: 43timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00A8AC84
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A8AC9D
GetLastError.KERNEL32 ref: 00A8ACA7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Time$System$ErrorFileLast
String ID:
API String ID: 2409880431-0
Opcode ID: 207ceb58357d8928b9c8c9b393ba433096f37ac202d04eb10c3e3c9cf2fecda6
Instruction ID: 18f6e16f46e75de4fbfec62aa016cefeab5e7f720031484b22074b0ff8ec008f
Opcode Fuzzy Hash: 207ceb58357d8928b9c8c9b393ba433096f37ac202d04eb10c3e3c9cf2fecda6
Instruction Fuzzy Hash: 37018471A083059F8300DF79E84559BB7E8EF8D224F50871FF889D7250EB30A5808B83

Uniqueness

Uniqueness Score: -1.00%

Function 00A81040 Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

list<T> too long, xrefs: 00A81827
$, xrefs: 00A81761
[\d.]*, xrefs: 00A81862

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: HeapProcess__onexit
String ID: $$[\d.]*$list<T> too long
API String ID: 2210869276-3562612184
Opcode ID: 4aa0d1a6011eda135a8a01aed5f125676f6a4fc416babecc85e86f199ad7471c
Instruction ID: febc992136c68a7a51bcc6dd1b88bae9905d94ae2d71556cdee1fa49deb11a16
Opcode Fuzzy Hash: 4aa0d1a6011eda135a8a01aed5f125676f6a4fc416babecc85e86f199ad7471c
Instruction Fuzzy Hash: 1A126EB1901259DFEB24DF54CD59BDEBBB4BB05304F1082D8D109AB291DBB95B88CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC982 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00AF9968,?,00000006), ref: 00AFC9D5

Strings

GetLocaleInfoEx, xrefs: 00AFC993, 00AFC99D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 4cbae5caba0145f3737a3b6d6c6e19aba636d78d50d5c5a1321672a2c4312ca2
Instruction ID: 51e3e8c064da43ceece21af9a3c4f5c0551627983223f4b0e6497adc3fa9b22a
Opcode Fuzzy Hash: 4cbae5caba0145f3737a3b6d6c6e19aba636d78d50d5c5a1321672a2c4312ca2
Instruction Fuzzy Hash: DFF0963164120CBBCB11AFA2DD06EBE7F65EF15B20F404055F905672A1CE719920D695

Uniqueness

Uniqueness Score: -1.00%

Function 00AF7640 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b30553277d8134a71840edc259169d39997ea819dc2e92d490f3162f47a5fc
Instruction ID: 63f680d766702873712becf2dff904f7e45b2ec23977f95edd1a294df92f2741
Opcode Fuzzy Hash: 22b30553277d8134a71840edc259169d39997ea819dc2e92d490f3162f47a5fc
Instruction Fuzzy Hash: 66022D71E042199BDF14DFA9C9806AEFBF1EF48314F258169E915E7344D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8CFA0 Relevance: 3.1, APIs: 2, Instructions: 111windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

FormatMessageW.KERNEL32(00001B00,00000000,?,00000400,?,00000000,00000000,C956CA52), ref: 00A8D087
GetLastError.KERNEL32(?,00000400,?,00000000,00000000,C956CA52), ref: 00A8D091

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorFormatHeapLastMessageProcess
String ID:
API String ID: 3953027386-0
Opcode ID: 8ce0f4190b632ef463c79ae67866728d5b9f8f8c5a11b08dfc2ee9c503be379b
Instruction ID: d6dfdb26dabff88c0fe5e6af5fd781410591088e24315989b8859f78b10e1f4e
Opcode Fuzzy Hash: 8ce0f4190b632ef463c79ae67866728d5b9f8f8c5a11b08dfc2ee9c503be379b
Instruction Fuzzy Hash: BA31C471A04208ABDB10EF59DD05B9FBBF8EB44B14F10412AF819E77C0DB75990487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9ACB0 Relevance: 3.1, APIs: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?,00000110,?,?), ref: 00A9AD09
SendMessageW.USER32 ref: 00A9AD71

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSendVersion
String ID:
API String ID: 1627742332-0
Opcode ID: 6dbe57214f9120a8aae949043b905bdacb63a87d517a5f4ee87f35a3312c8fad
Instruction ID: 62b0a9b03d4e71ac957af134ad57c03c2926ad1809e43253d78efa9c5ad99f4d
Opcode Fuzzy Hash: 6dbe57214f9120a8aae949043b905bdacb63a87d517a5f4ee87f35a3312c8fad
Instruction Fuzzy Hash: 5921AE716083459FD710CF24D945B9ABBE4FB99304F009A1EF98897290EBB4E684CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00A818A0 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00B46108,00000000,C956CA52,?,00B0B87F,000000FF), ref: 00A818E4
GetLastError.KERNEL32(?,00B0B87F,000000FF), ref: 00A818EE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID:
API String ID: 439134102-0
Opcode ID: 0eccf1cf33b9488377a7de30ec5f679ece2a2790e30d11f14eb8d040b44d529d
Instruction ID: a8d65ea43b43c97e9d74037ea9e7b88736aeeabc1462816fdbf5f2bcae2e2c89
Opcode Fuzzy Hash: 0eccf1cf33b9488377a7de30ec5f679ece2a2790e30d11f14eb8d040b44d529d
Instruction Fuzzy Hash: 4A0144B0A44384EBEB00CF65ED06B55BBE8F707714F008268E954E73E2DB79A2048702

Uniqueness

Uniqueness Score: -1.00%

Function 00A81940 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

file://, xrefs: 00A81A26, 00A81A36
file:///, xrefs: 00A81986, 00A81996

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Exception@8FindHeapProcessResourceThrow__onexit
String ID: file://$file:///
API String ID: 3841198793-3202756431
Opcode ID: 0cbcc78b689c94e1d10eab2d78736c859a0309ed8a479fee6fe046e94c29f487
Instruction ID: 09d90e87c64a63a7bfccbc6a3b435f41588318edb3a347d29de572d17df2ecbc
Opcode Fuzzy Hash: 0cbcc78b689c94e1d10eab2d78736c859a0309ed8a479fee6fe046e94c29f487
Instruction Fuzzy Hash: 8F315972A04604ABCB24FF68ED16B5C73E4EB01710F1002ADF93A9BBD2DF3196018752

Uniqueness

Uniqueness Score: -1.00%

Function 00ABE160 Relevance: 1.8, APIs: 1, Instructions: 334comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00B1A630,00000000,00000001,00B1A620,?), ref: 00ABE293

Part of subcall function 00A88E90: GetUserDefaultUILanguage.KERNEL32 ref: 00A88EFB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateDefaultInstanceLanguageUser
String ID:
API String ID: 1015267844-0
Opcode ID: 1fcdbdd4b049ca2ce82d6e147acb0d543dffd79d794cc6d12c7c8d7299cc39a8
Instruction ID: 8238c191e9fa60ded3010cb51ff58703029f32a11ce958a8d7654935e9b309ca
Opcode Fuzzy Hash: 1fcdbdd4b049ca2ce82d6e147acb0d543dffd79d794cc6d12c7c8d7299cc39a8
Instruction Fuzzy Hash: 78E16570601606EFDB14DF28C544BDABBE0FF05318F14869DE8589B392DB75AA18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD30D Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00AFD308,00000000,?,00000008,?,?,00B04FE8,00000000), ref: 00AFD53A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cafb72b97105f5e1fe933601ea452a356edf6f75af9978ce4726c1d733c41031
Instruction ID: 9d5581e7d8ed9938ce54d8f94d6ff2323b7efae4627dfcec24f5a7e1d7d87ac5
Opcode Fuzzy Hash: cafb72b97105f5e1fe933601ea452a356edf6f75af9978ce4726c1d733c41031
Instruction Fuzzy Hash: 61B15C31210609DFD716CF68C48AB657BE2FF45369F258658FA9ACF2A1C335E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B024C7 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF29
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B0251B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: dff4bc912cb7f62aa65f57f6388c84540d067e878205a38d47d78cfc890f15f4
Instruction ID: b1f33ec314e5443f1b9748188e3c62a1bec2d0385214466b3023b1be22a73161
Opcode Fuzzy Hash: dff4bc912cb7f62aa65f57f6388c84540d067e878205a38d47d78cfc890f15f4
Instruction Fuzzy Hash: 6C21C57261020AABDB249F64DC5ABBA7BECEF25310F1041BAFD01D7181EB759E48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B0214F Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

EnumSystemLocalesW.KERNEL32(00B02277,00000001), ref: 00B021C1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: f18334f0a4bb48c801b9bb012afe1a4be403ed6c5d981e22d26db824ea77f8eb
Instruction ID: 016fe7ee2f3cad73d24e29356d9c03c72b5b8ae1fa36e037428ba947a826d1dd
Opcode Fuzzy Hash: f18334f0a4bb48c801b9bb012afe1a4be403ed6c5d981e22d26db824ea77f8eb
Instruction Fuzzy Hash: 9111293B2003059FDB189F78C8955BABBD2FF84358B14442CEA8657A80D771B907C740

Uniqueness

Uniqueness Score: -1.00%

Function 00B026F7 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B02495,00000000,00000000,?), ref: 00B02723

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 76836452a6fec796233e1e1cca3f7961dce1ad781b036e80b33032e263ab6f2b
Instruction ID: d0becd64cbe5f5b5382a14a33ea379ccee27f3a66349d31d21ef0d13d505824d
Opcode Fuzzy Hash: 76836452a6fec796233e1e1cca3f7961dce1ad781b036e80b33032e263ab6f2b
Instruction Fuzzy Hash: B7F0F932A00116BBDB245B64C84DABA7F98EB40754F1444A9ED19A3180EA71BD16C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00B021EA Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

EnumSystemLocalesW.KERNEL32(00B024C7,00000001), ref: 00B02236

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 0a4c0ea34d0635b508bf92cf78a3562f14bebda3c95338b90d89fbe43f31db48
Instruction ID: 1f5690b4cea61a166129cf8c2ddee690806ae3077f5c9f3ebef8db1a710fbf02
Opcode Fuzzy Hash: 0a4c0ea34d0635b508bf92cf78a3562f14bebda3c95338b90d89fbe43f31db48
Instruction Fuzzy Hash: 3DF046323003045FDB146FB9DC89A7A7FD5FF81368B05846CFA058B690D6B1EC06C600

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC5DD Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00AF819A: EnterCriticalSection.KERNEL32(?,?,00AF91C8,00A83E56,00B41658,0000000C), ref: 00AF81A9

EnumSystemLocalesW.KERNEL32(Function_0007C597,00000001,00B41798,0000000C), ref: 00AFC615

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4d5ef4db584971357908cc2e11a983eacf4bc6e2a9cdfe47128ff6fbfe906087
Instruction ID: 4df443b1dc2aba46ac565c59c6ca78b03ef0f4521fbd906e7b1b8569953dfb82
Opcode Fuzzy Hash: 4d5ef4db584971357908cc2e11a983eacf4bc6e2a9cdfe47128ff6fbfe906087
Instruction Fuzzy Hash: BEF04F76A50608DFD710EFA8DA06B6D37E1FB05720F004655F610DB2A2CFB59A548B41

Uniqueness

Uniqueness Score: -1.00%

Function 00B02104 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

EnumSystemLocalesW.KERNEL32(00B0205B,00000001), ref: 00B0213B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d77a36e28c39a6dd1a5d29aa977ff36b91a47ec609870db8583ea77d577bbf66
Instruction ID: 18067d031f3e033e6911beb49a4101f4ebff02ced5414d7dcb97d77333a476e6
Opcode Fuzzy Hash: d77a36e28c39a6dd1a5d29aa977ff36b91a47ec609870db8583ea77d577bbf66
Instruction Fuzzy Hash: 57F0E53630020597CB049F75D8597BA7F94EFC2724B064098EB0A8B2A1C671A947C750

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF1CB Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006F1D7,00AEECF6), ref: 00AEF1D0

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 134c04724249b8228bfb800db12afe143085f806e47dc48bbe5b8858d362e6e4
Instruction ID: 84e690a35c8f098262a699e678170f366899f0cae91b7d20a10b000437231793
Opcode Fuzzy Hash: 134c04724249b8228bfb800db12afe143085f806e47dc48bbe5b8858d362e6e4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00AF5455 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00AF55C5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1fb028ab5fd346c2bc6cdf677255538467cb143e20742cbdf445576efcfea7db
Instruction ID: c6f2db9b25e3990e5010a3e82b393aa6b36501e63e1a5120ead4fe73aa633f8f
Opcode Fuzzy Hash: 1fb028ab5fd346c2bc6cdf677255538467cb143e20742cbdf445576efcfea7db
Instruction Fuzzy Hash: C7518971E04E4C5BDB384BF8865A7BF27EB9B42351F180509F783CB282DA15DD819362

Uniqueness

Uniqueness Score: -1.00%

Function 00B0046A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B0046A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 09dbe5d6ca487492599b965422f516c89e3cfded3307430bebec5f6edb3735a2
Instruction ID: 5e0a6be055f347f6115f0ba62fc4919545a185f26e7d2074aa19c6db3fb7d3da
Opcode Fuzzy Hash: 09dbe5d6ca487492599b965422f516c89e3cfded3307430bebec5f6edb3735a2
Instruction Fuzzy Hash: C2A02430101501CF53004F35DD0C30C35D475051C0344C05D5000C3170DF344040C703

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F220 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6631b8339a7209ee5060c91b8c7f4ba4a25e73ac8a96c57ae6f2de7b2435907
Instruction ID: b625cc4557b7355d52010637f7248a68e35f71bb7ceb96a0ddcfef2a97689668
Opcode Fuzzy Hash: f6631b8339a7209ee5060c91b8c7f4ba4a25e73ac8a96c57ae6f2de7b2435907
Instruction Fuzzy Hash: C222B4B3B547144BD70CCE1DCCA23A9B2D3ABD4218F0E853DB48AC3341EA7DE9198685

Uniqueness

Uniqueness Score: -1.00%

Function 00B07430 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47025b0183ad3c929be3687c2a8b0696bffef34a58ef484fc87662db2f01ef50
Instruction ID: 662eb3d8e7fa627b5f7dd292d128e3a64852c1b0db8980eb831e167dd29c60b7
Opcode Fuzzy Hash: 47025b0183ad3c929be3687c2a8b0696bffef34a58ef484fc87662db2f01ef50
Instruction Fuzzy Hash: CB321221D69F024DD7339634C862336A698AFB73C4F55C737F81AB6AA6EF2994C34100

Uniqueness

Uniqueness Score: -1.00%

Function 00AF18B7 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: faf4924d31f93cfec0ba2da85aabc4499fec85cc61e5c6228c2d225e05f0a625
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 089183322090A78ADB2947BA857443EFFE15A923E131A079EF5F2CB1C1FE20C564D720

Uniqueness

Uniqueness Score: -1.00%

Function 00AF1B72 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3507502d736f57ba3ea82683797833ffb63443ea432914575d09e8fc07a0e2f3
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: C49183722080E78ADB6943BA847443DFFF19A523A131A079DF5F2CB1C5FE24C965E620

Uniqueness

Uniqueness Score: -1.00%

Function 00AF15F0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 30c09947d2c00d899be020a3248ecd946896456f0ddac83e33061c2b391e7ecc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: B49182326090A78ADB6D43BA857443EFFF15A923A131E079DF5F2CA0C1EE24C554EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00AF5684 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf83f6afdb736e5238073847137506684c7d0f5e59ebf6a8676ff27b79f4e22
Instruction ID: 5bbd0857688f43f81d955bcb29c293ed2d84e6b73ab32f2c67d3c90ea8192263
Opcode Fuzzy Hash: bbf83f6afdb736e5238073847137506684c7d0f5e59ebf6a8676ff27b79f4e22
Instruction Fuzzy Hash: 27613671E00F0CA7DE38ABF88995BBE63A5DB41340F640D19FB82DB281D6119D429795

Uniqueness

Uniqueness Score: -1.00%

Function 00AF1346 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6b9ae459d1ead109547f2d37af441690f7700f0131c8eb7d0d6762a73297a8df
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1B8172722080A78ADB6D83BA853443EFFE15A923A231A079DF5F3CF1C5EE24C554D620

Uniqueness

Uniqueness Score: -1.00%

Function 00A93590 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f789597bb34ba56a9ecd3186ea3b4f5e343e2994ddfd73723ad6d0572b0ad0fa
Instruction ID: 7ec219f558a63c9f71f8e9527622627741109e4b8bd1c5cca559d21f92fcf092
Opcode Fuzzy Hash: f789597bb34ba56a9ecd3186ea3b4f5e343e2994ddfd73723ad6d0572b0ad0fa
Instruction Fuzzy Hash: BD6149B27042069FCF18CF1DC88056AB7F2ABD4350F5A8A2DE956CB754D730EA15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A825A0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc5b76180c7b0d2c58f491b57635cfc463dc480595061d74ac1efef9d3da871
Instruction ID: cc3bb35b1b08792aa4409349aeee046d84ec4b3919f9c2bc4957705710da92f3
Opcode Fuzzy Hash: 2fc5b76180c7b0d2c58f491b57635cfc463dc480595061d74ac1efef9d3da871
Instruction Fuzzy Hash: 6D219D75200A009FC325DF28D944F66B3F9FF85720B10866AE46AC7B90EB35EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AF09B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6f6201024af1e3fbb9c7bebdd4ca57f8a55a21afe1b104dd5720700ad84a9d8e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 9B117B7B24028A87E61497BDC8F4EB7E395EAC536172C4369F2428B61BD132D8409900

Uniqueness

Uniqueness Score: -1.00%

Function 00ABB550 Relevance: 51.5, APIs: 34, Instructions: 453
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,?,00000000,75C08FAC), ref: 00AC467D
Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,FFFFFFFF,00000000,?), ref: 00AC46AA

GetParent.USER32(?), ref: 00ABB5B6
GetWindowLongW.USER32(00000000,000000EC), ref: 00ABB5C1
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00ABB5DD
GetParent.USER32(?), ref: 00ABB5E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00ABB5ED
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00ABB603
GetParent.USER32(?), ref: 00ABB60E
GetParent.USER32(?), ref: 00ABB6DF
SendMessageW.USER32(?,00000478,00000000,?), ref: 00ABB703
SetWindowTextW.USER32(?,?), ref: 00ABB70E
GetParent.USER32(?), ref: 00ABB755
GetDlgItem.USER32(?,00000417), ref: 00ABB775
GetWindowLongW.USER32(00000000,000000F0), ref: 00ABB780
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ABB79B
SetWindowTextW.USER32(?,?), ref: 00ABB7C4
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ABB7D8
GetObjectW.GDI32(00000000,0000005C,?), ref: 00ABB7E8
CreateFontIndirectW.GDI32(?), ref: 00ABB80B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00ABB822
GetDlgItem.USER32(?,0000041C), ref: 00ABB87F
GetWindowLongW.USER32(00000000,000000F0), ref: 00ABB886
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00ABB89C
SetWindowTextW.USER32(00000000,?), ref: 00ABB8AD
GetDlgItem.USER32(?,000003F6), ref: 00ABB8B7
SetWindowTextW.USER32(?,?), ref: 00ABB8E3
GetDlgItem.USER32(?,000003F7), ref: 00ABB8ED
SetWindowTextW.USER32(?,?), ref: 00ABB913
EnableWindow.USER32(?,00000000), ref: 00ABB929
GetDlgItem.USER32(?,000003F5), ref: 00ABB937
SetWindowTextW.USER32(?,?), ref: 00ABB95D
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00ABB96E
GetDlgItem.USER32(?,00000412), ref: 00ABB97C
SetWindowTextW.USER32(00000000,?), ref: 00ABB999
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?), ref: 00ABB9B2

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$Text$Item$Parent$MessageSend$Create$Thread$EnableException@8FontIndirectObjectShowThrow
String ID:
API String ID: 2128065999-0
Opcode ID: 855f70c005d7ab536641a1127b8ef03c173abc6a6179bacd6195afe2cef9febf
Instruction ID: d75c149268c878bb0296ac038a6b73525680b4bc8ae045673ce5cb6c147d0e2e
Opcode Fuzzy Hash: 855f70c005d7ab536641a1127b8ef03c173abc6a6179bacd6195afe2cef9febf
Instruction Fuzzy Hash: CE028D30A01205DFDB11DF68CD88B99BBB5FF45310F1882A8E9199B2A6DF74AD44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB50F0 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 446
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,?,00000000,75C08FAC), ref: 00AC467D
Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,FFFFFFFF,00000000,?), ref: 00AC46AA

GetParent.USER32(?), ref: 00AB5148

Part of subcall function 00AA94E0: GetWindowLongW.USER32(8B0C428D,000000F0), ref: 00AA9527
Part of subcall function 00AA94E0: GetParent.USER32(8B0C428D), ref: 00AA9539
Part of subcall function 00AA94E0: GetWindowRect.USER32(8B0C428D,?), ref: 00AA955B
Part of subcall function 00AA94E0: GetWindowLongW.USER32(00000000,000000F0), ref: 00AA956E
Part of subcall function 00AA94E0: MonitorFromWindow.USER32(8B0C428D,00000002), ref: 00AA9586

Part of subcall function 00AB5DA0: GetParent.USER32(?), ref: 00AB5DF9
Part of subcall function 00AB5DA0: SendMessageW.USER32(00000000,00000478,00000000,?), ref: 00AB5E14

GetSystemMetrics.USER32(00000000), ref: 00AB51D1
GetSystemMetrics.USER32(00000001), ref: 00AB51DC
SetLastError.KERNEL32(0000000E), ref: 00AB525C
SendMessageW.USER32(?,00001036,00000000,00000024), ref: 00AB5271
GetSystemMetrics.USER32(00000000), ref: 00AB5372
GetSystemMetrics.USER32(00000001), ref: 00AB537D
GetCurrentThreadId.KERNEL32 ref: 00AB53DF
EnterCriticalSection.KERNEL32(00B46108), ref: 00AB53FF
LeaveCriticalSection.KERNEL32(00B46108), ref: 00AB5423
CreateWindowExW.USER32(?,?,00000000,5600880D,80000000,80000000,00000000,00000000,?,?,00000000), ref: 00AB5469
SetLastError.KERNEL32(0000000E,?,?,00000050,?,?,00000050,?,?,00000118), ref: 00AB54C1
GetCurrentThreadId.KERNEL32 ref: 00AB54F4
EnterCriticalSection.KERNEL32(00B46108,?,?,00000050,?,?,00000050,?,?,00000118), ref: 00AB5514
LeaveCriticalSection.KERNEL32(00B46108,?,?,00000050,?,?,00000050,?,?,00000118), ref: 00AB5538
CreateWindowExW.USER32(?,?,00000000,56200804,80000000,80000000,00000000,00000000,?,?,00000000), ref: 00AB557D
SendMessageW.USER32(?,000000CB,00000003,00000000), ref: 00AB5598
SendMessageW.USER32(?,0000043B,00000000,00000000), ref: 00AB55A9
SendMessageW.USER32(?,00000445,00000000,00000000), ref: 00AB55BE
SendMessageW.USER32(?,0000045B,00000000,00000000), ref: 00AB55CF
GetSystemMetrics.USER32(00000000), ref: 00AB55F1
GetSystemMetrics.USER32(00000001), ref: 00AB55F8
GetSystemMetrics.USER32(00000000), ref: 00AB5669
GetSystemMetrics.USER32(00000001), ref: 00AB5670
IsWindowVisible.USER32(?), ref: 00AB5698
ShowWindow.USER32(?,00000005), ref: 00AB56AD
ShowWindow.USER32(?,00000000), ref: 00AB56B4

Part of subcall function 00AB7ED0: InvalidateRect.USER32(?,?,00000001,?,75C04920,?,?,?,?,?,?,?,?,?,?,00AB564E), ref: 00AB7F2C
Part of subcall function 00AB7ED0: SetWindowPos.USER32(00000000,00000000,?,00000000,?,?,00000004,00000000,?,?,75C04920,?), ref: 00AB7F7F

Strings

SysListView32, xrefs: 00AB5215
RichEdit20W, xrefs: 00AB5482

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$MetricsSystem$MessageSend$CreateCriticalSectionThread$Parent$CurrentEnterErrorLastLeaveLongRectShow$FromInvalidateMonitorVisible
String ID: RichEdit20W$SysListView32
API String ID: 599618206-580473029
Opcode ID: 826f5e816f75380dd48fe78a81647cc29de3e536da1181706816a5531ea45250
Instruction ID: 006c55248795876acbbdc2bfaad6fb0857fbeb53fbeb883ffb3b9d29ad2534bf
Opcode Fuzzy Hash: 826f5e816f75380dd48fe78a81647cc29de3e536da1181706816a5531ea45250
Instruction Fuzzy Hash: A302B070A006059FDB10DF68CD8ABEEBBF5FF45700F148169E905AB292DBB4A940CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABED40 Relevance: 42.2, APIs: 28, Instructions: 200COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ABED77
GetParent.USER32(00000000), ref: 00ABED7A
GetParent.USER32(00000000), ref: 00ABED7D
GetParent.USER32(?), ref: 00ABED81
GetParent.USER32(?), ref: 00ABED95
ShowWindow.USER32(?,00000000,?,00000000,?), ref: 00ABEDCD
GetDlgItem.USER32(?,0000040E), ref: 00ABEDE0
GetDlgItem.USER32(?,000003F0), ref: 00ABEDEF
GetDlgItem.USER32(?,000003F0), ref: 00ABEDFE
GetDlgItem.USER32(?,0000040E), ref: 00ABEE09
GetWindowLongW.USER32(00000000,000000F0), ref: 00ABEE1E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ABEE3C
GetDlgItem.USER32(?,000003EC), ref: 00ABEE6C
ShowWindow.USER32(00000000,00000000,?,?,00000000,?), ref: 00ABEE71
GetDlgItem.USER32(?,0000041A), ref: 00ABEE7E
ShowWindow.USER32(00000000,00000000,?,?,00000000,?), ref: 00ABEE83
GetDlgItem.USER32(?,0000040F), ref: 00ABEE90
GetWindowRect.USER32(00000000,?), ref: 00ABEEA8
GetWindowRect.USER32(?,?), ref: 00ABEEBD
ShowWindow.USER32(00000000,00000000,?,?,00000000,?), ref: 00ABEECA
GetClientRect.USER32(?,?), ref: 00ABEEE3
MapWindowPoints.USER32(?,?,?,00000002), ref: 00ABEEFF
OffsetRect.USER32(?,00000000,?), ref: 00ABEF15
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 00ABEF41
GetClientRect.USER32(?,?), ref: 00ABEF52
MapWindowPoints.USER32(?,?,?,00000002), ref: 00ABEF6F
OffsetRect.USER32(?,00000000,?), ref: 00ABEF7C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 00ABEFA2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Item$Rect$Parent$Show$ClientLongMoveOffsetPoints
String ID:
API String ID: 1575171589-0
Opcode ID: c72b514ff51a3611ebbdcebc6ce1b0b51f63e8fc77158439c4904a3172aaf2b1
Instruction ID: 583ce22d266b4b4c7077eb64ea201e3eded64ebb6301825f7aafccfa4cd9140b
Opcode Fuzzy Hash: c72b514ff51a3611ebbdcebc6ce1b0b51f63e8fc77158439c4904a3172aaf2b1
Instruction Fuzzy Hash: 74718071504205AFEB01DF64CC45FEABBE9FF88310F048629F9449B265DB70A951CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A81DC0 Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 415filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,C956CA52), ref: 00A81E20
GetLastError.KERNEL32 ref: 00A81E3E
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 00A81E6B
GetLastError.KERNEL32 ref: 00A81E75
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A81F03
GetLastError.KERNEL32 ref: 00A81F0D
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A81F4E
SystemTimeToFileTime.KERNEL32(00000000,00B285D0), ref: 00A81F6F
CompareFileTime.KERNEL32(00B285D0,?), ref: 00A81F81
PathFileExistsW.SHLWAPI(?,00000005), ref: 00A8205D
CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000002,00000080,00000000,S-1-5-18,10000000,?,S-1-1-0,10000000), ref: 00A820F1
GetLastError.KERNEL32(?,S-1-1-0,10000000), ref: 00A82101
CloseHandle.KERNEL32(00000000,?,S-1-1-0,10000000), ref: 00A8210D
CopyFileExW.KERNEL32(?,?,Function_00001CE0,?,00000000,00000000,00000005), ref: 00A82150
GetLastError.KERNEL32(?,00000000,00000000,00000005), ref: 00A8215A
DeleteFileW.KERNEL32(?,?,00000000,00000000,00000005), ref: 00A821CF
MoveFileW.KERNEL32(?,?), ref: 00A821D7
CopyFileW.KERNEL32(?,?,00000000,?,00000000,00000000,00000005), ref: 00A821E8
GetLastError.KERNEL32(?,00000000,00000000,00000005), ref: 00A821F2

Part of subcall function 00A888E0: LoadLibraryW.KERNEL32(Advapi32.dll,C956CA52), ref: 00A88966
Part of subcall function 00A888E0: GetLastError.KERNEL32 ref: 00A88994

Part of subcall function 00A888E0: GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00A889AA
Part of subcall function 00A888E0: FreeLibrary.KERNEL32(00000000), ref: 00A889C3
Part of subcall function 00A888E0: GetLastError.KERNEL32 ref: 00A889D0

Part of subcall function 00A88D20: LocalFree.KERNEL32(?,?,?), ref: 00A88D39
Part of subcall function 00A88D20: LocalFree.KERNEL32(?,?,?), ref: 00A88D49
Part of subcall function 00A88D20: GetLastError.KERNEL32 ref: 00A88D87

DeleteFileW.KERNEL32(?,?,00000000,00000000,00000005), ref: 00A82209

Strings

S-1-5-18, xrefs: 00A820BE
S-1-1-0, xrefs: 00A820AB
.part, xrefs: 00A82009

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$ErrorLast$Time$FreeSystem$CopyCreateDeleteLibraryLocal$AddressCloseCompareExistsHandleLoadMovePathProc
String ID: .part$S-1-1-0$S-1-5-18
API String ID: 1651364885-2727065896
Opcode ID: 4017efb3c624253bbd575838027722d3fd8ed7a1556e3f8d27c3cbabb681967b
Instruction ID: 5fecb43c81e048d64bd1098ee765dc2d601eca77b0c5485fa51792ec04b64f80
Opcode Fuzzy Hash: 4017efb3c624253bbd575838027722d3fd8ed7a1556e3f8d27c3cbabb681967b
Instruction Fuzzy Hash: 80F19E71A01605AFDB21EFA4CD88BEABBF4FF08310F104259E519A76D0DB74AD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD570 Relevance: 37.8, APIs: 25, Instructions: 326windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,?,00000000,75C08FAC), ref: 00AC467D
Part of subcall function 00AC4660: CreateThread.KERNEL32(00000000,00000000,00AC4D00,FFFFFFFF,00000000,?), ref: 00AC46AA

GetParent.USER32(?), ref: 00ABD5C8
GetWindowLongW.USER32(00000000,000000EC), ref: 00ABD5D3
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00ABD5EF
GetParent.USER32(?), ref: 00ABD5F4
GetWindowLongW.USER32(00000000,000000F0), ref: 00ABD5FF
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00ABD615
GetDlgItem.USER32(?,000003F5), ref: 00ABD61F
SetWindowTextW.USER32(00000000,?), ref: 00ABD63F
GetDlgItem.USER32(?,000003F6), ref: 00ABD671
SetWindowTextW.USER32(00000000,?), ref: 00ABD691
GetDlgItem.USER32(?,000003F7), ref: 00ABD6C0
SetWindowTextW.USER32(00000000,?), ref: 00ABD6E0
GetDlgItem.USER32(?,000003F7), ref: 00ABD71B
ShowWindow.USER32(00000000,00000000,?,?,?), ref: 00ABD724
GetParent.USER32(?), ref: 00ABD733
GetParent.USER32(?), ref: 00ABD7FC
SendMessageW.USER32(00000000,00000478,00000000,?), ref: 00ABD817
SetWindowTextW.USER32(00000000,?), ref: 00ABD820
GetParent.USER32(?), ref: 00ABD877
GetDlgItem.USER32(?), ref: 00ABD8A1
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00ABD8B6
SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 00ABD8F2
GetWindowLongW.USER32(?,000000F0), ref: 00ABD90E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ABD926
ShowWindow.USER32(?,00000000), ref: 00ABD958

Part of subcall function 00AECD7E: GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
Part of subcall function 00AECD7E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ItemParent$Text$CreateHeapMessageSendShowThread$AllocProcess
String ID:
API String ID: 2780611897-0
Opcode ID: 9f38bb5198957cd810c9488ff948ceaf9760cbe7c20cbcfe281b520229d0ec21
Instruction ID: 8327adeed380d29790e855ea496185bb0eddd2ad21252d54b0f3692031586a5c
Opcode Fuzzy Hash: 9f38bb5198957cd810c9488ff948ceaf9760cbe7c20cbcfe281b520229d0ec21
Instruction Fuzzy Hash: B2D19F74601602AFDB15DF74CD49B9AFBB9FF05320F108228F529977A2DB74A850CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A991D0 Relevance: 37.7, APIs: 25, Instructions: 240windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 00A9927A
SetBkMode.GDI32(?,00000001), ref: 00A99285
SelectObject.GDI32(?,?), ref: 00A99297
DrawTextW.USER32(?,00000000,00000000,?,00000001), ref: 00A992BF
IsWindowEnabled.USER32(00000000), ref: 00A992C8
SetTextColor.GDI32(?,00000000), ref: 00A992EE
SelectObject.GDI32(?,?), ref: 00A99317
DrawTextW.USER32(?,00000000,00000000,?,?), ref: 00A99329
SetTextColor.GDI32(?,00000000), ref: 00A99335
SelectObject.GDI32(?,?), ref: 00A99341
DrawTextW.USER32(?,00000000,00000000,?,?), ref: 00A99370
GetFocus.USER32 ref: 00A99376
DrawFocusRect.USER32(?,?), ref: 00A99388
SetBkMode.GDI32(?,00000001), ref: 00A9939B
IsWindowEnabled.USER32(00000000), ref: 00A993A4
SetTextColor.GDI32(?,00000000), ref: 00A993CA
SelectObject.GDI32(?,?), ref: 00A993F9
GetWindowLongW.USER32(00000000,000000F0), ref: 00A99413
DrawTextW.USER32(?,?,000000FF,?,00000000), ref: 00A9944E
GetFocus.USER32 ref: 00A99454
DrawFocusRect.USER32(?,?), ref: 00A99466
SetTextColor.GDI32(?,?), ref: 00A99472
SelectObject.GDI32(?,?), ref: 00A9947E

Part of subcall function 00A99E90: lstrlenW.KERNEL32(?,?,?,?,?,00A9926C,00000000,00000000,00000000,?,C956CA52,?), ref: 00A99EDB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Text$Draw$ObjectSelect$ColorFocus$RectWindow$EnabledMode$ClientLonglstrlen
String ID:
API String ID: 3266203255-0
Opcode ID: 2c06333bd71308139f19374c9dfbc429b338d0a0a3c836d54756c1a3877c3c90
Instruction ID: 73272e1acd73dbb6c84617d1bdc075e1719420fa44cd7e4865715b06bd7db661
Opcode Fuzzy Hash: 2c06333bd71308139f19374c9dfbc429b338d0a0a3c836d54756c1a3877c3c90
Instruction Fuzzy Hash: 55A13C71900608EFDF21DF98CD88AAEBBF5FF08310F54812DE946A6660DB71A845DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F360 Relevance: 35.2, APIs: 1, Strings: 19, Instructions: 220registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00A9F3D0

Strings

BackOffice, xrefs: 00A9F4F2
EmbeddedNT, xrefs: 00A9F556
ProductSuite, xrefs: 00A9F47B
WinNT, xrefs: 00A9F411
Small Business(Restricted), xrefs: 00A9F53D
ProductType, xrefs: 00A9F400
Security Appliance, xrefs: 00A9F5CE
Enterprise, xrefs: 00A9F4D9
Blade, xrefs: 00A9F5A0
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00A9F3C6
Personal, xrefs: 00A9F589
ServerNT, xrefs: 00A9F434
Small Business, xrefs: 00A9F4C0
Compute Server, xrefs: 00A9F5FC
DataCenter, xrefs: 00A9F56F
Terminal Server, xrefs: 00A9F524
Storage Server, xrefs: 00A9F5E5
CommunicationServer, xrefs: 00A9F50B
Embedded(Restricted), xrefs: 00A9F5B7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Open
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 71445658-3149529848
Opcode ID: 2819504e34dafb68ed48b51ad1c581453396011a10e2195212088836b075e799
Instruction ID: 008fb559766cbcb963bf05e451928db4f12256495783c3c59ab291da50d5ed37
Opcode Fuzzy Hash: 2819504e34dafb68ed48b51ad1c581453396011a10e2195212088836b075e799
Instruction Fuzzy Hash: 5471B3357003988FDF20DB34EE90BAA72F5AB56344F1140B9AA0EEB6D1EB34DD458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00ADF190 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 326memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(?,C956CA52,00000000,00000000), ref: 00ADF21B
_wcsstr.LIBVCRUNTIME ref: 00ADF286
CharNextW.USER32(?,00000000), ref: 00ADF299
CharNextW.USER32(00000000,?,00000000), ref: 00ADF29E
CharNextW.USER32(00000000,?,00000000), ref: 00ADF2A3
CharNextW.USER32(00000000,?,00000000), ref: 00ADF2A8
CharNextW.USER32(?,?,00000000,00000001,C956CA52,00000000,00000000), ref: 00ADF2F3
CharNextW.USER32(?,?,00000000,00000001,C956CA52,00000000,00000000), ref: 00ADF303
CharNextW.USER32(00000000,}},00000009,?,00000000,00000001,C956CA52,00000000), ref: 00ADF37F
CharNextW.USER32(?,00000000,00000001,C956CA52,00000000,00000000), ref: 00ADF3A8
CharNextW.USER32(00000000,?,00000000,00000001,C956CA52,00000000), ref: 00ADF3DC
EnterCriticalSection.KERNEL32(-00000005,00000001,C956CA52,00000000), ref: 00ADF42C
lstrcmpiW.KERNEL32(0000000B,?), ref: 00ADF44A
LeaveCriticalSection.KERNEL32(?), ref: 00ADF462
CharNextW.USER32(?,00000000,-00000002), ref: 00ADF4B2
CoTaskMemFree.OLE32(?,C956CA52,00000000,00000000), ref: 00ADF509

Strings

HKCR, xrefs: 00ADF280
HKCU{Software{Classes, xrefs: 00ADF2BC
}}, xrefs: 00ADF358

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CharNext$CriticalSectionTask$AllocEnterFreeLeave_wcsstrlstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3513475275-1142484189
Opcode ID: cf7c8cddc47d9d311cb4b17949979cf569890a719b4b17887b674fbb9514c4cd
Instruction ID: 7a1030487dccdb33572a93b879f041d937b3191213e2a21c2aca61876ca45c7c
Opcode Fuzzy Hash: cf7c8cddc47d9d311cb4b17949979cf569890a719b4b17887b674fbb9514c4cd
Instruction Fuzzy Hash: 03C1DC749003949FDF209FA8C894BAFBBF4AF05310F25816AE817AF395EB709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AA11E0 Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 245fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,C956CA52,00000000), ref: 00AA123F
_wcsrchr.LIBVCRUNTIME ref: 00AA129D
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,C956CA52,00000000), ref: 00AA12EA
GetLastError.KERNEL32 ref: 00AA1314
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 00AA1335
WriteFile.KERNEL32(00000000,?,00000000,0000FEFF,00000000), ref: 00AA1362
FlushFileBuffers.KERNEL32(00000000), ref: 00AA1367
WriteFile.KERNEL32(000000FF,0000FEFF,00000002,?,00000000), ref: 00AA13CF
FlushFileBuffers.KERNEL32(000000FF), ref: 00AA13DA
WriteFile.KERNEL32(00000000,00000002,?,0000FEFF,00000000,,00000004), ref: 00AA147E
FlushFileBuffers.KERNEL32(00000000), ref: 00AA1487

Strings

Logger, xrefs: 00AA128B
workstation, xrefs: 00AA1419
server, xrefs: 00AA141E, 00AA1426
x86, xrefs: 00AA13F3
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00AA1445
.log, xrefs: 00AA12C7
, xrefs: 00AA145B
x64, xrefs: 00AA13FF, 00AA1418

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$BuffersFlushWrite$CreateErrorLastModuleNamePointer_wcsrchr
String ID: $.log$Logger$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 109117540-1263981905
Opcode ID: 4960f987f660e7ef635956e5f7dee11a02c2eed13a54f434b05348e7bb9e4618
Instruction ID: 586468b6238505c64e404230e814ce540abdd68535ed51721db92f21a952098d
Opcode Fuzzy Hash: 4960f987f660e7ef635956e5f7dee11a02c2eed13a54f434b05348e7bb9e4618
Instruction Fuzzy Hash: 7691AD71640219AFDF24DF68CC89BA977B8FF09714F5042A8E909AB2D1DB74AD44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00AE9690 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 349windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00AE96BD
GetWindowLongW.USER32(00000000,000000F0), ref: 00AE96D2
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AE96E9

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

GetWindowLongW.USER32(00000000,000000EC), ref: 00AE9702
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00AE9716
SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 00AE9724
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AE9737
IsWindow.USER32(00000000), ref: 00AE9752
DestroyWindow.USER32(00000000), ref: 00AE976E
GetClientRect.USER32(?,?), ref: 00AE97C6
IsWindow.USER32(00000000), ref: 00AE9807
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5400001C,?,?,?,?,?,0000E801,00000000), ref: 00AE984C
IsWindow.USER32(00000000), ref: 00AE9855
GetClientRect.USER32(?,?), ref: 00AE98E3
SendMessageW.USER32(?,00000467,00000001,?), ref: 00AE9A8B
SendMessageW.USER32(?,0000046A,00000000,?), ref: 00AE9AAE
SendMessageW.USER32(?,0000046A,00000001,?), ref: 00AE9AC7

Strings

SCROLLBAR, xrefs: 00AE9845

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongMessageSend$ClientRect$CreateDestroyExceptionRaise
String ID: SCROLLBAR
API String ID: 1610637866-324577739
Opcode ID: 6c88f3559a0a666c28aacaba98d01dd13e7d446b4c3721003924f3dfb6052abd
Instruction ID: 1e18470edeb01704048937a601887c2e13585efb7e04a25bb6b34e511114d856
Opcode Fuzzy Hash: 6c88f3559a0a666c28aacaba98d01dd13e7d446b4c3721003924f3dfb6052abd
Instruction Fuzzy Hash: 5ED13A70609341AFE710CF29C888B6BBBE5FF85754F104A2DF595972A0DB71E844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FBE0 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 335COMMON

Download Yara Rule

Strings

D, xrefs: 00A9FD80
txt, xrefs: 00A9FCB3
Unable to retrieve exit code from process., xrefs: 00A9FF79
Unable to get a temp file for script output, temp path: , xrefs: 00A9FCEF
ps1, xrefs: 00A9FC8F, 00A9FC9F
Unable to retrieve PowerShell output from file: , xrefs: 00A9FF5C
Unable to create process: , xrefs: 00A9FDF2
Unable to find file , xrefs: 00A9FC19
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00A9FD40

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID: D$Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-2137955053
Opcode ID: 35470e728f5ad849eddf7227d62ed0f2532c4b205f6ae863e459173a4b177713
Instruction ID: 27d5d32b88b78a2fb78c327a771e86ef1329932f8eac81c20e5d737883ad773f
Opcode Fuzzy Hash: 35470e728f5ad849eddf7227d62ed0f2532c4b205f6ae863e459173a4b177713
Instruction Fuzzy Hash: 4BD1BD31A01209EFDF00DFA8C945BAEBBF4FF09324F248259E515EB291DB74AA04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AE7BB0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000001,?), ref: 00AE7BD8
GetDlgItem.USER32(00000001,00003027), ref: 00AE7BFA
GetWindowRect.USER32(00000000,?), ref: 00AE7C08
GetDlgItem.USER32(00000001,00003026), ref: 00AE7C12
GetWindowRect.USER32(00000000,?), ref: 00AE7C1A
ScreenToClient.USER32(00000001,?), ref: 00AE7C2A
ScreenToClient.USER32(00000001,?), ref: 00AE7C38
ScreenToClient.USER32(00000001,?), ref: 00AE7C42
ScreenToClient.USER32(00000001,?), ref: 00AE7C50
GetPropW.USER32(?,IsExterior), ref: 00AE7C58
SendMessageW.USER32(00000001,00000474,00000000,00000000), ref: 00AE7CAF
SendMessageW.USER32(00000001,00000481,?,00000000), ref: 00AE7CBE
SendMessageW.USER32(00000000,0000130A,00000000,?), ref: 00AE7CCC
GetWindowRect.USER32(00000000,?), ref: 00AE7CD4
ScreenToClient.USER32(00000001,?), ref: 00AE7CE8
ScreenToClient.USER32(00000001,?), ref: 00AE7CF6
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,?), ref: 00AE7D27

Strings

IsExterior, xrefs: 00AE7C52

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Client$Screen$RectWindow$MessageSend$Item$Prop
String ID: IsExterior
API String ID: 2803908811-3989742051
Opcode ID: 84e09fd543b4ce8b60f59ed5df2284b155bca0af123e61a4f6d7e28556545751
Instruction ID: e02bb38f30799acbd16ab56dadf835362e44c38280a43738414427498ca0f0a0
Opcode Fuzzy Hash: 84e09fd543b4ce8b60f59ed5df2284b155bca0af123e61a4f6d7e28556545751
Instruction Fuzzy Hash: B441BB71604205AFEB00DF64DD85E6BBBECEF88710F048529F945AB195CB60EC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A994B0 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 263stringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000008), ref: 00A99513
lstrcmpiW.KERNEL32(?,static), ref: 00A99526
GetWindowLongW.USER32(?,000000F0), ref: 00A9953B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A9954F
GetWindowLongW.USER32(?,000000F0), ref: 00A9955A
LoadCursorW.USER32(00000000,00007F89), ref: 00A9959C
SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 00A995D1
CreateFontIndirectW.GDI32(?), ref: 00A995DE
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,80000000,80000000,00000000,00000000,?,00000000,00000000), ref: 00A9962F
GetWindowTextLengthW.USER32(?), ref: 00A9964D
GetWindowTextW.USER32(?,?,00000001), ref: 00A996CC

Strings

static, xrefs: 00A9951D
Anchor Color Visited, xrefs: 00A997DD
Anchor Color, xrefs: 00A997A4
Software\Microsoft\Internet Explorer\Settings, xrefs: 00A9976A
tooltips_class32, xrefs: 00A99628

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$CreateText$ClassCursorFontIndirectInfoLengthLoadNameParametersSystemlstrcmpi
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static$tooltips_class32
API String ID: 1715782676-2451883503
Opcode ID: c702bd0593c5a99e837ba14aca6269e4e33a63fb13287cf5920270b0fa3cbd91
Instruction ID: 941b6cf8fbcfea0e1079cd88ca13c4d3d4103168dd8746663baa93c8230b2549
Opcode Fuzzy Hash: c702bd0593c5a99e837ba14aca6269e4e33a63fb13287cf5920270b0fa3cbd91
Instruction Fuzzy Hash: 39A191B0A01215BFEF21CF68DD45BAAB7E4FB09310F104259E519E72D0DB70AD94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9DA0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 241sleepwindowmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AD9E17
QueryPerformanceFrequency.KERNEL32(00B46740), ref: 00AD9E5F
QueryPerformanceCounter.KERNEL32(00B46748), ref: 00AD9E6A

Part of subcall function 00AEE57C: EnterCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE586
Part of subcall function 00AEE57C: LeaveCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE5B9

CLSIDFromString.OLE32(00000000,00000000), ref: 00AD9ED6
SysFreeString.OLEAUT32(00000000), ref: 00ADA0D4

Part of subcall function 00AEE5C6: EnterCriticalSection.KERNEL32(00B45378,?,?,?,00A83DF6,00B45F78,C956CA52,?,?,00B081E8,000000FF,?,00A81067,C956CA52,?,00B09CCA), ref: 00AEE5D1
Part of subcall function 00AEE5C6: LeaveCriticalSection.KERNEL32(00B45378,?,?,?,00A83DF6,00B45F78,C956CA52,?,?,00B081E8,000000FF,?,00A81067,C956CA52,?,00B09CCA), ref: 00AEE60E

SysAllocString.OLEAUT32(?), ref: 00AD9EEB
GetModuleFileNameW.KERNEL32(?,00000104), ref: 00AD9F33
LoadTypeLib.OLEAUT32(?,?), ref: 00AD9F4C
CoRegisterClassObject.OLE32(?,00B46728,00000004,00000004,?), ref: 00AD9F83
CoResumeClassObjects.OLE32(?), ref: 00AD9FEE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ADA02C
DispatchMessageW.USER32(?), ref: 00ADA040
Sleep.KERNEL32(00000064), ref: 00ADA048
QueryPerformanceCounter.KERNEL32(?), ref: 00ADA059
Sleep.KERNEL32(00000064), ref: 00ADA0A3

Strings

Updater-comproxystub.dll, xrefs: 00AD9FA8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$PerformanceQueryString$ClassCounterEnterLeaveMessageSleep$AllocCurrentDispatchFileFreeFrequencyFromLoadModuleNameObjectObjectsPeekRegisterResumeThreadType
String ID: Updater-comproxystub.dll
API String ID: 236963334-3887513332
Opcode ID: d2e72278cb5581a2e769d3fe43b7e13a12e4284157997910a14a2c69db49282f
Instruction ID: be1cb1e8935b17c3b26f8487a7b7fcf01c567be7b5eb0904dfde0a249b5624a5
Opcode Fuzzy Hash: d2e72278cb5581a2e769d3fe43b7e13a12e4284157997910a14a2c69db49282f
Instruction Fuzzy Hash: 62A1CF75900708DFDB10DFA4DC48BDEBBB4FB1A314F10821AE906A73A0DB74AA44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF410 Relevance: 27.1, APIs: 18, Instructions: 106windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ABF452
GetParent.USER32(00000000), ref: 00ABF455
GetParent.USER32(?), ref: 00ABF458
GetSystemMenu.USER32(00000000,00000001,?,?,00000000), ref: 00ABF45D
GetParent.USER32(?), ref: 00ABF46F
GetParent.USER32(00000000), ref: 00ABF472
GetParent.USER32(?), ref: 00ABF475
DrawMenuBar.USER32(00000000), ref: 00ABF478
GetParent.USER32(?), ref: 00ABF48A
GetParent.USER32(00000000), ref: 00ABF48D
GetParent.USER32(?), ref: 00ABF490
GetSystemMenu.USER32(00000000,00000000,?,?,00000000), ref: 00ABF495
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 00ABF4B3
GetParent.USER32(?), ref: 00ABF4C5
GetParent.USER32(00000000), ref: 00ABF4C8
GetParent.USER32(?), ref: 00ABF4CB
DrawMenuBar.USER32(00000000), ref: 00ABF4CE
DestroyMenu.USER32(00000000,?,?,00000000), ref: 00ABF4E0

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Parent$Menu$DrawSystem$DestroyModify
String ID:
API String ID: 3172740558-0
Opcode ID: 976ce1d2268b549c0ea29cca443d8c97cc24f5bb004c8bddbcfffcfb2d9f67f3
Instruction ID: ff64187242d30f37239e65cd8eeb9f12198c469c5856daf0931c4f052e6a252d
Opcode Fuzzy Hash: 976ce1d2268b549c0ea29cca443d8c97cc24f5bb004c8bddbcfffcfb2d9f67f3
Instruction Fuzzy Hash: CA31AF70A01314BFDB20AFB4DC49F9ABFACEF04754F144655F814A7291CB74E900CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1750 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 332windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AC1773
IsWindowVisible.USER32(?), ref: 00AC17BF
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00AC17D6
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00AC19A9
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00AC19BB
SetPropW.USER32(?,IsExterior,00000001), ref: 00AC1A36
GetWindowLongW.USER32(?,000000EC), ref: 00AC1A47
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AC1A58

Strings

IsExterior, xrefs: 00AC1A2E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$MessageSend$PropRedrawVisible
String ID: IsExterior
API String ID: 3598606994-3989742051
Opcode ID: 497e026d1b4e5bad77958c3fb67ac523658c7e3b3a6b05ac502cc7c2499bd3a5
Instruction ID: e27f73d030e370bdbeb6c5c5f9e19ae7962d452ab9fde1c93ff7cf519f5f5f7c
Opcode Fuzzy Hash: 497e026d1b4e5bad77958c3fb67ac523658c7e3b3a6b05ac502cc7c2499bd3a5
Instruction Fuzzy Hash: 91C179306083009FD710CF28C984B5ABBE5FF8A714F514A1DF585972A2DBB0E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AE7820 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 286windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00AE784C
GetWindowLongW.USER32(00000000,000000F0), ref: 00AE785D
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AE7871

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

GetWindowLongW.USER32(00000000,000000EC), ref: 00AE7884
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00AE7895
SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 00AE78AA
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AE78BA
IsWindow.USER32(00000000), ref: 00AE78D2
DestroyWindow.USER32(00000000,?,?,?), ref: 00AE78EE
GetClientRect.USER32(00000000,?), ref: 00AE7949
IsWindow.USER32(00000000), ref: 00AE7988
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5400001C,?,?,?,?,00000000,0000E801,00000000), ref: 00AE79CC
IsWindow.USER32(00000000), ref: 00AE79D5
GetClientRect.USER32(75C04810,?), ref: 00AE7A60

Strings

SCROLLBAR, xrefs: 00AE79C5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ClientMessageRectSend$CreateDestroyExceptionRaise
String ID: SCROLLBAR
API String ID: 3726670472-324577739
Opcode ID: 7056befe557bdab1adbc2eaf69b4885b2038e070e16e9d785f3a1b863a49a584
Instruction ID: bda5ad6532b16230ee426110a0e81a62509c14414ee9b8be30fa05dc4074fb1b
Opcode Fuzzy Hash: 7056befe557bdab1adbc2eaf69b4885b2038e070e16e9d785f3a1b863a49a584
Instruction Fuzzy Hash: 7FB14A71509345AFDB10CF29CC88B6EBBE5FF89310F508A29F95997290DB70E950CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AA88C0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 276windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AA88ED
GetWindowLongW.USER32(?,000000F0), ref: 00AA8902
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AA8919

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

GetWindowLongW.USER32(?,000000EC), ref: 00AA8932
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AA8946
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00AA8954
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AA8967
IsWindow.USER32(00000000), ref: 00AA8982
DestroyWindow.USER32(00000000), ref: 00AA899E
GetClientRect.USER32(?,?), ref: 00AA89F6
IsWindow.USER32(00000000), ref: 00AA8A1A
CreateWindowExW.USER32(00000000,SCROLLBAR,00000000,5400001C,?,?,?,?,?,0000E801,00000000), ref: 00AA8A72
IsWindow.USER32(00000000), ref: 00AA8A7B
GetClientRect.USER32(?,?), ref: 00AA8B09

Strings

SCROLLBAR, xrefs: 00AA8A6B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ClientMessageRectSend$CreateDestroyExceptionRaise
String ID: SCROLLBAR
API String ID: 3726670472-324577739
Opcode ID: 5347dbd49415127e872c0dcc43b0d4b87faa780604ad912632a5e18b220ec7fd
Instruction ID: 300119f5272ad35ae6df326bd2fc09dd8a73c159d523b257eadf474793c46be0
Opcode Fuzzy Hash: 5347dbd49415127e872c0dcc43b0d4b87faa780604ad912632a5e18b220ec7fd
Instruction Fuzzy Hash: 67B14770509301AFE750CF28C949B6ABBF5FF8A724F108A1DF595972A0DB75E840CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ABCAC0 Relevance: 25.8, APIs: 17, Instructions: 343COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00ABCB05
GetWindowRect.USER32(00000000,?), ref: 00ABCB13
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00ABCB43
InvalidateRect.USER32(00000000,00000000,00000001), ref: 00ABCE56
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 00ABCE80

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: 944f41153c90bfe23335467aef7b3c855c99c5a06d317c02b2d6006653bf8bcf
Instruction ID: b362fff801062afea74c8ad6eda6a6e2c104493187af346d6c2775d9fb0a7b7a
Opcode Fuzzy Hash: 944f41153c90bfe23335467aef7b3c855c99c5a06d317c02b2d6006653bf8bcf
Instruction Fuzzy Hash: B0D1F8756043019FD708CF6CC989AABBBE5BF88310F088A1DF989DB255D770E944CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8FE0 Relevance: 25.8, APIs: 17, Instructions: 343COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00AA9025
GetWindowRect.USER32(00000000,?), ref: 00AA9033
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00AA9063
InvalidateRect.USER32(00000000,00000000,00000001), ref: 00AA9376
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 00AA93A0

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Rect$InvalidateItemPoints
String ID:
API String ID: 2775623374-0
Opcode ID: d392cf7e45b9dd440449ab2558e9529f9b2c29ee58e50a70dca14a28f09ad88c
Instruction ID: bd39ec4aca5f7ea8a7df12097444532aefe1741504f024a725ffb3be6312ca23
Opcode Fuzzy Hash: d392cf7e45b9dd440449ab2558e9529f9b2c29ee58e50a70dca14a28f09ad88c
Instruction Fuzzy Hash: 7CD1D5716043019FDB04CF6CC989A6BBBE5BF89700F088A1DF989DB295D770E944CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00AE7020 Relevance: 24.2, APIs: 16, Instructions: 221windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,C956CA52), ref: 00AE709C
GetCursorPos.USER32(?), ref: 00AE70EE
SetMenuDefaultItem.USER32(?,?,00000000), ref: 00AE710A
SetForegroundWindow.USER32(?), ref: 00AE7128
MonitorFromPoint.USER32(00000000,00000000,00000000), ref: 00AE7146
MonitorFromPoint.USER32(?,?,00000002), ref: 00AE7158
GetMonitorInfoW.USER32(00000000,?), ref: 00AE7180
TrackPopupMenu.USER32(?,00000000,?,?,00000000,?,00000000), ref: 00AE71B2
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00AE71C3
DestroyMenu.USER32(00000000), ref: 00AE71D0
DestroyMenu.USER32(00000000), ref: 00AE71EC
LoadMenuW.USER32(?,C956CA52), ref: 00AE7235
GetMenuItemID.USER32(?,00000000), ref: 00AE7268
SendMessageW.USER32(?,00000111,?,00000000), ref: 00AE7288
DestroyMenu.USER32(00000000,?,?,?), ref: 00AE7295
DestroyMenu.USER32(00000000,?,?,?), ref: 00AE72AD

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Menu$Destroy$Monitor$FromItemLoadMessagePoint$CursorDefaultForegroundInfoPopupPostSendTrackWindow
String ID:
API String ID: 691141992-0
Opcode ID: 327ff01f6bc42a22ec5e7c2ab7d7bbc13c54e97275a312f4581b9c0bc35775cc
Instruction ID: f97c19e2abf1fa984886fbe391a21cae11c2d178369025a6061bc40808582ea3
Opcode Fuzzy Hash: 327ff01f6bc42a22ec5e7c2ab7d7bbc13c54e97275a312f4581b9c0bc35775cc
Instruction Fuzzy Hash: 53815971A05249EFDB25CFA5DD54BEEBBB8FF48710F10421AF912A72A0DB70AD018B51

Uniqueness

Uniqueness Score: -1.00%

Function 00AE94E0 Relevance: 24.1, APIs: 16, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000413), ref: 00AE94F9
GetDlgItem.USER32(?,000003FC), ref: 00AE9505
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE9519
EnableWindow.USER32(00000000,-00000001), ref: 00AE952A
GetDlgItem.USER32(01B80000,00000402), ref: 00AE9538
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE954A
EnableWindow.USER32(00000000,-00000001), ref: 00AE9555
GetDlgItem.USER32(01B80000,000003FF), ref: 00AE9563
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE9575
EnableWindow.USER32(00000000,-00000001), ref: 00AE9580
GetDlgItem.USER32(01B80000,0000040D), ref: 00AE958E
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE95A0
EnableWindow.USER32(00000000,-00000001), ref: 00AE95AB
GetDlgItem.USER32(?,00000423), ref: 00AE95B9
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE95C9
EnableWindow.USER32(?,00000000), ref: 00AE95D5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Item$EnableMessageSendWindow
String ID:
API String ID: 3471810782-0
Opcode ID: 4689e32179cd21dc2be635e703048034b0b90338484a49db4361f096aaa7eda5
Instruction ID: 3d7dc2372de60949ee270f3f53ed7d3a72ea86697d02d5d7d5a334498aec0227
Opcode Fuzzy Hash: 4689e32179cd21dc2be635e703048034b0b90338484a49db4361f096aaa7eda5
Instruction Fuzzy Hash: 4A214C316D131A7FEB205B75EC4AF7AB6A8EB45F11F444528B701EB1E1CEA0EC00966D

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2330 Relevance: 23.2, APIs: 5, Strings: 8, Instructions: 470processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00AE23A4
GetLastError.KERNEL32 ref: 00AE23B2

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00AE26F5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AE2707
GetLastError.KERNEL32 ref: 00AE271C

Strings

CreateProcess ", xrefs: 00AE277D
GetModuleFileName failed., xrefs: 00AE240D
" failed., xrefs: 00AE27FC
"%s" %s, xrefs: 00AE26BE
D, xrefs: 00AE2382
" with command line ", xrefs: 00AE27C2
LastError: , xrefs: 00AE2419, 00AE25EB, 00AE280E
VerifyDigitalSignature failed., xrefs: 00AE25DF

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Process$CriticalCurrentErrorLastSection$CreateEnterFileHeapInitializeModuleNameObjectSingleThreadWait
String ID: LastError: $" failed.$" with command line "$"%s" %s$CreateProcess "$D$GetModuleFileName failed.$VerifyDigitalSignature failed.
API String ID: 4273426264-3585311892
Opcode ID: 59a21b1d715f3a90487ee7deb5f513ce8268f39f52362a781cdc5982cb515ebe
Instruction ID: e024bac764324ec85deb299029d28687e69799f3e3e13e26af5535637a79ce42
Opcode Fuzzy Hash: 59a21b1d715f3a90487ee7deb5f513ce8268f39f52362a781cdc5982cb515ebe
Instruction Fuzzy Hash: F302E3319416599FDB20EF68DD59BAEB7F4EF45310F1482D8E409AB2A2DB30AE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD310 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 457fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000104,C956CA52,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD364
_wcsrchr.LIBVCRUNTIME ref: 00ACD441
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD4CE
_wcsrchr.LIBVCRUNTIME ref: 00ACD509
CopyFileW.KERNEL32(?,?,00000000,?,?,.exe,?,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD65B
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD668
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,.ini,?,?,00000000,?), ref: 00ACD724
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD751
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,00B13D4A,000000FF), ref: 00ACD772

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

Strings

RealUpdaterPath, xrefs: 00ACD7FC
.exe, xrefs: 00ACD5B3
.ini, xrefs: 00ACD67D
aiu, xrefs: 00ACD39C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$_wcsrchr$AttributesCopyCreateDeleteErrorFindHeapLastModuleNameProcessResourceWrite
String ID: .exe$.ini$RealUpdaterPath$aiu
API String ID: 1496347317-2284992342
Opcode ID: 6fa02f2e255ea25cc159b62472272183d679ef5b434e5402795001b48f607fb8
Instruction ID: c56d06c1ff3e76c658c06c18c0c0ee4d85e6438f68ec4ac8f19cf8bd9d04d687
Opcode Fuzzy Hash: 6fa02f2e255ea25cc159b62472272183d679ef5b434e5402795001b48f607fb8
Instruction Fuzzy Hash: 0702BD70A00206DFDB14DF68C989FAEB7B5FF44314F15866DE81A9B291DB74A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BCB0 Relevance: 23.2, APIs: 4, Strings: 9, Instructions: 433COMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

_wcschr.LIBVCRUNTIME ref: 00A9BD75
_wcschr.LIBVCRUNTIME ref: 00A9BE2F
_wcschr.LIBVCRUNTIME ref: 00A9BE5A
_wcschr.LIBVCRUNTIME ref: 00A9BFC1

Strings

<, xrefs: 00A9B3A1
d, xrefs: 00A9B39A
d, xrefs: 00A9B385
ddd, xrefs: 00A9B632, 00A9B63B
@$+,/:;=?&%<>{}[]()#^!*', xrefs: 00A9BC29, 00A9BC39
0123456789AaBbCcDdEeFf, xrefs: 00A9BD14, 00A9BD24
d, xrefs: 00A9B393
d, xrefs: 00A9B37E
%%%X, xrefs: 00A9BACF

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _wcschr$FindHeapProcessResource
String ID: @$+,/:;=?&%<>{}[]()#^!*'$%%%X$0123456789AaBbCcDdEeFf$<$d$d$d$d$ddd
API String ID: 3569040288-1066352928
Opcode ID: 3a769cce2f2178f30025532d232a0f65fd41f4ebf430255c68755e723a52589c
Instruction ID: 4c7c7b1212a3a74d5ab12a039692efabfa1ce733c3734a832e9fc7acaf132417
Opcode Fuzzy Hash: 3a769cce2f2178f30025532d232a0f65fd41f4ebf430255c68755e723a52589c
Instruction Fuzzy Hash: 8CF19B71A00609DFDF04DF68C989BADB7F5EF48324F248269E415EB391DB35AA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F050 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 197registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00A9F0BE
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00A9F2B3
GetProcAddress.KERNEL32(00000000), ref: 00A9F2BA
GetCurrentProcess.KERNEL32(?), ref: 00A9F2F1

Strings

CurrentMajorVersionNumber, xrefs: 00A9F0FA
CurrentMinorVersionNumber, xrefs: 00A9F119
CurrentVersion, xrefs: 00A9F148
kernel32, xrefs: 00A9F2AE
, xrefs: 00A9F135
IsWow64Process, xrefs: 00A9F2A9
CSDVersion, xrefs: 00A9F20E
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00A9F0B4
CurrentBuildNumber, xrefs: 00A9F1BD

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressCurrentHandleModuleOpenProcProcess
String ID: $CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 4221128193-642306747
Opcode ID: 892bd1d2d906d1539ab597b4e86c9cd8c2eb467d3e85e02bca1de851e601138f
Instruction ID: cca4a21a967c97f120405b00677d191364df68965fba916bfd805ff1b6d878e0
Opcode Fuzzy Hash: 892bd1d2d906d1539ab597b4e86c9cd8c2eb467d3e85e02bca1de851e601138f
Instruction Fuzzy Hash: 36816DB59002289FDF20CF64DD45BDABBF8FB05714F0001EAE609A7292EB746A84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00AE60E0 Relevance: 22.9, APIs: 15, Instructions: 382windowCOMMON

Download Yara Rule

APIs

_wcsstr.LIBVCRUNTIME ref: 00AE6134
_wcsstr.LIBVCRUNTIME ref: 00AE6146
_wcsstr.LIBVCRUNTIME ref: 00AE61F3
_wcsstr.LIBVCRUNTIME ref: 00AE627F

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

SetWindowPos.USER32(00000001,00000000,00000000,00000000,00000352,00000258,00000016,?,?,00000000), ref: 00AE6346

Part of subcall function 00AA94E0: GetWindowLongW.USER32(8B0C428D,000000F0), ref: 00AA9527
Part of subcall function 00AA94E0: GetParent.USER32(8B0C428D), ref: 00AA9539
Part of subcall function 00AA94E0: GetWindowRect.USER32(8B0C428D,?), ref: 00AA955B
Part of subcall function 00AA94E0: GetWindowLongW.USER32(00000000,000000F0), ref: 00AA956E
Part of subcall function 00AA94E0: MonitorFromWindow.USER32(8B0C428D,00000002), ref: 00AA9586

IsWindowVisible.USER32(00000001), ref: 00AE63BA
ShowWindow.USER32(00000001,00000002), ref: 00AE63D7
ShowWindow.USER32(00000001,00000001), ref: 00AE63DE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$_wcsstr$LongShow$Exception@8FromMonitorParentRectThrowVisible
String ID:
API String ID: 1801163065-0
Opcode ID: a3fedfff2cede5ed0cd004dc840054620a0b159e74d763c1de1549cf8a439a28
Instruction ID: 77d571ccd17a967ae25a81438c03466afbc3973b588a1670837065a597a5cc3d
Opcode Fuzzy Hash: a3fedfff2cede5ed0cd004dc840054620a0b159e74d763c1de1549cf8a439a28
Instruction Fuzzy Hash: 0AD13571A002429FDB24DF2ACD45BAAB7A4FFA4350F00892DFA459B291DB71ED14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF82A9 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF8319
_free.LIBCMT ref: 00AF832F
_free.LIBCMT ref: 00AF8340
_free.LIBCMT ref: 00AF8351
_free.LIBCMT ref: 00AF8368
GetCPInfo.KERNEL32(?,?), ref: 00AF83B0

Part of subcall function 00AFF0FC: _free.LIBCMT ref: 00AFF167

_free.LIBCMT ref: 00AF855C
_free.LIBCMT ref: 00AF856F
_free.LIBCMT ref: 00AF857D
_free.LIBCMT ref: 00AF8588
_free.LIBCMT ref: 00AF85CA
_free.LIBCMT ref: 00AF85D2
_free.LIBCMT ref: 00AF85DA
_free.LIBCMT ref: 00AF85E2
_free.LIBCMT ref: 00AF85F0

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d356037ac338478f50fd53213c05d5b5aa4eae976cf8434b6e4bf3973419e4b3
Instruction ID: d137c211a0f0b9e069306b1324718befadc64688df38592f9a5445ebe5b6e062
Opcode Fuzzy Hash: d356037ac338478f50fd53213c05d5b5aa4eae976cf8434b6e4bf3973419e4b3
Instruction Fuzzy Hash: DEB19FB19002499FDB21DFB8C981BFEBBF4FF09300F144569FA95A7242DB75A8458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8550 Relevance: 22.8, APIs: 15, Instructions: 293COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000000,00000001), ref: 00AA8584

Part of subcall function 00A88E90: GetUserDefaultUILanguage.KERNEL32 ref: 00A88EFB

SetWindowTextW.USER32(00000000,00000000), ref: 00AA85A4
SetWindowTextW.USER32(00000000,00000000), ref: 00AA85F3
SetWindowTextW.USER32(00000000,00000000), ref: 00AA867D
GetDlgItem.USER32(00000000,00000426), ref: 00AA8690
GetDlgItem.USER32(00000000,00000427), ref: 00AA869F
GetDlgItem.USER32(00000000,00000434), ref: 00AA86F7
SetWindowTextW.USER32(00000000,?), ref: 00AA86FE
GetDlgItem.USER32(8B0C428D,00000429), ref: 00AA870F
SetWindowTextW.USER32(00000000,?), ref: 00AA8728
SetWindowTextW.USER32(00000000,?), ref: 00AA8776
GetDlgItem.USER32(8B0C428D,00000428), ref: 00AA87A6
SetWindowTextW.USER32(00000000,?), ref: 00AA87C3
GetDlgItem.USER32(8B0C428D,00000001), ref: 00AA87F2
EnableWindow.USER32(00000000,00000000), ref: 00AA87FB

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$ItemText$DefaultEnableException@8LanguageThrowUser
String ID:
API String ID: 1811620404-0
Opcode ID: 06b34b8da87785e488c912775a0ed3a0bca2b57150ffbc03124464aced2eb968
Instruction ID: 795cc408cf5a57d343a89bf63fae54019ff48a92a3cba281e0b988734e87d73d
Opcode Fuzzy Hash: 06b34b8da87785e488c912775a0ed3a0bca2b57150ffbc03124464aced2eb968
Instruction Fuzzy Hash: 21B15C30A01605DFDB00DFA8CD48A9EFBB1FF49321F548268E525AB2E2DB789D05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6810 Relevance: 22.7, APIs: 15, Instructions: 182windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB6550: SendMessageW.USER32(?,0000109D,00000001,00000000), ref: 00AB6631
Part of subcall function 00AB6550: SendMessageW.USER32(?,00001091,000000FF,00000028), ref: 00AB668E

GetClientRect.USER32(?,?), ref: 00AB6839
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 00AB6854
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 00AB6867
SendMessageW.USER32(?,0000101E,00000002,00000000), ref: 00AB6885
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6896
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00AB68EA
SendMessageW.USER32(?,0000102B,-00000001,?), ref: 00AB694B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6965
GetWindowLongW.USER32(?,000000F0), ref: 00AB6977
SendMessageW.USER32(?,?,?,0000102B), ref: 00AB69CC
SendMessageW.USER32(?,?,?,0000102B), ref: 00AB6A19
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00AB6A2E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB6A3F
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00AB6A95
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00AB6AE2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$ClientLongRectWindow
String ID:
API String ID: 3446042433-0
Opcode ID: 4b6708da8ada591f0665cc3e2270c2b693b4eec5dd12b3380c7a9fc56d26519b
Instruction ID: ad5f9206a2eb63817aebf49863053e2cac327ebc898923297e97429a7ed3351e
Opcode Fuzzy Hash: 4b6708da8ada591f0665cc3e2270c2b693b4eec5dd12b3380c7a9fc56d26519b
Instruction Fuzzy Hash: FC717331A14786ABE3208F60CD45BAAF7E5FFDA708F20571EF59465190DBF194808E86

Uniqueness

Uniqueness Score: -1.00%

Function 00AC0B20 Relevance: 22.7, APIs: 15, Instructions: 156windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AC0B5F
GetParent.USER32(00000000), ref: 00AC0B62
GetParent.USER32(?), ref: 00AC0B65
ShowWindow.USER32(00000000,00000001), ref: 00AC0B6A
GetParent.USER32(?), ref: 00AC0B88
GetDlgItem.USER32(?,0000041D), ref: 00AC0BAB
ShowWindow.USER32(00000000,00000000), ref: 00AC0BB6
GetDlgItem.USER32(?,0000040F), ref: 00AC0BCA
SendMessageW.USER32(00000000,00001036,00000000,00004020), ref: 00AC0BDB
GetDlgItem.USER32(FFFFFFFF,0000041C), ref: 00AC0C75
GetWindowLongW.USER32(00000000,000000F0), ref: 00AC0C84
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC0C9F
GetClientRect.USER32(?,?), ref: 00AC0CAB
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 00AC0CC2
SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 00AC0CD9

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ParentWindow$ItemMessageSend$LongShow$ClientRect
String ID:
API String ID: 2776136352-0
Opcode ID: 68ca0edf37d7548bd4c61bea6b6c250b7018fef8e5cdf2bddfbdc019af05df9c
Instruction ID: c75504695900ea0e400c73daf04a656b293db421b41fd5de4ae0a3518afeb986
Opcode Fuzzy Hash: 68ca0edf37d7548bd4c61bea6b6c250b7018fef8e5cdf2bddfbdc019af05df9c
Instruction Fuzzy Hash: 3C518170A00605AFEB14EF74CD49FAABBA9FF05720F108269F515A72D1DBB5AC10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA0D60 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 324filethreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
GetCurrentThreadId.KERNEL32 ref: 00AA0E67
OutputDebugStringW.KERNEL32(?,00B2A3D4,00000002,?,?,?,?,?), ref: 00AA1058
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00AA1076
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AA108C
FlushFileBuffers.KERNEL32(?), ref: 00AA1095
LeaveCriticalSection.KERNEL32(?), ref: 00AA10C5

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

Strings

[PID=, xrefs: 00AA0E3B
|, xrefs: 00AA0FBB
|Thread=, xrefs: 00AA0E5B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalFileSection$Current$BuffersDebugEnterException@8FlushInitializeLeaveOutputPointerProcessStringThreadThrowWrite
String ID: [PID=$|$|Thread=
API String ID: 4232973409-768267952
Opcode ID: 51e9e746ea0e0353040290b3d67a6530101812bd2aa660dda039823f3909ef92
Instruction ID: 80e4208b2f04e74187c3f59f2b2c37266d744f384c8c908839de307605585e95
Opcode Fuzzy Hash: 51e9e746ea0e0353040290b3d67a6530101812bd2aa660dda039823f3909ef92
Instruction Fuzzy Hash: 13C1C230A01645EFDB14DF68C959BAEB7B0FF46310F14816CE416AB292DB35AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDA70 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 282fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,UninstallFilePath,00000000,C956CA52,?,?), ref: 00ACDB22
GetLastError.KERNEL32 ref: 00ACDB41
GetACP.KERNEL32(?,00000000), ref: 00ACDC69
WideCharToMultiByte.KERNEL32(00000000,00000000,C956CA52,000000FF,00000000,00000000,00000000,00000000), ref: 00ACDCA7
WideCharToMultiByte.KERNEL32(?,00000000,C956CA52,000000FF,00000000,00000000,00000000,00000000), ref: 00ACDCD0
WriteFile.KERNEL32(?,00000000,-00000001,?,00000000), ref: 00ACDCED
CloseHandle.KERNEL32(?), ref: 00ACDD66

Strings

UninstallFilePath, xrefs: 00ACDAEF
General, xrefs: 00ACD9A9, 00ACD9B9
:again if not exist "%s" goto end if exist "%s" del "%s" goto again :end rmDir "%s" del "%s" | cls, xrefs: 00ACDC3A
del "%s" , xrefs: 00ACDBCF
@echo off , xrefs: 00ACDB6F, 00ACDB7F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharFileMultiWide$CloseCreateErrorHandleLastWrite
String ID: :again if not exist "%s" goto end if exist "%s" del "%s" goto again :end rmDir "%s" del "%s" | cls$@echo off $General$UninstallFilePath$del "%s"
API String ID: 2566189600-1430081174
Opcode ID: 1feaf00b010137a14c26b842dc46a4627f3c87cb2bf2d9ac65af1991e283f81e
Instruction ID: 7839024b1f316bed296d5434592c73a1bc1fcad15ab6b7fffaa1560ac975047c
Opcode Fuzzy Hash: 1feaf00b010137a14c26b842dc46a4627f3c87cb2bf2d9ac65af1991e283f81e
Instruction Fuzzy Hash: 6CA1C270A01205EFDB10DF68CD89FAEBBB4EF04314F158168E915AB292DBB49904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC0000 Relevance: 21.3, APIs: 14, Instructions: 257windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AC0054
GetWindowLongW.USER32(?,000000F0), ref: 00AC0068
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AC007F
GetWindowLongW.USER32(?,000000EC), ref: 00AC0092
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AC00A6
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00AC00B4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AC00C7
GetDlgItem.USER32(?,0000E801), ref: 00AC00D4
IsWindow.USER32(00000000), ref: 00AC00DD
DestroyWindow.USER32(00000000), ref: 00AC00F9
GetClientRect.USER32(?,?), ref: 00AC014E
GetDlgItem.USER32(?), ref: 00AC02DC
GetWindowRect.USER32(00000000,?), ref: 00AC02EE
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00AC0301

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ItemMessageRectSend$ClientDestroyPoints
String ID:
API String ID: 4053346426-0
Opcode ID: 89bd69df81ed8d82be12fb591ad5717b80011b1a9e891f75f057c9c020eec3ef
Instruction ID: beae60794b223fe5390c1dc07824bd443db2329c2cd37f707412d062b8be2923
Opcode Fuzzy Hash: 89bd69df81ed8d82be12fb591ad5717b80011b1a9e891f75f057c9c020eec3ef
Instruction Fuzzy Hash: F3A18FB4901204EFEB24DF68D988F9DBBB4FF05320F114229E925A73E1DB75A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9810 Relevance: 21.3, APIs: 14, Instructions: 256windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AB9864
GetWindowLongW.USER32(?,000000F0), ref: 00AB9878
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AB988F

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

GetWindowLongW.USER32(?,000000EC), ref: 00AB98A2
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AB98B6
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00AB98C4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AB98D7
GetDlgItem.USER32(?,0000E801), ref: 00AB98E4
IsWindow.USER32(00000000), ref: 00AB98ED
DestroyWindow.USER32(00000000), ref: 00AB9909
GetClientRect.USER32(?,?), ref: 00AB995E
GetDlgItem.USER32(?), ref: 00AB9AD0
GetWindowRect.USER32(00000000,?), ref: 00AB9AE2
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00AB9AF5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ItemMessageRectSend$ClientDestroyExceptionPointsRaise
String ID:
API String ID: 1311170239-0
Opcode ID: 5a5f7f2f4158677c2af8a8a4eca87bc9229c33f0bc9ad9f96d7e39929a5def24
Instruction ID: eea78de400d312659c875bf842e75d125631d462c19ec62e5407c3105406b6a9
Opcode Fuzzy Hash: 5a5f7f2f4158677c2af8a8a4eca87bc9229c33f0bc9ad9f96d7e39929a5def24
Instruction Fuzzy Hash: CEA171B0901204DFDB10DF68DD89B9ABBB9FF05320F208229F925A73E1DB75A954CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ADE530 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,C956CA52), ref: 00ADE5D6
GetLastError.KERNEL32 ref: 00ADE5E0
EnterCriticalSection.KERNEL32(?), ref: 00ADE62C
LeaveCriticalSection.KERNEL32(?,76ECE820,?), ref: 00ADE659
GetModuleFileNameW.KERNEL32(00A80000,?,00000104), ref: 00ADE6AE
GetModuleHandleW.KERNEL32(00000000), ref: 00ADE749
LeaveCriticalSection.KERNEL32(?,Module,?), ref: 00ADE843
EnterCriticalSection.KERNEL32(?), ref: 00ADE888
LeaveCriticalSection.KERNEL32(?,Module_Raw,?), ref: 00ADE8BC

Part of subcall function 00AEEA58: ___report_securityfailure.LIBCMT ref: 00AEEA5D

Strings

REGISTRY, xrefs: 00ADE8F9
Module, xrefs: 00ADE82A
Module_Raw, xrefs: 00ADE8A3

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$Leave$EnterModule$CountErrorFileHandleInitializeLastNameSpin___report_securityfailure
String ID: Module$Module_Raw$REGISTRY
API String ID: 22735638-549000027
Opcode ID: 98b6b96c176226d7b4ae92f458ed0968b1de66a411a82b5c8d48ad5cb92a7a2e
Instruction ID: 99974d3063417bdc5863931c2963775795ef9406c0be419173ef9ab0fd81e00a
Opcode Fuzzy Hash: 98b6b96c176226d7b4ae92f458ed0968b1de66a411a82b5c8d48ad5cb92a7a2e
Instruction Fuzzy Hash: 39B1DF35900358DADB21EB64CD44BDEB7B4AF59300F1445DAE40AAB790EB74AF84CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00AC19E0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 00AC1A36
GetWindowLongW.USER32(?,000000EC), ref: 00AC1A47
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AC1A58
RemovePropW.USER32 ref: 00AC1AB1
GetParent.USER32(?), ref: 00AC1AFC
SendMessageW.USER32(00000000,?,?,?), ref: 00AC1B09
GetDlgItem.USER32(?,0000E801), ref: 00AC1B5C
ShowWindow.USER32(00000000,00000000), ref: 00AC1B6E
GetClientRect.USER32(?,?), ref: 00AC1BAC
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 00AC1BC7
SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 00AC1BE3

Strings

IsExterior, xrefs: 00AC1A2E, 00AC1AA2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSendWindow$LongProp$ClientItemParentRectRemoveShow
String ID: IsExterior
API String ID: 1925185345-3989742051
Opcode ID: be0484a9836a7540581f574768c68798c3c483becdd4fdca5a42fd7d6957b55b
Instruction ID: 41e2712dd988c429bf6bec1b6e13d5edd7c1f6d0659131cfe376ffd7f7458e19
Opcode Fuzzy Hash: be0484a9836a7540581f574768c68798c3c483becdd4fdca5a42fd7d6957b55b
Instruction Fuzzy Hash: E361DF706047009FDB20DF24E889F6BB7E1FB85314F504A1DF49697291CB75E855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC5B0 Relevance: 21.2, APIs: 14, Instructions: 191windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00ABC5DD
GetWindowLongW.USER32(?,000000F0), ref: 00ABC5F2
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00ABC609

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

GetWindowLongW.USER32(?,000000EC), ref: 00ABC61D
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ABC631
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00ABC63F
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ABC652
GetDlgItem.USER32(?,0000E801), ref: 00ABC65F
IsWindow.USER32(00000000), ref: 00ABC668
DestroyWindow.USER32(00000000), ref: 00ABC684
GetClientRect.USER32(?,?), ref: 00ABC6DC
GetDlgItem.USER32(?,00000417), ref: 00ABC76F
GetWindowRect.USER32(00000000,?), ref: 00ABC783
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00ABC798

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$ItemMessageRectSend$ClientDestroyExceptionPointsRaise
String ID:
API String ID: 1311170239-0
Opcode ID: cd2e145dc2303bed25e5fedb008fafc6affab0ad5551603e6a564b4285f41f6b
Instruction ID: 1528bf180e90ca7a29c170bfed1fadd4089c9eaef0b842cdb278505de579ffee
Opcode Fuzzy Hash: cd2e145dc2303bed25e5fedb008fafc6affab0ad5551603e6a564b4285f41f6b
Instruction Fuzzy Hash: F3715D70505341AFE710DF28C849F9ABBE9FF85320F209B19F5A5D72A1DB71A850CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AA94E0 Relevance: 19.7, APIs: 13, Instructions: 170COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(8B0C428D,000000F0), ref: 00AA9527
GetParent.USER32(8B0C428D), ref: 00AA9539
GetWindow.USER32(8B0C428D,00000004), ref: 00AA954A
GetWindowRect.USER32(8B0C428D,?), ref: 00AA955B
GetWindowLongW.USER32(00000000,000000F0), ref: 00AA956E
MonitorFromWindow.USER32(8B0C428D,00000002), ref: 00AA9586
GetMonitorInfoW.USER32(00000000,?), ref: 00AA95A8
GetWindowRect.USER32(00000000,?), ref: 00AA95C9
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 00AA967F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: 11db7e66b1c9dc5fac094d3632ce18e090aefabe5e10bcc40d1b6b8f92222ecd
Instruction ID: b1b342cd19a96eab94cc0cf509307149fcb513b43d498ac40730489cbc0459ff
Opcode Fuzzy Hash: 11db7e66b1c9dc5fac094d3632ce18e090aefabe5e10bcc40d1b6b8f92222ecd
Instruction Fuzzy Hash: ED519C32D01119AFDB21CFA8DD49AEEBBB5FF49710F644229E815E3294DB30AD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4EC0 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 389synchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00AC4EF1
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00AC5000
GetTickCount.KERNEL32 ref: 00AC5028
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00AC5041
SetEvent.KERNEL32(?,-00001860,-00001040,-00000820), ref: 00AC5257

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

GetLastError.KERNEL32 ref: 00AC52E8
SetEvent.KERNEL32(?), ref: 00AC52F9

Strings

Command , xrefs: 00AC510B
Waiting for commands. File map name: , xrefs: 00AC4F4A
%s("%s", "%s", "%s"), xrefs: 00AC5159
executed. Return code: , xrefs: 00AC518C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CountEventObjectSingleTickWait$ErrorHeapLastProcess
String ID: executed. Return code: $%s("%s", "%s", "%s")$Command $Waiting for commands. File map name:
API String ID: 277822026-3193615611
Opcode ID: f85496019ae471e4edb0b7c4b34c9eb77abd864e0a8df17a55070ced1ea05027
Instruction ID: 924b4ecdd70acea055023357f0a3f21e325cd79948ec3dc992ca514b3760c079
Opcode Fuzzy Hash: f85496019ae471e4edb0b7c4b34c9eb77abd864e0a8df17a55070ced1ea05027
Instruction Fuzzy Hash: EBE1AD31A016059BDB00EFB8C949FAEB7F4FF45310F14826DE415EB2A2DB74A940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B0147A Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B014BE

Part of subcall function 00B00852: _free.LIBCMT ref: 00B0086F
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00881
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00893
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008A5
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008B7
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008C9
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008DB
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008ED
Part of subcall function 00B00852: _free.LIBCMT ref: 00B008FF
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00911
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00923
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00935
Part of subcall function 00B00852: _free.LIBCMT ref: 00B00947

_free.LIBCMT ref: 00B014B3

Part of subcall function 00AFB0C1: HeapFree.KERNEL32(00000000,00000000,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?), ref: 00AFB0D7
Part of subcall function 00AFB0C1: GetLastError.KERNEL32(?,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?,?), ref: 00AFB0E9

_free.LIBCMT ref: 00B014D5
_free.LIBCMT ref: 00B014EA
_free.LIBCMT ref: 00B014F5
_free.LIBCMT ref: 00B01517
_free.LIBCMT ref: 00B0152A
_free.LIBCMT ref: 00B01538
_free.LIBCMT ref: 00B01543
_free.LIBCMT ref: 00B0157B
_free.LIBCMT ref: 00B01582
_free.LIBCMT ref: 00B0159F
_free.LIBCMT ref: 00B015B7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 03d9667db00e1b3dc6bbf6adefdde40aa1c21d178c0c2fea02f5a21c8434453d
Instruction ID: b02ad5faea638b4830a0de6f94d4313aae13246d7efbef182eec1788ebc0b286
Opcode Fuzzy Hash: 03d9667db00e1b3dc6bbf6adefdde40aa1c21d178c0c2fea02f5a21c8434453d
Instruction Fuzzy Hash: 3C3140716106049FDB35AABCD945B6A7BF8EF40310F104899F599DB2A1DF31ED808B20

Uniqueness

Uniqueness Score: -1.00%

Function 00A888E0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 300libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,C956CA52), ref: 00A88966
GetLastError.KERNEL32 ref: 00A88994

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00A889AA
FreeLibrary.KERNEL32(00000000), ref: 00A889C3
GetLastError.KERNEL32 ref: 00A889D0

Strings

ConvertStringSidToSidW, xrefs: 00A889A4
Advapi32.dll, xrefs: 00A88934

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastLibrary$AddressException@8FreeLoadProcThrow
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 564822862-1129428314
Opcode ID: 56976af4a893c79fb797429419d431b5c02c6d4bde40845bbe37435425b38745
Instruction ID: 385846350df50b9c0a41f21ee9d2c515e43bdc09bdbc06a6442bd40fb56ebbb5
Opcode Fuzzy Hash: 56976af4a893c79fb797429419d431b5c02c6d4bde40845bbe37435425b38745
Instruction Fuzzy Hash: CCC19DB1C02209DBDB10EF94C948BEEBBB5FF54314F608219E815B7280DF78AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AA48E0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 246fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00B285D0,80000000,00000000,00000000,00000003,00000080,00000000,C956CA52,?,00000000,?), ref: 00AA491F
GetLastError.KERNEL32(?,?,?,?,80004005,80004005,80004005), ref: 00AA4940

Part of subcall function 00A8CC10: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,?,00000000,00000000,00AA4BC2,00000000), ref: 00A8CC34
Part of subcall function 00A8CC10: MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,?,00000000), ref: 00A8CC68

GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,80004005,80004005,80004005), ref: 00AA4950
GetLastError.KERNEL32(?,?,?,?,80004005,80004005,80004005), ref: 00AA495D
CloseHandle.KERNEL32(00000000,?,?,?,?,80004005,80004005,80004005), ref: 00AA4AD6

Strings

ISO-8859-1, xrefs: 00AA4AFC
utf-16, xrefs: 00AA4A01
utf-8, xrefs: 00AA49D5
US-ASCII, xrefs: 00AA4B25

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWide$CloseCreateHandleSize
String ID: ISO-8859-1$US-ASCII$utf-16$utf-8
API String ID: 743212032-3020978663
Opcode ID: 48d194f7a2c754518c1b99600dae994f2664392cd8f6df4c3a5b5ef1c89debaf
Instruction ID: a4fb6061d11644fe90cd514bbddb0f60023f16820a101566d84728bac6b1014e
Opcode Fuzzy Hash: 48d194f7a2c754518c1b99600dae994f2664392cd8f6df4c3a5b5ef1c89debaf
Instruction Fuzzy Hash: C591C171600205DFDB00DF68C845BAEB7B5EF89320F248269F9159B3D1DBB1DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B00950 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B00998
_free.LIBCMT ref: 00B009BC
_free.LIBCMT ref: 00B009C9
_free.LIBCMT ref: 00B009EE
_free.LIBCMT ref: 00B009FB
_free.LIBCMT ref: 00B00A04
_free.LIBCMT ref: 00B00CE2
_free.LIBCMT ref: 00B00CEA

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 49f197c51aa88a4d0a0f760a201dd66164b80238fe9c3da6a59a4fba5a87be74
Instruction ID: d9325fcac3786bde4566a38ddcf464d1383c8268b0178ca4a7ef8e4e770b918d
Opcode Fuzzy Hash: 49f197c51aa88a4d0a0f760a201dd66164b80238fe9c3da6a59a4fba5a87be74
Instruction Fuzzy Hash: 0AC10576D50209BFEB20DBA8DD82FAE7BF8EF44700F144165FA44EB2C2E67099419760

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4B90 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 487memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A9E7E0: GetLastError.KERNEL32 ref: 00A9E832

GetLastError.KERNEL32 ref: 00AD4C5F
LocalAlloc.KERNEL32(00000000,00000000), ref: 00AD4C6D
LocalFree.KERNEL32(00000000), ref: 00AD4C9B
_wcschr.LIBVCRUNTIME ref: 00AD4F96
GetLastError.KERNEL32 ref: 00AD4CA1

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

LocalFree.KERNEL32(00000000,?), ref: 00AD512F

Strings

Service running from path: , xrefs: 00AD4D30
LegacyIpcObjectBaseName: , xrefs: 00AD507C
%s support service, xrefs: 00AD5EC0
;, xrefs: 00AD6152

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastLocal$CriticalCurrentFreeProcessSection$AllocEnterHeapInitializeThread_wcschr
String ID: %s support service$;$LegacyIpcObjectBaseName: $Service running from path:
API String ID: 2295661362-1157221049
Opcode ID: f324010e4dd335f28a34a56d284975eddadb6e967347f97ae2b0a526a62b8d9d
Instruction ID: a91bf1c17f66f05e4aa22431bc994cd7cd70114b2056bcd35f27ae01cc24cbe7
Opcode Fuzzy Hash: f324010e4dd335f28a34a56d284975eddadb6e967347f97ae2b0a526a62b8d9d
Instruction Fuzzy Hash: A7129D74A01604DFDB14EFA8C998BAEB7F5FF48314F14825EE416AB3A1DB70A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AE5C40 Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 433threadCOMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00AE5CD0
_wcsrchr.LIBVCRUNTIME ref: 00AE5EBE
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE608D
GetWindowLongW.USER32(?,000000F0), ref: 00AE60A2

Strings

HKCR, xrefs: 00AE5E1D
HKCU, xrefs: 00AE5D4D
HKLM, xrefs: 00AE5D06
HKU, xrefs: 00AE5D91
HKCC, xrefs: 00AE5DD5
HKUD, xrefs: 00AE5E5E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongProcessThread_wcschr_wcsrchr
String ID: HKCC$HKCR$HKCU$HKLM$HKU$HKUD
API String ID: 3671539109-2836228076
Opcode ID: 67781fb8cfa1a02672eca7760335992eeea7f52c5de35080578a66355502887f
Instruction ID: 35e0a95aab824bab01ec7e3b12a5cbca3379a3422aa2a7b6e9f2e86315a7a6c5
Opcode Fuzzy Hash: 67781fb8cfa1a02672eca7760335992eeea7f52c5de35080578a66355502887f
Instruction Fuzzy Hash: 16E1E571A00A42CFDB14CF79D994BAAB3B1FF51728F258669E4129B291EB32DD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA5A60 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 332networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

ResetEvent.KERNEL32(?), ref: 00AA5AEA
InternetConnectW.WININET(?,?,?,?,?,00000001,08000000), ref: 00AA5B04
SetEvent.KERNEL32(?), ref: 00AA5B23
ResetEvent.KERNEL32(?), ref: 00AA5CB3
FtpOpenFileW.WININET(00000000,?,80000000,80000002), ref: 00AA5CC6
SetEvent.KERNEL32(?), ref: 00AA5CE5
FtpGetFileSize.WININET(00000000,00000000), ref: 00AA5D70
InternetSetStatusCallbackW.WININET(00000000,00000000), ref: 00AA5DB8
InternetCloseHandle.WININET(00000000), ref: 00AA5DBF

Strings

FTP Server, xrefs: 00AA5B99, 00AA5BA9

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Event$Internet$FileReset$CallbackCloseConnectHandleHeapOpenProcessSizeStatus
String ID: FTP Server
API String ID: 2007386413-688436434
Opcode ID: 10dd9dd8886f92941df7d1d864e32bede213c79e68053566b7baf9a1a49a0768
Instruction ID: 66a270ddb24a97d5eaac7fa38b1d8eb05e06786711a9ecc5d343dcb01bda3933
Opcode Fuzzy Hash: 10dd9dd8886f92941df7d1d864e32bede213c79e68053566b7baf9a1a49a0768
Instruction Fuzzy Hash: 17D1A031901609DFDB11DF78C988BAEBBB4FF46324F148298E815AB292D774DD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2320 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 305fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000,00000202,00B11CB8,000000FF), ref: 00AC23A4

Part of subcall function 00AA0A60: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00AA0A9A
Part of subcall function 00AA0A60: WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00AA0AC3

WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00AC24EC
CloseHandle.KERNEL32(00000000), ref: 00AC24F5
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00AC2532
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00AC25C9

Strings

url, xrefs: 00AC235D
open, xrefs: 00AC252B
URL, xrefs: 00AC2362
[InternetShortcut]URL=, xrefs: 00AC242B
-_.~!*'();:@&=+$,/?#[], xrefs: 00AC247F, 00AC256C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharExecuteFileMultiShellWide$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL$[InternetShortcut]URL=$open$url
API String ID: 520909297-1843308693
Opcode ID: 8eb726d373f76842b1718b287b99217001862411a5f4c6450b1a0953fa426609
Instruction ID: 53ddc5531b9bdf34075e1d7d6561f602265d44ca9516ea169ebebe1e8d59e805
Opcode Fuzzy Hash: 8eb726d373f76842b1718b287b99217001862411a5f4c6450b1a0953fa426609
Instruction Fuzzy Hash: AEB148726002899FEB14DF28CD85FDE3BA2EF55304F11811DE5489B3D1D779AA48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5350 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 284COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(000F001F,00000000,00000000,C956CA52,?,-00000010,00000014,00000000), ref: 00AC5383
GetLastError.KERNEL32(?,-00000010,00000014,00000000), ref: 00AC5394
OpenEventW.KERNEL32(001F0003,00000000,?,?,-00000010,00000014,00000000), ref: 00AC54A9
GetLastError.KERNEL32(?,-00000010,00000014,00000000), ref: 00AC54B6
OpenEventW.KERNEL32(001F0003,00000000,?,?,-00000010,00000014,00000000), ref: 00AC5590
GetLastError.KERNEL32(?,-00000010,00000014,00000000), ref: 00AC559D

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

Strings

Unable to open Cmd event., xrefs: 00AC5501
Unable to open WaitCmd event., xrefs: 00AC55F0
Unable to create file mapping., xrefs: 00AC53E7
LastError: , xrefs: 00AC53F3, 00AC550D, 00AC55FC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastOpen$CriticalCurrentEventProcessSection$EnterFileHeapInitializeMappingThread
String ID: LastError: $Unable to create file mapping.$Unable to open Cmd event.$Unable to open WaitCmd event.
API String ID: 1974056431-574013566
Opcode ID: 28b19c10b17132778480e7a93aa7907f1b7ead07c260d467b42241d1aace727d
Instruction ID: c1f6a9ba8d8f6d754c1c3a176aaf70dcdb8fa1fb3d880a407ed716a6bf78ab7c
Opcode Fuzzy Hash: 28b19c10b17132778480e7a93aa7907f1b7ead07c260d467b42241d1aace727d
Instruction Fuzzy Hash: 05A1A1319016059FDB14EFB8CE19FAEB7E4EF41320F15426CB515AB2E2DB70A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 00ABC1BC
GetWindowLongW.USER32(?,000000EC), ref: 00ABC1CD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ABC1DE
RemovePropW.USER32(?,IsExterior), ref: 00ABC21A
GetParent.USER32(?), ref: 00ABC24E
SendMessageW.USER32(00000000,00000000,?,?), ref: 00ABC258
GetDlgItem.USER32(?,0000E801), ref: 00ABC2A3
ShowWindow.USER32(00000000,00000000,?,?,?,?,00ABB0F0,?,?,?,?), ref: 00ABC2B1
ShowWindow.USER32(00000000,00000005,?,?,?,?,00ABB0F0,?,?,?,?), ref: 00ABC2C0

Strings

IsExterior, xrefs: 00ABC1B4, 00ABC20B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongPropShow$ItemMessageParentRemoveSend
String ID: IsExterior
API String ID: 157459838-3989742051
Opcode ID: 2942ff04153711f5ca49d234ccdd5df94bb7a92db941c065fb5b78491a7c9a4d
Instruction ID: b842abd5107019dd1cc55aef842d972499e519f047c04d69094503f920acc0fe
Opcode Fuzzy Hash: 2942ff04153711f5ca49d234ccdd5df94bb7a92db941c065fb5b78491a7c9a4d
Instruction Fuzzy Hash: 9151D1705007009FDB31AF64D988FA7BBE8EB44B24F504619F056972A2C776E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8A40 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 00AB8A7C
GetWindowLongW.USER32(?,000000EC), ref: 00AB8A8D
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AB8A9E
RemovePropW.USER32(?,IsExterior), ref: 00AB8ADA
GetParent.USER32(?), ref: 00AB8B0E
SendMessageW.USER32(00000000,00000000,?,?), ref: 00AB8B18
GetDlgItem.USER32(?,0000E801), ref: 00AB8B63
ShowWindow.USER32(00000000,00000000,?,?,?,00000000,00AB43A3,?,00000000,?,?,?,00000000,?,?), ref: 00AB8B71
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00AB43A3,?,00000000,?,?,?,00000000,?,?), ref: 00AB8B80

Strings

IsExterior, xrefs: 00AB8A74, 00AB8ACB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongPropShow$ItemMessageParentRemoveSend
String ID: IsExterior
API String ID: 157459838-3989742051
Opcode ID: 2c4c04b175a9f58ad9b8f26e2b9ef5c326913c7d2bc26e13e7d711f682160985
Instruction ID: 5daaf770c1919685874eda591453adad78d7b8504e6679b892bbadc9728daa79
Opcode Fuzzy Hash: 2c4c04b175a9f58ad9b8f26e2b9ef5c326913c7d2bc26e13e7d711f682160985
Instruction Fuzzy Hash: 8351D2B05047009FD7219F38D888BAB7BECFB45725F104A1DF056976A2CB7AE885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDAF0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 00ABDB2C
GetWindowLongW.USER32(?,000000EC), ref: 00ABDB3D
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ABDB4E
RemovePropW.USER32(?,IsExterior), ref: 00ABDB8A
GetParent.USER32(?), ref: 00ABDBBE
SendMessageW.USER32(00000000,00000000,?,?), ref: 00ABDBC8
GetDlgItem.USER32(?,0000E801), ref: 00ABDC13
ShowWindow.USER32(00000000,00000000,?,?,?,?,00ABD099,?,?,?,?), ref: 00ABDC21
ShowWindow.USER32(00000000,00000005,?,?,?,?,00ABD099,?,?,?,?), ref: 00ABDC30

Strings

IsExterior, xrefs: 00ABDB24, 00ABDB7B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongPropShow$ItemMessageParentRemoveSend
String ID: IsExterior
API String ID: 157459838-3989742051
Opcode ID: cae42cc91a4f4a79b46ab2ac6649ed8a00c7ba2c41c822f4b922cbe5810d6e45
Instruction ID: b741b89c634efc4eb0efb642807b30bd7e748bb45f6b672b5e85a1ff488a6df1
Opcode Fuzzy Hash: cae42cc91a4f4a79b46ab2ac6649ed8a00c7ba2c41c822f4b922cbe5810d6e45
Instruction Fuzzy Hash: F651D1705047009FDB219F34D888BA77FE8FB41729F104A1DF056972A2DBB6E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABFCB0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 00ABFCEC
GetWindowLongW.USER32(?,000000EC), ref: 00ABFCFD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00ABFD0E
RemovePropW.USER32(?,IsExterior), ref: 00ABFD4A
GetParent.USER32(?), ref: 00ABFD7E
SendMessageW.USER32(00000000,00000000,?,?), ref: 00ABFD88
GetDlgItem.USER32(?,0000E801), ref: 00ABFDD3
ShowWindow.USER32(00000000,00000000,?,?,?,?,00ABE14A,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00ABFDE1
ShowWindow.USER32(00000000,00000005,?,?,?,?,00ABE14A,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00ABFDF0

Strings

IsExterior, xrefs: 00ABFCE4, 00ABFD3B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$LongPropShow$ItemMessageParentRemoveSend
String ID: IsExterior
API String ID: 157459838-3989742051
Opcode ID: d40fbae2f12b4b0a31ab579943067cc19c3fc04922b3f30299f688890bb56c2c
Instruction ID: 333d2f96b6477596efc23ff0ca77e97181832275ad31002212856e9ef4b310e4
Opcode Fuzzy Hash: d40fbae2f12b4b0a31ab579943067cc19c3fc04922b3f30299f688890bb56c2c
Instruction Fuzzy Hash: CE51D470504700DFDB319F24DC88BA77BE9FB45718F244A2DF056966A2CB72E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A730 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00A9A757
GetParent.USER32 ref: 00A9A768
GetDlgCtrlID.USER32(?), ref: 00A9A773
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00A9A77E
GetParent.USER32(?), ref: 00A9A79A
GetDlgCtrlID.USER32(?), ref: 00A9A7A6
SendMessageW.USER32(00000000,00000111,?,?), ref: 00A9A7B7

Strings

open, xrefs: 00A9A7D1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Ctrl$MessageParentSend
String ID: open
API String ID: 1194393872-2758837156
Opcode ID: db91510d8dc54c2e1bbecb0571242cd0807adb61391f2bc5b0c1a33303f54673
Instruction ID: 6421fab5055e6c8fa1aebff6c398d31bf9ddab82b876201583ec89d04fd944cb
Opcode Fuzzy Hash: db91510d8dc54c2e1bbecb0571242cd0807adb61391f2bc5b0c1a33303f54673
Instruction Fuzzy Hash: DA217D35201340ABDB005F58EC89BE97FE5EB84721F848059FD58CB292C679D805DB73

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6D40 Relevance: 16.6, APIs: 11, Instructions: 131windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00AB6D90
SendMessageW.USER32(?,00001012,00000000,?), ref: 00AB6DC8
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00AB6DE3
LoadMenuW.USER32(0000006F), ref: 00AB6E09

Part of subcall function 00AB7DA0: GetSubMenu.USER32(00000000,00000000), ref: 00AB7DCE

ModifyMenuW.USER32(?,00000000,00000400,00009C44,?), ref: 00AB6E41
ModifyMenuW.USER32(?,00009C45,00000000,00009C45,?), ref: 00AB6E59
EnableMenuItem.USER32(?,00009C44,00000001), ref: 00AB6E6F
EnableMenuItem.USER32(?,00009C44,00000000), ref: 00AB6E7D
EnableMenuItem.USER32(?,00009C45,00000001), ref: 00AB6E87
TrackPopupMenu.USER32(?,00000042,?,?,00000000,00000001,00000000), ref: 00AB6E9C
DestroyMenu.USER32(00000000), ref: 00AB6EAE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Menu$EnableItem$MessageModifySend$ClientDestroyLoadPopupScreenTrack
String ID:
API String ID: 1831142517-0
Opcode ID: ae3b9cf523f5454119cbfa6a888c6bf55aa413d5ce42c77bc4e6b9fbbec47823
Instruction ID: 33252c0553de5c98a8b0c685b7f9e63c2a5145be254a9fb5320153adc5270818
Opcode Fuzzy Hash: ae3b9cf523f5454119cbfa6a888c6bf55aa413d5ce42c77bc4e6b9fbbec47823
Instruction Fuzzy Hash: 34414B75A01208AFEB118FA4DD85FDEBBF5FF09710F104126FA05BB291DBB5A9008B65

Uniqueness

Uniqueness Score: -1.00%

Function 00A99080 Relevance: 16.6, APIs: 11, Instructions: 112windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 00A990CD
IsWindowEnabled.USER32(00000000), ref: 00A990D6
SetTextColor.GDI32(?,00000000), ref: 00A990FC
SelectObject.GDI32(?,?), ref: 00A9912B
GetWindowLongW.USER32(00000000,000000F0), ref: 00A9913F
DrawTextW.USER32(?,?,000000FF,?,00000000), ref: 00A99178
GetFocus.USER32 ref: 00A9917E
DrawFocusRect.USER32(?,?), ref: 00A99196
SetTextColor.GDI32(?,?), ref: 00A991A2
SelectObject.GDI32(?,?), ref: 00A991AE

Part of subcall function 00A991D0: GetClientRect.USER32(00000000,?), ref: 00A9927A
Part of subcall function 00A991D0: SetBkMode.GDI32(?,00000001), ref: 00A99285
Part of subcall function 00A991D0: SelectObject.GDI32(?,?), ref: 00A99297
Part of subcall function 00A991D0: DrawTextW.USER32(?,00000000,00000000,?,00000001), ref: 00A992BF
Part of subcall function 00A991D0: IsWindowEnabled.USER32(00000000), ref: 00A992C8
Part of subcall function 00A991D0: SetTextColor.GDI32(?,00000000), ref: 00A992EE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Text$ColorDrawObjectSelectWindow$EnabledFocusModeRect$ClientLong
String ID:
API String ID: 1016125553-0
Opcode ID: 0fd71dc3d659879c9e8d73e744ca62b73986bb8b5548de119dd4d60d6c85b1f4
Instruction ID: 38aaa95ebc873774558a85fb42fc24cba1c885ec5fed1f629e32f52130740ffb
Opcode Fuzzy Hash: 0fd71dc3d659879c9e8d73e744ca62b73986bb8b5548de119dd4d60d6c85b1f4
Instruction Fuzzy Hash: 99418B71600605BBDF229F58DD49BABBBF5FB08310F20862DF956926A0CB71F940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC6E40 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 313COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(001F0003,00000000,?,C956CA52,00000000,00000000,00000000,?,C956CA52), ref: 00AC6F84
GetLastError.KERNEL32(?,C956CA52), ref: 00AC6FA5
SetEvent.KERNEL32(00000000), ref: 00AC70F2
CloseHandle.KERNEL32(00000000), ref: 00AC70D0

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Strings

SignalServer , xrefs: 00AC6EBC
Unable to open event , xrefs: 00AC6FF7
started, xrefs: 00AC6EF0
Server is ready, xrefs: 00AC7145
LastError: , xrefs: 00AC702B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Event$CloseErrorHandleHeapLastOpenProcess
String ID: LastError: $ started$Server is ready$SignalServer $Unable to open event
API String ID: 3790043926-187756022
Opcode ID: ec3d2c4e9729969bd1915a6b4bd0864a4cd99f7bfb97f1a659294a7841b1979b
Instruction ID: 5591ad0123b130b6a3c0453d62b1850bf67fe7bcbec08e0d33b205ddaf07ee02
Opcode Fuzzy Hash: ec3d2c4e9729969bd1915a6b4bd0864a4cd99f7bfb97f1a659294a7841b1979b
Instruction Fuzzy Hash: 0CB1CF316016069BDB04EFB8CD55FAEB7B4EF45314F19829CE415AB2A2DB309D04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAB90 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 208registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B46108,C956CA52,75C04920,?), ref: 00ABAC03
GetClassInfoExW.USER32(00000000,?,?), ref: 00ABAC3A
GetClassInfoExW.USER32(?,00000030), ref: 00ABAC51
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABAC67
LoadCursorW.USER32(00A80000,?), ref: 00ABACC0
GetClassInfoExW.USER32(00A80000,00AB51AF,?), ref: 00ABAD1C
RegisterClassExW.USER32(?), ref: 00ABAD33
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABADEC

Strings

ATL:%p, xrefs: 00ABACE0

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Class$CriticalInfoSection$Leave$CursorEnterLoadRegister
String ID: ATL:%p
API String ID: 269841140-4171052921
Opcode ID: e60925767843385ea82c7a57b1426f59c72bbd500092352c9b4e1492d8b600a0
Instruction ID: 18c567219c5226ee614a2ba326c71a7d9896bccc11a8e096b154f7abbac1812f
Opcode Fuzzy Hash: e60925767843385ea82c7a57b1426f59c72bbd500092352c9b4e1492d8b600a0
Instruction Fuzzy Hash: 1381C035900745DFDB21CF68C9407AABBF4FF69310F10861DE895A7A52EB30BA84CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F8D0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,?,?,00A8EB7B,?), ref: 00A9F8E4
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A9F91C
GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 00A9F92E
GetProcAddress.KERNEL32(IsWow64Process), ref: 00A9F940
GetCurrentProcess.KERNEL32(00000000,?,?,00A8EB7B), ref: 00A9F955

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A9F91E
Wow64DisableWow64FsRedirection, xrefs: 00A9F916
IsWow64Process, xrefs: 00A9F930
kernel32.dll, xrefs: 00A9F8DF

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressProc$CurrentLibraryLoadProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 137661620-2588563345
Opcode ID: 8c75d5c2f5bdda0e36141fd54241b0109b7714e9f1524c4201831d6846ee9e1b
Instruction ID: f46e631c63b821453df1c99bdabdfbd1cf211972f62ecd47dde34813274d84a4
Opcode Fuzzy Hash: 8c75d5c2f5bdda0e36141fd54241b0109b7714e9f1524c4201831d6846ee9e1b
Instruction Fuzzy Hash: 5B01F279E02320AFCF249BB4AD0875B7FE4BB8A750F0440A9E809E3360CF709910DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00AE83F0 Relevance: 15.2, APIs: 10, Instructions: 198COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00AE8494

Part of subcall function 00AE88C0: GetDlgItem.USER32(?,00000001), ref: 00AE88FE
Part of subcall function 00AE88C0: SetWindowTextW.USER32(00000000,?), ref: 00AE891E
Part of subcall function 00AE88C0: GetDlgItem.USER32(?,00000002), ref: 00AE894C
Part of subcall function 00AE88C0: SetWindowTextW.USER32(00000000,?), ref: 00AE896C
Part of subcall function 00AE88C0: LoadLibraryW.KERNEL32(UxTheme.dll), ref: 00AE89A9
Part of subcall function 00AE88C0: SetWindowTextW.USER32(00000000,?), ref: 00AE8ABC

GetDlgItem.USER32(?,0000E801), ref: 00AE86A3
ShowWindow.USER32(00000000,00000000), ref: 00AE86B4

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$ItemText$DialogLibraryLoadShow
String ID:
API String ID: 655108055-0
Opcode ID: 8bbe9e5992bcb6c842ade34c1d615b98f1e529aba8048dd983e54f40260b5df7
Instruction ID: 967979a6f3b461bee66f33c00a0c91a590585b5cd98b4f78aa0ca3d3b20a2b73
Opcode Fuzzy Hash: 8bbe9e5992bcb6c842ade34c1d615b98f1e529aba8048dd983e54f40260b5df7
Instruction Fuzzy Hash: F9917DB0900699DBDF20CF65CC4879ABBB4FB04305F204599E509A7281EF79AEC5CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00AB73F0 Relevance: 15.1, APIs: 10, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00AB7461
SendMessageW.USER32(?,0000104B,00000000,00000000), ref: 00AB74B7
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00AB74D3
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB7517
GetParent.USER32(?), ref: 00AB7580
GetParent.USER32(?), ref: 00AB7590
GetParent.USER32(00000000), ref: 00AB7593
GetParent.USER32(00000000), ref: 00AB7596
ShowWindow.USER32(00000000,00000002,?,?,C000008C,00000001), ref: 00AB75A3
ShowWindow.USER32(00000000,00000001,?,?,C000008C,00000001), ref: 00AB75A8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageParentSend$ShowWindow
String ID:
API String ID: 3076789325-0
Opcode ID: e7c66a8afbbbece43960432b3af2ce0d1e42e134c9fda53b2ee344c5eba32555
Instruction ID: 6befef5eaba231b2cf140dd885bea0f4776782cd1802a58b525d23e964068519
Opcode Fuzzy Hash: e7c66a8afbbbece43960432b3af2ce0d1e42e134c9fda53b2ee344c5eba32555
Instruction Fuzzy Hash: D7410231204701ABE7309B25CD85BABB7E9FFC9304F004A2DF58996292DBB1E8408B55

Uniqueness

Uniqueness Score: -1.00%

Function 00AFADD6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AFADEA

Part of subcall function 00AFB0C1: HeapFree.KERNEL32(00000000,00000000,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?), ref: 00AFB0D7
Part of subcall function 00AFB0C1: GetLastError.KERNEL32(?,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?,?), ref: 00AFB0E9

_free.LIBCMT ref: 00AFADF6
_free.LIBCMT ref: 00AFAE01
_free.LIBCMT ref: 00AFAE0C
_free.LIBCMT ref: 00AFAE17
_free.LIBCMT ref: 00AFAE22
_free.LIBCMT ref: 00AFAE2D
_free.LIBCMT ref: 00AFAE38
_free.LIBCMT ref: 00AFAE43
_free.LIBCMT ref: 00AFAE51

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 575a34c68f1c1be745140a8923f62dc407f3db4bd0efa2ba6aa39f717fcf80b9
Instruction ID: cb4c5f15e64e12b5187e207a2de8d7c74f4ae1c65734a1eeb437e67cabb46c0a
Opcode Fuzzy Hash: 575a34c68f1c1be745140a8923f62dc407f3db4bd0efa2ba6aa39f717fcf80b9
Instruction Fuzzy Hash: 901177B651010CAFCB01EF94CA42DEA3FB5EF04350B5144A5BA584F122DB32DA909B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C840 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 430libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A85DC0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A85E24
Part of subcall function 00A85DC0: _wcschr.LIBVCRUNTIME ref: 00A85E69
Part of subcall function 00A85DC0: GetLastError.KERNEL32 ref: 00A85EC0

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00A9CB5F
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 00A9CBD2
GetLastError.KERNEL32 ref: 00A9CBF0
FreeLibrary.KERNEL32(?), ref: 00A9CCCA

Strings

GetPackagePath, xrefs: 00A9CB59, 00A9CBCC
neutral, xrefs: 00A9C968
x86, xrefs: 00A9C919
x64, xrefs: 00A9C94C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressErrorLastProc$DirectoryFreeLibrarySystem_wcschr
String ID: GetPackagePath$neutral$x64$x86
API String ID: 1853563071-1738950451
Opcode ID: 09d1acb4d7b26ef63a49ca0776fcd3ab83055acaace3931dc1dbd37940e9b91f
Instruction ID: 334dd591b2544d4bd45ec397b26d292125f6aed70e44bda7da96b229331391e2
Opcode Fuzzy Hash: 09d1acb4d7b26ef63a49ca0776fcd3ab83055acaace3931dc1dbd37940e9b91f
Instruction Fuzzy Hash: 17023874A016099FDF14DFA8C985AADBBF1FF49324F148169E815AB3A1DB31AD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AB0590 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 384fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00AB0095,C956CA52,00AB0095,?,?), ref: 00AB06DF
GetLastError.KERNEL32( LastError: ,0000000C,Failed to delete file: ,00000017,?,?), ref: 00AB0788
RemoveDirectoryW.KERNEL32(00000000,C956CA52,00AB0095,?,?), ref: 00AB0897

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

GetLastError.KERNEL32( LastError: ,0000000C,Failed to delete folder: ,?,?), ref: 00AB093A

Part of subcall function 00A886A0: RaiseException.KERNEL32(?,?,00000000,00000000,00AECAAE,C000008C,00000001,?,00AECADF,00000000,?,?,00A87027,00000000,C956CA52,00B45FF4), ref: 00A886AC

Strings

Failed to delete file: , xrefs: 00AB073A
Failed to delete folder: , xrefs: 00AB08F0
DoErase started., xrefs: 00AB0604
LastError: , xrefs: 00AB077B, 00AB092D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalCurrentErrorLastProcessSection$DeleteDirectoryEnterExceptionFileHeapInitializeRaiseRemoveThread
String ID: LastError: $DoErase started.$Failed to delete file: $Failed to delete folder:
API String ID: 3787932129-2252587364
Opcode ID: 78198e6d3e3ea3e2ddf00789626d608b46323fe34ffd6ed6dca86ba91fe9e673
Instruction ID: d94b1f156729fc89a2b3335e16eed6a889c766a73b204d4d00621e4d68aaef4d
Opcode Fuzzy Hash: 78198e6d3e3ea3e2ddf00789626d608b46323fe34ffd6ed6dca86ba91fe9e673
Instruction Fuzzy Hash: 8ED190306006099FDB14EFA8C955FAFB7B9BF45714F1486ACE4169B2A3EB30E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ACDDB0 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 270processCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

_wcsrchr.LIBVCRUNTIME ref: 00ACDE15
CreateProcessW.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,00000010,00000044,?), ref: 00ACE040
GetLastError.KERNEL32(?,00000000,?,00B285E8,00000000), ref: 00ACE04A
ShellExecuteExW.SHELL32(?), ref: 00ACE0A1

Strings

open, xrefs: 00ACE09A
<, xrefs: 00ACE085
D, xrefs: 00ACDF02
Running temp updater from path: , xrefs: 00ACDF5F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Process$CreateErrorExecuteHeapLastShell_wcsrchr
String ID: <$D$Running temp updater from path: $open
API String ID: 1219615081-4224873415
Opcode ID: a72ac8a31b504c447e1ffcb4fcca06ce34053f9daa64a82dafe882505c73bd85
Instruction ID: dba37d7f0a6b8b705ba4ca75e56115e097fedb8f2b7dd271d638f23224cb5840
Opcode Fuzzy Hash: a72ac8a31b504c447e1ffcb4fcca06ce34053f9daa64a82dafe882505c73bd85
Instruction Fuzzy Hash: E5B1CE71A00649DFDB00DFA8C944BAEBBF4FF49314F1582ADE409AB291DB71A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B1C7 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 194networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 00A9B3CE

Strings

<, xrefs: 00A9B3A1
d, xrefs: 00A9B39A
d, xrefs: 00A9B385
d, xrefs: 00A9B38C
d, xrefs: 00A9B393
d, xrefs: 00A9B37E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CrackHeapInternetProcess
String ID: <$d$d$d$d$d
API String ID: 3103537952-658347696
Opcode ID: 9b8ca0767974a664501f9910ae8448e342347aea25bbde849edd46957152da9d
Instruction ID: b96f5b4fc47d71f5e3ef31395edde33a91d72677ea785eacf524337d8fb741d5
Opcode Fuzzy Hash: 9b8ca0767974a664501f9910ae8448e342347aea25bbde849edd46957152da9d
Instruction Fuzzy Hash: D1619B71A01749DFDB00DFA8C944BAEBBF0FF45314F20825DE519AB291DB71A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F9C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,ps1,ps1), ref: 00A9FAC5
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000), ref: 00A9FB09
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00A9FB26
CloseHandle.KERNEL32(00000000), ref: 00A9FB40
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00A9FB7C

Strings

Unable to get temp file , xrefs: 00A9FA8C
ps1, xrefs: 00A9FA2C, 00A9FA3C, 00A9FA50
Unable to save script file , xrefs: 00A9FB4F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 3201387394-4253966538
Opcode ID: b2d5ed1bc96f22730a1c27710f82450decd09a6e5593f333c2a709a4113dbc0c
Instruction ID: 35687ac55e89fae4f12fe262c16b735dc9f726aa842b7b3b0847cd8624b6a709
Opcode Fuzzy Hash: b2d5ed1bc96f22730a1c27710f82450decd09a6e5593f333c2a709a4113dbc0c
Instruction Fuzzy Hash: F261B231A01205EFDF00DF68C955BAEBBF4AF05714F148168E919EB2D1DB759A04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6EE0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 146windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000435,00000000,?), ref: 00AB6F72
SendMessageW.USER32(?,00000449,00000002,?), ref: 00AB6F9E
SendMessageW.USER32(?,00000437,00000000,?), ref: 00AB6FDE
SendMessageW.USER32(?,0000043A,00000001,00000074), ref: 00AB7009
SendMessageW.USER32(?,00000444,00000001,00000074), ref: 00AB70B4

Strings

t, xrefs: 00AB6FF1
, xrefs: 00AB7023
, xrefs: 00AB701E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend
String ID: $ $t
API String ID: 3850602802-3061772819
Opcode ID: 7730e6c8c27a9b89f17324642de44476c8b3d1770ecfd22fc07d0cf2490087a9
Instruction ID: d19889e467d9dafac6657791cd91a98fa88edcb2b0ff853b2c6d2bd1b7740507
Opcode Fuzzy Hash: 7730e6c8c27a9b89f17324642de44476c8b3d1770ecfd22fc07d0cf2490087a9
Instruction Fuzzy Hash: 27517A71509300AFD760DF64C985BAFBBE8EF88704F50581EF686D6192D7B0E948CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D0E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,C956CA52), ref: 00A8D11E
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00A8D141
GetSystemMetrics.USER32(0000000C), ref: 00A8D17C
GetSystemMetrics.USER32(0000000B), ref: 00A8D192
LoadImageW.USER32(?,?,00000001,00000000,00000000,?), ref: 00A8D1A1
FreeLibrary.KERNEL32(00000000), ref: 00A8D1BF

Strings

ComCtl32.dll, xrefs: 00A8D112
LoadIconMetric, xrefs: 00A8D13B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: LibraryLoadMetricsSystem$AddressFreeImageProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 1983857168-764666640
Opcode ID: 9ef88cc083fa2018dd0eb209f64265ae19113560497d7bd352223e70beca4724
Instruction ID: de280422af72b0ad0eb848ae9a3e1a6846a8efba201caad4ecf18ac58bb3f4bd
Opcode Fuzzy Hash: 9ef88cc083fa2018dd0eb209f64265ae19113560497d7bd352223e70beca4724
Instruction Fuzzy Hash: 4A319171A00219ABDB109F95DC48BAFBFF8EF49760F00426AF915A7280DBB49D008B90

Uniqueness

Uniqueness Score: -1.00%

Function 00AECB11 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00A98FD4,?,?,00AECE56,00B450CC,?,?,?,00A98FD4,?), ref: 00AECB23
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00A98FD4,?,?,00AECE56,00B450CC,?,?,?,00A98FD4,?), ref: 00AECB38
DecodePointer.KERNEL32(00A98FD4,?,?,?,?,?,?,?,?,?,?,00A98FD4,?), ref: 00AECBB4

Strings

AtlThunk_DataToCode, xrefs: 00AECB77
atlthunk.dll, xrefs: 00AECB33
AtlThunk_FreeData, xrefs: 00AECB8E
AtlThunk_InitData, xrefs: 00AECB60
AtlThunk_AllocateData, xrefs: 00AECB49

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: a896afda572147c804d0bdd271c534e78dbf0051a1d520d662af93eba2920b60
Instruction ID: c09e48b3672af6a3987aa043513cef5a4c49ca6d2d18fa2eba65619b04b670f5
Opcode Fuzzy Hash: a896afda572147c804d0bdd271c534e78dbf0051a1d520d662af93eba2920b60
Instruction Fuzzy Hash: 1901C471641B40A7CA26A7119D07FDA3B946F02715F4400D5FC05772E3FBA59F0A81D2

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1300 Relevance: 13.8, APIs: 9, Instructions: 322windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00AC133E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AC13A1
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AC13FB

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

SendMessageW.USER32(?,0000104C,00000000,?), ref: 00AC15AC

Part of subcall function 00A88E90: GetUserDefaultUILanguage.KERNEL32 ref: 00A88EFB

ShowWindow.USER32(?,00000001), ref: 00AC160C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AC1636
SetWindowTextW.USER32(?,?), ref: 00AC1644
GetParent.USER32(?), ref: 00AC1664
IsWindowVisible.USER32(00000000), ref: 00AC166B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$Window$DefaultHeapLanguageParentProcessShowTextUserVisible
String ID:
API String ID: 3298974852-0
Opcode ID: 813b0839ff9312fd8f4a55f28108349f2f47dc8497e734b19d4987a95f35651e
Instruction ID: 3359aa42628b3afa41fee511aedcfb86fe30db339d165b37ec46fb6d61461b98
Opcode Fuzzy Hash: 813b0839ff9312fd8f4a55f28108349f2f47dc8497e734b19d4987a95f35651e
Instruction Fuzzy Hash: 44D18D31600209DFEB15DF68C984F997BB2FF86314F198269F9199B292DB75E840CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE72E0 Relevance: 13.7, APIs: 9, Instructions: 223windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000E801), ref: 00AE736A
ShowWindow.USER32(00000000,00000005,?,?,?), ref: 00AE7373
SendMessageW.USER32(00000001,00000476,00000000,00000000), ref: 00AE73A0
GetWindowLongW.USER32(00000001,000000EC), ref: 00AE741F
SetWindowLongW.USER32(00000001,000000EC,00000000), ref: 00AE7430
CallWindowProcW.USER32(?,00000001,?,?,?), ref: 00AE74A1
SendMessageW.USER32(00000001,00000476,00000000,00000000), ref: 00AE74D4
DestroyWindow.USER32(00000001,?,?,?), ref: 00AE74E1
SendMessageW.USER32(00000001,00000010,00000000,00000000), ref: 00AE7522

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$MessageSend$Long$CallDestroyItemProcShow
String ID:
API String ID: 3082038109-0
Opcode ID: e0b93667d3436adbdf1b8f6d9b46ca67b428522347ea9c0f00e4f46cdabcf147
Instruction ID: de4b4af1b478de8eafc7ca9c1021bc1adb2e47e4e561957438be84b69709680d
Opcode Fuzzy Hash: e0b93667d3436adbdf1b8f6d9b46ca67b428522347ea9c0f00e4f46cdabcf147
Instruction Fuzzy Hash: 468116716047448BEB31CF29DC85BABB7E5FB44320F10452DF99A872D0CB71A855DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF530 Relevance: 13.6, APIs: 9, Instructions: 139windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE29D0: SendMessageW.USER32(?,00000406,00000000,?), ref: 00AE2A26
Part of subcall function 00AE29D0: SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AE2A34
Part of subcall function 00AE29D0: SetWindowTextW.USER32(?,00000000), ref: 00AE2A9B

GetParent.USER32(?), ref: 00ABF5CB
GetParent.USER32(00000000), ref: 00ABF5CE
GetParent.USER32(?), ref: 00ABF5D1
GetSystemMenu.USER32(00000000,00000001), ref: 00ABF5D6
GetParent.USER32(?), ref: 00ABF5EC
GetParent.USER32(00000000), ref: 00ABF5EF
GetParent.USER32(?), ref: 00ABF5F2
DrawMenuBar.USER32(00000000), ref: 00ABF5F5

Part of subcall function 00AC0390: GetWindowLongW.USER32(?,000000F0), ref: 00AC03C5
Part of subcall function 00AC0390: GetParent.USER32(?), ref: 00AC03CF

ShowWindow.USER32(?,?,?,?,?), ref: 00ABF674

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Parent$Window$MenuMessageSend$DrawLongShowSystemText
String ID:
API String ID: 3072083481-0
Opcode ID: 58d943e178d21725ac54ad805604060e471c6785131a811b6e8ba0de137758af
Instruction ID: 42dbd7c0a59500df12c8084bf24c0f30851f60c0fd98aa1e50d60e016b259924
Opcode Fuzzy Hash: 58d943e178d21725ac54ad805604060e471c6785131a811b6e8ba0de137758af
Instruction Fuzzy Hash: 3B417E72700216AFDB10DF55DC85F9AF768FF58320F04466AEA099B252DB71AC50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7810 Relevance: 13.6, APIs: 9, Instructions: 136fileCOMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(00000004,00000000,00B2B208,00B2B208,C956CA52,?,?,?,00B2B208), ref: 00AC7853
GetLastError.KERNEL32(?,?,?,00B2B208), ref: 00AC7860
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,00B2B208), ref: 00AC7874
GetLastError.KERNEL32(?,?,?,00B2B208), ref: 00AC7881
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B2B208), ref: 00AC78F3
UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00B2B208), ref: 00AC7908
OpenEventW.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,?,00B2B208), ref: 00AC7930
SetEvent.KERNEL32(00000000), ref: 00AC794B
CloseHandle.KERNEL32(00000000), ref: 00AC7961

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$CloseErrorEventHandleLastOpenView$MappingUnmap
String ID:
API String ID: 228536551-0
Opcode ID: 78193c3eb2b579c98f25d6917f5fc5130b1f197f4876ac93454e0af9bac5448b
Instruction ID: 7df6064920989fb764894fd3d211a676cc1b6528c538313e3ceaec0a92a23125
Opcode Fuzzy Hash: 78193c3eb2b579c98f25d6917f5fc5130b1f197f4876ac93454e0af9bac5448b
Instruction Fuzzy Hash: 99517C71A016069BDB21CF68CC08B9EBBB8FF05324F258359E925E72D0DB34A904CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9290 Relevance: 13.6, APIs: 9, Instructions: 123windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AB92FD
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00AB930D
OffsetRect.USER32(?,?,?), ref: 00AB9323
GetWindowDC.USER32(00000000), ref: 00AB9340

Part of subcall function 00AB9EF0: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00AB9F54
Part of subcall function 00AB9EF0: CreatePatternBrush.GDI32(00000000), ref: 00AB9F61
Part of subcall function 00AB9EF0: DeleteObject.GDI32(00000000), ref: 00AB9F6A

SelectObject.GDI32(00000000,?), ref: 00AB9370
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00AB9398
SelectObject.GDI32(?,00000000), ref: 00AB93A3
DeleteObject.GDI32(?), ref: 00AB93B6
ReleaseDC.USER32(?,00000000), ref: 00AB93D8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Object$Window$CreateDeleteRectSelect$BitmapBrushOffsetPatternPointsRelease
String ID:
API String ID: 4269786674-0
Opcode ID: 8f5266f6c18db4b21947885153095eb6cf84cb7b3fd7a99f3c59e00eaea12693
Instruction ID: fe1b0e5e7220b50d705462467bf66fc06262ead0ad84f1e0cb9c8c937a286ee5
Opcode Fuzzy Hash: 8f5266f6c18db4b21947885153095eb6cf84cb7b3fd7a99f3c59e00eaea12693
Instruction Fuzzy Hash: DA4149B5D01248EFDB11DFA8D949BEEBBF8EF09310F204259E911A3291DB756A048B61

Uniqueness

Uniqueness Score: -1.00%

Function 00AAFCC0 Relevance: 13.6, APIs: 9, Instructions: 119windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9D2D0: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00A9D314
Part of subcall function 00A9D2D0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A9D31F

GetDlgItem.USER32(?,00000002), ref: 00AAFCFF

Part of subcall function 00A88E90: GetUserDefaultUILanguage.KERNEL32 ref: 00A88EFB

SetWindowTextW.USER32(00000000,?), ref: 00AAFD28
SetWindowTextW.USER32(FFFFFFFF,?), ref: 00AAFD5B
GetDlgItem.USER32(FFFFFFFF,00000415), ref: 00AAFD6B
SetWindowTextW.USER32(?,00000000), ref: 00AAFD89
GetDlgItem.USER32(FFFFFFFF,000003EB), ref: 00AAFDB9
GetWindowLongW.USER32(00000000,000000F0), ref: 00AAFDC1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AAFDD6
SendMessageW.USER32(?,0000040A,00000001,0000001E), ref: 00AAFDE8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$ItemMessageSendText$Long$DefaultLanguageUser
String ID:
API String ID: 1321448501-0
Opcode ID: 4dea7820ec6973b595456640109c4d1f599d4c63f534d1eb47b6ffb2a7ae902c
Instruction ID: ae588b6b20dd67bbbccf99b9f9b74e153f6a02870e5b56ebe9ddae51eb1dc65e
Opcode Fuzzy Hash: 4dea7820ec6973b595456640109c4d1f599d4c63f534d1eb47b6ffb2a7ae902c
Instruction Fuzzy Hash: 49415971601A06AFDB159F68CD45A9ABBB5FF49320F108329F12597AE0DB71B820CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00ABBC80 Relevance: 13.6, APIs: 9, Instructions: 118threadwindowCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,C956CA52,?,75C05540), ref: 00ABBCBE
GetCurrentThreadId.KERNEL32 ref: 00ABBCED
EnterCriticalSection.KERNEL32(00B46108), ref: 00ABBD0D
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABBD31
DialogBoxParamW.USER32(00000069,?,Function_0003A4E0,00000000), ref: 00ABBD4D

Part of subcall function 00AECD7E: GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
Part of subcall function 00AECD7E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A

GetParent.USER32(00000000), ref: 00ABBD95
SendMessageW.USER32(00000000,0000048C,?,?), ref: 00ABBDA9

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalHeapSection$AllocCurrentDialogEnterErrorLastLeaveMessageParamParentProcessSendThread
String ID:
API String ID: 4075722872-0
Opcode ID: 99005ee5eb773e1cdb6e8c98c7f94b3fff058feae8de3323ec556034ed28f5fc
Instruction ID: c0b320a2e2c8c02edb2fad71a52ba3df2fcb2eff4d8997c36ea89ac9c870d8e7
Opcode Fuzzy Hash: 99005ee5eb773e1cdb6e8c98c7f94b3fff058feae8de3323ec556034ed28f5fc
Instruction Fuzzy Hash: 8841F531504740EFEB219F64DD09BCABBF8FF46710F00861AF954A36A1CBB5A510CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AD8A10 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 396threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00ABE160: CoCreateInstance.OLE32(00B1A630,00000000,00000001,00B1A620,?), ref: 00ABE293

Part of subcall function 00AC04B0: CoCreateInstance.OLE32(00B1A630,00000000,00000001,00B1A620,?), ref: 00AC05E2

GetActiveWindow.USER32 ref: 00AD8CAD
SetLastError.KERNEL32(0000000E,?,?), ref: 00AD8CE6
GetCurrentThreadId.KERNEL32 ref: 00AD8D08
EnterCriticalSection.KERNEL32(00B46108,?,?), ref: 00AD8D25
LeaveCriticalSection.KERNEL32(00B46108,?,?), ref: 00AD8D48
PropertySheetW.COMCTL32(?,?,?), ref: 00AD8D56

Strings

Updater wizard ended. Return code: , xrefs: 00AD8DED

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateCriticalInstanceSection$ActiveCurrentEnterErrorLastLeavePropertySheetThreadWindow
String ID: Updater wizard ended. Return code:
API String ID: 642537505-3061603331
Opcode ID: d7bd2fb796d99473a41f4894fe72a0d0ad8381c5d54661ffcadaedb42fe6afcd
Instruction ID: 799abdb14ca5f6cb17cf82fd08f04ac334ceb976fae32fd61fed58c1ba770fb3
Opcode Fuzzy Hash: d7bd2fb796d99473a41f4894fe72a0d0ad8381c5d54661ffcadaedb42fe6afcd
Instruction Fuzzy Hash: EC0259B0D01249DFEF14DFA8C945BEEBBF1AF08304F144169E51AAB381DB789A04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA617 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AFAECA: GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
Part of subcall function 00AFAECA: _free.LIBCMT ref: 00AFAF01
Part of subcall function 00AFAECA: SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
Part of subcall function 00AFAECA: _abort.LIBCMT ref: 00AFAF48

_memcmp.LIBVCRUNTIME ref: 00AFA8C1
_free.LIBCMT ref: 00AFA932
_free.LIBCMT ref: 00AFA94B
_free.LIBCMT ref: 00AFA97D
_free.LIBCMT ref: 00AFA986
_free.LIBCMT ref: 00AFA992

Strings

C, xrefs: 00AFA77F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 2f53b1eff6f966a8410cb22054ec32e1124b45ebfb7d8738075e519c4faa5421
Instruction ID: dfc5d2873f36a668af5d20328016a433c6a145d97e14939df7aae2fc1db761af
Opcode Fuzzy Hash: 2f53b1eff6f966a8410cb22054ec32e1124b45ebfb7d8738075e519c4faa5421
Instruction Fuzzy Hash: 0EB13AB5A012199FDB24DF58C884BADB7B4FF18304F1445AAEA4DA7350E771AE90CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00AE50A0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 250encryptionCOMMON

Download Yara Rule

APIs

#224.MSI(00000000,00000001,00000000,00000000,00000000,C956CA52,?,-00000010,00000000), ref: 00AE50E3
#224.MSI(?,00000001,?,00000000,00000000,?,-00000010,00000000), ref: 00AE5118
CertFreeCertificateContext.CRYPT32(00000000,?,-00000010,00000000), ref: 00AE5123

Strings

%ld, xrefs: 00AE51F4
VerifySignatureTrust returnned: , xrefs: 00AE51C8

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: #224$CertCertificateContextFree
String ID: %ld$VerifySignatureTrust returnned:
API String ID: 3969086042-4195536293
Opcode ID: e2321ebb1e1b8ed9a340f08c96fffa0281b7f7ee32eb9a618d310f18ee8a85ca
Instruction ID: 45ea6b0f6bf03e3204a89ff74d9c77a19594f87c62c56cb08caaec5f9e6dd42d
Opcode Fuzzy Hash: e2321ebb1e1b8ed9a340f08c96fffa0281b7f7ee32eb9a618d310f18ee8a85ca
Instruction Fuzzy Hash: 8681E231E006499FDB00DBB9DD05BAEBBF4EF44324F148269E915EB2A1DB349D00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD90E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC91E0: CoCreateInstance.OLE32(00B1A630,00000000,00000001,00B1A620,?), ref: 00AC9274

GetActiveWindow.USER32 ref: 00AD9127
SetLastError.KERNEL32(0000000E), ref: 00AD914A

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

GetCurrentThreadId.KERNEL32 ref: 00AD916E
EnterCriticalSection.KERNEL32(00B46108), ref: 00AD918E
LeaveCriticalSection.KERNEL32(00B46108), ref: 00AD91B7
DialogBoxParamW.USER32(0000006E,00000000,Function_0003A4E0,00000000), ref: 00AD91D1

Part of subcall function 00AECD7E: GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
Part of subcall function 00AECD7E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A

Strings

Updater wizard ended. Return code: , xrefs: 00AD922D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalHeapSection$ActiveAllocCreateCurrentDialogEnterErrorException@8InstanceLastLeaveParamProcessThreadThrowWindow
String ID: Updater wizard ended. Return code:
API String ID: 617823270-3061603331
Opcode ID: ecea0e803fdd4ab31668a19161c8b5ec4c00730663cb631846efbf02e7e12973
Instruction ID: 8ee883d7faf59b1c51e1341d06f2738084fe082cebbb52359009a564259c7e03
Opcode Fuzzy Hash: ecea0e803fdd4ab31668a19161c8b5ec4c00730663cb631846efbf02e7e12973
Instruction Fuzzy Hash: 0F518131901255EFEB10DF68CD09B9EBBE4AF06714F148299F819A72D1DB709A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D590 Relevance: 12.4, APIs: 3, Strings: 5, Instructions: 392COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00A9D5E5

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

GetLastError.KERNEL32 ref: 00A9D70C
GetLastError.KERNEL32(Unable to set service description error code: ,0000002E), ref: 00A9D93F

Strings

!, xrefs: 00A9D98E
Create Service failed error code: , xrefs: 00A9D75D
Unable to set service description error code: , xrefs: 00A9D935
CreateService SUCCESS, xrefs: 00A9D83F
Unable to open SCM error code, xrefs: 00A9D636

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$CriticalCurrentProcessSection$EnterHeapInitializeThread
String ID: !$Create Service failed error code: $CreateService SUCCESS$Unable to open SCM error code$Unable to set service description error code:
API String ID: 2386437487-866946418
Opcode ID: 66b12104b2f08d668bce9c5a3ce8635f083b8515ad111703706e524e1addb9cb
Instruction ID: c1879c56989a1a13f2d18fe007433ed18ba8185cc3a0bd6db1a6123466c6bbff
Opcode Fuzzy Hash: 66b12104b2f08d668bce9c5a3ce8635f083b8515ad111703706e524e1addb9cb
Instruction Fuzzy Hash: 1CE1A0716012059FDB00EFB8C959BAEBBF4EF45324F14829CE515EB2A2DB709D44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADFCD0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,C956CA52,?,00000000,?,00B080E0,000000FF,?,00AE06AE,?), ref: 00ADFD09
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00ADFD19
GetModuleHandleW.KERNEL32(Advapi32.dll,C956CA52,?,00000000,?,00B080E0,000000FF,?,00AE06AE,?), ref: 00ADFD79
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00ADFD89

Strings

RegDeleteKeyTransactedW, xrefs: 00ADFD13
Advapi32.dll, xrefs: 00ADFD04, 00ADFD74
RegDeleteKeyExW, xrefs: 00ADFD83

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: c6d0831fd724d0c2daf502713427854814c552f117a98ce183fc0db30e4070b2
Instruction ID: d4274d2a8740f2b7cf854e0c1b62c077b18160223b257393bb76a78215a1bc8b
Opcode Fuzzy Hash: c6d0831fd724d0c2daf502713427854814c552f117a98ce183fc0db30e4070b2
Instruction Fuzzy Hash: 5D310636604304AFDB218F54EC05B96BBB6FB46B24F10813BE94A93390DB76A550DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9480 Relevance: 12.2, APIs: 8, Instructions: 193COMMON

Download Yara Rule

APIs

FillRect.USER32(00000000,?,00000010), ref: 00AB951F
FillRect.USER32(00000000,?,00000006), ref: 00AB9554
FillRect.USER32(00000000,?,00000011), ref: 00AB9578
FillRect.USER32(00000000,?,00000011), ref: 00AB958E

Part of subcall function 00AB9B80: GetWindowLongW.USER32(00000002,000000EC), ref: 00AB9BEE
Part of subcall function 00AB9B80: DrawEdge.USER32(00000024,?,0000000A,0000200F), ref: 00AB9C09
Part of subcall function 00AB9B80: FillRect.USER32(00000024,?,0000000D), ref: 00AB9C18

GetWindowLongW.USER32(?,000000EC), ref: 00AB9602
DrawEdge.USER32(00000000,?,00000005,0000000A), ref: 00AB9629

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: FillRect$DrawEdgeLongWindow
String ID:
API String ID: 954985401-0
Opcode ID: 7c86867f238d0175df92e11bc36f601d9e5c2bf8e9868254aeca3925968213ae
Instruction ID: 06a448e8406dff7c4fe77e1abf893e53bf3b774cc14fdb57f38dc9bff88904db
Opcode Fuzzy Hash: 7c86867f238d0175df92e11bc36f601d9e5c2bf8e9868254aeca3925968213ae
Instruction Fuzzy Hash: 17719071D01208AFDF11CFA8D981BEEBBB9FF49310F244255E915A7292DB30AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AB6160 Relevance: 12.2, APIs: 8, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000407), ref: 00AB6189
GetWindowRect.USER32(00000000,?), ref: 00AB6195
ScreenToClient.USER32(?,?), ref: 00AB61A9
ScreenToClient.USER32(?,?), ref: 00AB61B7

Part of subcall function 00ABAB90: EnterCriticalSection.KERNEL32(00B46108,C956CA52,75C04920,?), ref: 00ABAC03
Part of subcall function 00ABAB90: GetClassInfoExW.USER32(00000000,?,?), ref: 00ABAC3A
Part of subcall function 00ABAB90: GetClassInfoExW.USER32(?,00000030), ref: 00ABAC51
Part of subcall function 00ABAB90: LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABAC67

Part of subcall function 00ABAA00: SetLastError.KERNEL32(0000000E,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00ABAA3E

GetSystemMetrics.USER32(00000000), ref: 00AB61E1
GetSystemMetrics.USER32(00000001), ref: 00AB61E9
GetSystemMetrics.USER32(00000000), ref: 00AB6216
GetSystemMetrics.USER32(00000001), ref: 00AB621E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MetricsSystem$ClassClientCriticalInfoScreenSection$EnterErrorItemLastLeaveRectWindow
String ID:
API String ID: 4272293037-0
Opcode ID: 4bac4cb6107322df0cc1c04d2c637c1b71925f7e927030c80ac20c96e2ffc0a8
Instruction ID: 4dac81cb809b071e861965c0b0559c01efc262ec19487d493cc6c091eb986e52
Opcode Fuzzy Hash: 4bac4cb6107322df0cc1c04d2c637c1b71925f7e927030c80ac20c96e2ffc0a8
Instruction Fuzzy Hash: B051C5316042059BDB08DF68CD46BEAB7E9EF84304F084579FD899F296DB74E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC9500 Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00A9D2D0: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00A9D314
Part of subcall function 00A9D2D0: SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A9D31F

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

SetWindowTextW.USER32(00000000,?), ref: 00AC9593

Part of subcall function 00AA94E0: GetWindowLongW.USER32(8B0C428D,000000F0), ref: 00AA9527
Part of subcall function 00AA94E0: GetParent.USER32(8B0C428D), ref: 00AA9539
Part of subcall function 00AA94E0: GetWindowRect.USER32(8B0C428D,?), ref: 00AA955B
Part of subcall function 00AA94E0: GetWindowLongW.USER32(00000000,000000F0), ref: 00AA956E
Part of subcall function 00AA94E0: MonitorFromWindow.USER32(8B0C428D,00000002), ref: 00AA9586

GetDlgItem.USER32(00000000,00000415), ref: 00AC95AE
GetDlgItem.USER32(00000000,00000002), ref: 00AC95BB
EnableWindow.USER32(00000000,00000000), ref: 00AC95C6
GetDlgItem.USER32(?,00000415), ref: 00AC95DC
GetDlgItem.USER32(?,000003EB), ref: 00AC95EA
GetWindowLongW.USER32(00000000,000000F0), ref: 00AC95F8
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AC9610

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$ItemLong$MessageSend$EnableFromHeapMonitorParentProcessRectText
String ID:
API String ID: 1308372421-0
Opcode ID: dea2a38f09569114d4da42176a61efb877265ae81fcf8459577b5995d4df3f0b
Instruction ID: 6e1b904c768397095105652b7f68f1c168760e1899d0cb788689ebf0705d3f54
Opcode Fuzzy Hash: dea2a38f09569114d4da42176a61efb877265ae81fcf8459577b5995d4df3f0b
Instruction Fuzzy Hash: CE418C71A00605AFDB10DF68CC85FAABBF4FF49720F108669F5299B2E1DB31A910CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00AE6890 Relevance: 12.1, APIs: 8, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AE68AC
GetSystemMetrics.USER32(00000000), ref: 00AE68CA
GetSystemMetrics.USER32(00000001), ref: 00AE68D2
PostMessageW.USER32(?,0000052C,00000000,00000000), ref: 00AE6900
PostMessageW.USER32(?,00000112,0000F020,00000000), ref: 00AE6920
SetWindowLongW.USER32(?,000000F0,?), ref: 00AE693A
GetWindowLongW.USER32(?,000000EC), ref: 00AE693F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AE694E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: LongWindow$MessageMetricsPostSystem
String ID:
API String ID: 1079118673-0
Opcode ID: 9d1d7a522ac1ffdd6c67df16950ab59812827ee7417b0da653d8f43bfe888441
Instruction ID: 9d5b9b31628148d0a03f42cecc35edac5c35e45ac94f3590c902655485e08c92
Opcode Fuzzy Hash: 9d1d7a522ac1ffdd6c67df16950ab59812827ee7417b0da653d8f43bfe888441
Instruction Fuzzy Hash: 2F21F3712043546BD310DB29DC89F6B7BE8EB85330F148A29F655A72D3CB75A840CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00AECC1D Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC41
HeapAlloc.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC48

Part of subcall function 00AECD13: IsProcessorFeaturePresent.KERNEL32(0000000C,00AECC2F,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECD15

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC58
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC7F
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC93
InterlockedPopEntrySList.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECCA6
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECCB9

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: b14c66748df8e15d24624693d80c3db4034783c88dc1625e85348409445caeef
Instruction ID: df484ece3b47f00229d87f8df3a84463f558ff250aefb215435a1f0bc6f03435
Opcode Fuzzy Hash: b14c66748df8e15d24624693d80c3db4034783c88dc1625e85348409445caeef
Instruction Fuzzy Hash: 4B110875202A51ABD33117A6AC88FBB7669FF897A0F308021F909E7250DE31ED0187F5

Uniqueness

Uniqueness Score: -1.00%

Function 00AD15B0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 437COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,C956CA52,-00000001,00000000,-00000001), ref: 00AD161A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00B28C0C,00B14960,000000FF), ref: 00AD1624

Strings

install, xrefs: 00AD1850
" installer runned. Exit code: , xrefs: 00AD192B
. Return code: , xrefs: 00AD1947
Update ", xrefs: 00AD18F5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: " installer runned. Exit code: $. Return code: $Update "$install
API String ID: 2776309574-2545104472
Opcode ID: dace32ca3c7e0e570d6c1f0bcfaa8f57cdf8897c7416fc34783ba8fcfee0eb55
Instruction ID: 4b4ee2ab59d9d7ca862912bb6a0423697bda2f2db37afa6682265ed0d46c97fd
Opcode Fuzzy Hash: dace32ca3c7e0e570d6c1f0bcfaa8f57cdf8897c7416fc34783ba8fcfee0eb55
Instruction Fuzzy Hash: 04F1E370A01205EFDB14DFA8C995BAEB7F4EF45314F14856EE81AAF392DB309901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ADF5D0 Relevance: 10.9, APIs: 7, Instructions: 357stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADFE10: CharNextW.USER32(?,00000000,00000000,74DEF360,?,?,00AE086F,00000000,00000000,?,?,?,00000000,00000000,00AE0B13,?), ref: 00ADFE48
Part of subcall function 00ADFE10: CharNextW.USER32(00000000,?,00000000,00000000,74DEF360,?,?,00AE086F,00000000,00000000,?,?,?,00000000,00000000,00AE0B13), ref: 00ADFE6F
Part of subcall function 00ADFE10: CharNextW.USER32(00000027,?,00000000,00000000,74DEF360,?,?,00AE086F,00000000,00000000,?,?,?,00000000,00000000,00AE0B13), ref: 00ADFE8C
Part of subcall function 00ADFE10: CharNextW.USER32(00000027,?,00000000,00000000,74DEF360,?,?,00AE086F,00000000,00000000,?,?,?,00000000,00000000,00AE0B13), ref: 00ADFE94
Part of subcall function 00ADFE10: CharNextW.USER32(?,?,00000000,00000000,74DEF360,?,?,00AE086F,00000000,00000000,?,?,?,00000000,00000000,00AE0B13), ref: 00ADFF02

lstrcmpiW.KERNEL32(?,00B2D500,?,C956CA52,?,00000000,?), ref: 00ADF657
lstrcmpiW.KERNEL32(?,00B2D504), ref: 00ADF66E
VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 00ADF8B2
CharNextW.USER32(?,?), ref: 00ADF9C1
CharNextW.USER32(00000000), ref: 00ADF9D7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CharNext$lstrcmpi$From
String ID:
API String ID: 298784196-0
Opcode ID: 9300fd502639e25dec1c04d564ae982297ea55d3a66846cccf44923c0c3831ac
Instruction ID: fe4f54aa677e788ca3d6e0c14cf687b965a7f51ec1b0633e160b5068328f0c09
Opcode Fuzzy Hash: 9300fd502639e25dec1c04d564ae982297ea55d3a66846cccf44923c0c3831ac
Instruction Fuzzy Hash: CDD17C71900249EFCF24DF54C995BEEB7B4BF18340F55412AEA1BAB3A0E770AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E340 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 350COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D), ref: 00A9E5F1
GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D), ref: 00A9E6EE
GetLastError.KERNEL32(Unable to find the service error code: ,00000027), ref: 00A9E3DE

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

GetLastError.KERNEL32(Unable to set the service status error code: ,0000002D), ref: 00A9E4E4

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Strings

, xrefs: 00A9E73A
Unable to set the service status error code: , xrefs: 00A9E4DA, 00A9E5E7, 00A9E6E4
Unable to find the service error code: , xrefs: 00A9E3D4

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$CriticalCurrentProcessSection$EnterHeapInitializeThread
String ID: $Unable to find the service error code: $Unable to set the service status error code:
API String ID: 2386437487-612451267
Opcode ID: bb5f3a587639dfee59448cc13699074d95c8b391cc3b5b142db7f1ef1061aa53
Instruction ID: 8ac68098344d5960f3743750fb1a891cb9488aee1600f0aae8acbb07922a60e1
Opcode Fuzzy Hash: bb5f3a587639dfee59448cc13699074d95c8b391cc3b5b142db7f1ef1061aa53
Instruction Fuzzy Hash: 6AD19F35200604ABDB10EFB8C959F5ABBE4EF45724F14825CF85A9B2A2DB30E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB63D0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 317windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

SendMessageW.USER32(?,0000109D,00000001,00000000), ref: 00AB6631
SendMessageW.USER32(?,00001091,000000FF,00000028), ref: 00AB668E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB66DC
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00AB6733
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00AB6776

Strings

(, xrefs: 00AB6655

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$HeapProcess
String ID: (
API String ID: 2165194322-3887548279
Opcode ID: 1601eff8f352ccc6e038c7ca8fe4dcc0a704e959b7250faa11e6e2bbe514a729
Instruction ID: 59befb77a1ba2cbc3f81ffec5bba0c8c56eb19a3604256924b9135f920395c06
Opcode Fuzzy Hash: 1601eff8f352ccc6e038c7ca8fe4dcc0a704e959b7250faa11e6e2bbe514a729
Instruction Fuzzy Hash: B1D1C571A0060ADFDB14DF64C984BEEF7B8FF45314F148219E825AB292D774A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE3B00 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,C956CA52,?,?,00000000,00B17C50,000000FF), ref: 00AE3B46
GetLastError.KERNEL32( LastError: ,0000000C,Unable to get the module path.,0000001E,?,?,00000000,00B17C50,000000FF), ref: 00AE3BB9

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

_wcsrchr.LIBVCRUNTIME ref: 00AE3C53
_wcsrchr.LIBVCRUNTIME ref: 00AE3CFF

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Strings

Unable to get the module path., xrefs: 00AE3BA0
LastError: , xrefs: 00AE3BAC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalCurrentProcessSection_wcsrchr$EnterErrorFileHeapInitializeLastModuleNameThread
String ID: LastError: $Unable to get the module path.
API String ID: 2208616992-1723246353
Opcode ID: 746e8a5bc16485b0a68de9c76a759d4c6b5a424c79d55ccadcb829b2e884d60b
Instruction ID: ac259f606a3e6ade6e47f089bc6548c799fe8b984c9a308f07e6c718a70c01ca
Opcode Fuzzy Hash: 746e8a5bc16485b0a68de9c76a759d4c6b5a424c79d55ccadcb829b2e884d60b
Instruction Fuzzy Hash: F891C3726006459FDF14EF69CD99B6EB7B5EF84310F24866CE4169B292DB30DA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4B40 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 226registrysynchronizationwindowCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000001,00000000,00000000,.mtx), ref: 00AC4C9F
RegisterWindowMessageW.USER32(00000000), ref: 00AC4CB5

Strings

.tmp, xrefs: 00AC4B94
.mtx, xrefs: 00AC4C55

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateMessageMutexRegisterWindow
String ID: .mtx$.tmp
API String ID: 627715353-3212867314
Opcode ID: d249b558c507e8ffb1ad3258ee1fda6893b40df2f21211ed4ed7ee2baee8718f
Instruction ID: a6f24b67e7838b58a7e2d2c5e4f70f3bda99f04c60a4993d7e91d5f97d95c1e0
Opcode Fuzzy Hash: d249b558c507e8ffb1ad3258ee1fda6893b40df2f21211ed4ed7ee2baee8718f
Instruction Fuzzy Hash: DF81BD31A05A0AEFD710DF68C854FAAF7F4FF48320F10866DE4259B2A1DB30A905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B00D75 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B00DE4
_free.LIBCMT ref: 00B00DF2
_free.LIBCMT ref: 00B00F20
_free.LIBCMT ref: 00B00F2B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9108f3102f8769598874a250262fdad2e9c0e2ab1889cb95b6918d4b180bed66
Instruction ID: 2d60ffc32bedbc841f9048d9550f353f8571610719f3b950752738bbe759e3e3
Opcode Fuzzy Hash: 9108f3102f8769598874a250262fdad2e9c0e2ab1889cb95b6918d4b180bed66
Instruction Fuzzy Hash: A161C575D10209EFDB20EFA8C881BAABFF4EF05710F1445A9F954EB282EB309D419B50

Uniqueness

Uniqueness Score: -1.00%

Function 00AE29D0 Relevance: 10.7, APIs: 7, Instructions: 192windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,?), ref: 00AE2A26
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AE2A34

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

SetWindowTextW.USER32(?,00000000), ref: 00AE2A9B
SetWindowTextW.USER32(?,?), ref: 00AE2B0B
SendMessageW.USER32(?,00000406,00000000,00000064), ref: 00AE2B6E
SendMessageW.USER32(?,0000040A,00000001,0000001E), ref: 00AE2B89
SetWindowTextW.USER32(?,?), ref: 00AE2BB2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$TextWindow$HeapProcess
String ID:
API String ID: 2466994877-0
Opcode ID: e1fcc9b4071e714cf09bf5e16bc9375e34296ed6079fa96ca35a67bd054420b4
Instruction ID: aff890341750eb4db444de9f6ed17d495ac164f6653929a845a694d1ea8d0878
Opcode Fuzzy Hash: e1fcc9b4071e714cf09bf5e16bc9375e34296ed6079fa96ca35a67bd054420b4
Instruction Fuzzy Hash: 1261D031500608EBDB11DF58CC85B9ABBB9FF45320F14C26AF9189F2A2DB71E950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE75B0 Relevance: 10.7, APIs: 7, Instructions: 158stringthreadwindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B46108,C956CA52), ref: 00AE75FA
GetCurrentThreadId.KERNEL32 ref: 00AE760E
LeaveCriticalSection.KERNEL32(00B46108), ref: 00AE7648
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00AE7682
lstrlenW.KERNEL32(00000000), ref: 00AE7734
lstrcpynW.KERNEL32(-00000078,00000000,?), ref: 00AE774E
Shell_NotifyIconW.SHELL32(00000000,-00000090), ref: 00AE775A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$CurrentEnterIconLeaveLongNotifyShell_ThreadWindowlstrcpynlstrlen
String ID:
API String ID: 2565358240-0
Opcode ID: 60970432a3a4e563628791917683dc6d3fd05b270d3bacb5be2f5689934a00d5
Instruction ID: 2b63cc4606ed8cf60591a62f7362ba407a3f9e4429cd71cbc4d3b04f1e3f1055
Opcode Fuzzy Hash: 60970432a3a4e563628791917683dc6d3fd05b270d3bacb5be2f5689934a00d5
Instruction Fuzzy Hash: 4051BE70A012419FDB10CF69D984B6ABBF4FF05314F148269E804EB396DB71DD00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0584D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B05FC2,00000000,00000000,00000000,00000000,00000000,00AF575A), ref: 00B0588F
__fassign.LIBCMT ref: 00B0590A
__fassign.LIBCMT ref: 00B05925
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B0594B
WriteFile.KERNEL32(?,00000000,00000000,00B05FC2,00000000,?,?,?,?,?,?,?,?,?,00B05FC2,00000000), ref: 00B0596A
WriteFile.KERNEL32(?,00000000,00000001,00B05FC2,00000000,?,?,?,?,?,?,?,?,?,00B05FC2,00000000), ref: 00B059A3

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a908f4e1953a91fe7998cf2500aea9a3b3727efdae7f851d7839d4f731edd886
Instruction ID: 9f5585192f768f88c48da98f38a29c83a00547a9c6022ce5c9a1f7835d96f6b6
Opcode Fuzzy Hash: a908f4e1953a91fe7998cf2500aea9a3b3727efdae7f851d7839d4f731edd886
Instruction Fuzzy Hash: E3518171900649EFDB20CFA8D885AEEBBF8FF09310F14415AE956E7291E730A940CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A86040 Relevance: 10.6, APIs: 7, Instructions: 149COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8608A
std::_Lockit::_Lockit.LIBCPMT ref: 00A860AC
std::_Lockit::~_Lockit.LIBCPMT ref: 00A860D4
__Getctype.LIBCPMT ref: 00A861A5
__Getcvt.LIBCPMT ref: 00A861B8
std::_Facet_Register.LIBCPMT ref: 00A86207
std::_Lockit::~_Lockit.LIBCPMT ref: 00A86231

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
String ID:
API String ID: 2755674607-0
Opcode ID: f549816d1cb9b6b17800ebecff2add3a56c94cf66a78f42bd0245345511cdc48
Instruction ID: 1f60f900dcb2a50beb71cf16c8d115edb2c18351a0ee280633562253ffb697f6
Opcode Fuzzy Hash: f549816d1cb9b6b17800ebecff2add3a56c94cf66a78f42bd0245345511cdc48
Instruction Fuzzy Hash: 1751B0B1D00644CFEB20DF58CA4579EBBF0FF14314F148299D845AB392EB75AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7340 Relevance: 10.6, APIs: 7, Instructions: 144networkCOMMON

Download Yara Rule

APIs

InternetSetOptionW.WININET(000000FF,0000002B,00000000,?), ref: 00AA738A
InternetSetOptionW.WININET(000000FF,0000002C,00000000,?), ref: 00AA7395
InternetSetOptionW.WININET(000000FF,0000001C,00000000,?), ref: 00AA73B0
InternetSetOptionW.WININET(000000FF,0000001D,00000000,?), ref: 00AA73BB
InternetSetOptionW.WININET(000000FF,0000002B,00000000,?), ref: 00AA7450
InternetSetOptionW.WININET(000000FF,0000001C,00000000,?), ref: 00AA745F
InternetSetOptionW.WININET(000000FF,0000001D,00000000,?), ref: 00AA746A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 09977b1415efdb2e2c9b616ce54a8865448d8d7f33a34939b14df94886ea6fe1
Instruction ID: 02554ee526cb4dd5f64dd9ef1673e6a0fb00b491c530abe91b7df69499d155c9
Opcode Fuzzy Hash: 09977b1415efdb2e2c9b616ce54a8865448d8d7f33a34939b14df94886ea6fe1
Instruction Fuzzy Hash: 44413B7A204204AFD704DF58D888D6BBBE9FF8D724F14449AF5519B3A2CB21E805DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0710 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00AF073B
___except_validate_context_record.LIBVCRUNTIME ref: 00AF0743
_ValidateLocalCookies.LIBCMT ref: 00AF07D1
__IsNonwritableInCurrentImage.LIBCMT ref: 00AF07FC
_ValidateLocalCookies.LIBCMT ref: 00AF0851

Strings

csm, xrefs: 00AF07E6

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2a6c41f0c6359a6d2ea7ac27b1c6fbe157bc582d5c90151dd2e3bb84a0387e07
Instruction ID: e8bd6df5454be36b288fb92a272bac05b4e99eb3f09799da1a23b0f3b9058b2b
Opcode Fuzzy Hash: 2a6c41f0c6359a6d2ea7ac27b1c6fbe157bc582d5c90151dd2e3bb84a0387e07
Instruction Fuzzy Hash: F841A334A0020D9BCB10EFA8C845AAEBFB5AF44324F148195FA15AB392D731AE11CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4510 Relevance: 10.6, APIs: 7, Instructions: 101filethreadsynchronizationCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(00000000,00000012,00000000,00000000), ref: 00AC455F
GetExitCodeThread.KERNEL32(00000000,?), ref: 00AC4568
CloseHandle.KERNEL32(00000000), ref: 00AC457A
CloseHandle.KERNEL32(00000000,C956CA52,?,?,00000000), ref: 00AC4584
UnmapViewOfFile.KERNEL32(?,C956CA52,?,?,00000000), ref: 00AC458E
ReleaseMutex.KERNEL32(?,C956CA52,?,?,00000000), ref: 00AC459C
CloseHandle.KERNEL32(?), ref: 00AC45A5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CloseHandle$Thread$CodeExitFileMessageMutexPostReleaseUnmapView
String ID:
API String ID: 962052055-0
Opcode ID: 50ec67f20a78c92ae195e42a1ba6cf768f298f4bb42c96c52ec2c2ea257c843c
Instruction ID: 069a958ce831b93c91ff3d27835bbdc90a420e11de6cb465a82afbdeeb542ea1
Opcode Fuzzy Hash: 50ec67f20a78c92ae195e42a1ba6cf768f298f4bb42c96c52ec2c2ea257c843c
Instruction Fuzzy Hash: A8415771A00608AFD721CF69CD48B5AFBF8FF49320F158669E459976A0DB74ED04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A8ECE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,00000020,00000044,?,00000000,?,?,?,?,00A8ABFA,?,?,00AE6708), ref: 00A8ECFB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00A8ED11
FreeLibrary.KERNEL32(00000000), ref: 00A8ED4A
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,00A8ABFA,?,?,00AE6708,?,?,?,C956CA52,00000000), ref: 00A8ED66

Strings

Shlwapi.dll, xrefs: 00A8ECFA
DllGetVersion, xrefs: 00A8ED0B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 11c7db9f7ee9c85094e18857c08d38df0db4e845249f334a9cb6d2e9f8ab0f9b
Instruction ID: 35f3bedffc24870b3693502368f825d945816d6be523ccfd87c94b1689816232
Opcode Fuzzy Hash: 11c7db9f7ee9c85094e18857c08d38df0db4e845249f334a9cb6d2e9f8ab0f9b
Instruction Fuzzy Hash: 4E216F766043019BD700EF2AED416ABB7E4BFDD714F80096EF489D7251EB25E80887A3

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4DF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,80004005,80004005,C956CA52,?,00000005), ref: 00AA4E04
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,80004005,80004005,C956CA52,?,00000005), ref: 00AA4E21
InternetOpenW.WININET(AdvancedInstaller,00000003,?,00000000,10000000), ref: 00AA4E6C
GetLastError.KERNEL32(C956CA52,?,00000005,?,?,?,?,?,?,?,?,?,?,?,00000000,00B0D5E8), ref: 00AA4E80
InternetSetStatusCallbackW.WININET(00000000,00AA4EA0), ref: 00AA4E8F

Strings

AdvancedInstaller, xrefs: 00AA4E67

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateEventInternet$CallbackErrorLastOpenStatus
String ID: AdvancedInstaller
API String ID: 2592705480-1372594473
Opcode ID: 60daeadf79eb9abf8e0a753f1141c9aa432c28bff1d53cb363a028641295ffee
Instruction ID: cc1ac0dd4dba92b0b05ae8cf76d3d0c2e8110dfd98db32ae9a1e83fa9fcb76b6
Opcode Fuzzy Hash: 60daeadf79eb9abf8e0a753f1141c9aa432c28bff1d53cb363a028641295ffee
Instruction Fuzzy Hash: 0A117C31340602BFD7209B76DD89F96BBA5BB89705F108018F2059B2D0DBB1B811CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0124A Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B00F91: _free.LIBCMT ref: 00B00FBA

_free.LIBCMT ref: 00B01298

Part of subcall function 00AFB0C1: HeapFree.KERNEL32(00000000,00000000,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?), ref: 00AFB0D7
Part of subcall function 00AFB0C1: GetLastError.KERNEL32(?,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?,?), ref: 00AFB0E9

_free.LIBCMT ref: 00B012A3
_free.LIBCMT ref: 00B012AE
_free.LIBCMT ref: 00B01302
_free.LIBCMT ref: 00B0130D
_free.LIBCMT ref: 00B01318
_free.LIBCMT ref: 00B01323

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dfcf1bf996d0b689919ce21319067d9abbde4ddea214af247af22a6f998200d5
Instruction ID: a70cd46806829cc9cc4463ff0e2d0ce7f45e8cd90bdcdd64ba394b2b5cdb5f4d
Opcode Fuzzy Hash: dfcf1bf996d0b689919ce21319067d9abbde4ddea214af247af22a6f998200d5
Instruction Fuzzy Hash: 41111C71560B09AEDA30BBB0CC57FDBBBECEF04700F404865B2E9A6092DFA5B5449660

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9300 Relevance: 9.3, APIs: 6, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A89130: InternetCrackUrlW.WININET(000000FF,00000000,00000000,?), ref: 00A89272

GetActiveWindow.USER32 ref: 00AD94AA
SetLastError.KERNEL32(0000000E), ref: 00AD94C7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ActiveCrackErrorHeapInternetLastProcessWindow
String ID:
API String ID: 4120725808-0
Opcode ID: bd711eeb1c4a97430e3ba54d9fe55321760e46e96de9eebed7139ebb68810615
Instruction ID: 4bbbc2f1164dd4644164425131a4736d5d14ed9a6e620f713ffbf5fa196d2ed2
Opcode Fuzzy Hash: bd711eeb1c4a97430e3ba54d9fe55321760e46e96de9eebed7139ebb68810615
Instruction Fuzzy Hash: A4C18F71800288EFDB15DFA8D944BDEBBF4BF05314F148269F819A7291D7B59A08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE46D0 Relevance: 9.2, APIs: 6, Instructions: 229COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,C956CA52,00000000,?), ref: 00AE4770
EnumWindows.USER32(00AE44D0,?), ref: 00AE4862

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EnumOpenProcessWindows
String ID:
API String ID: 3870184218-0
Opcode ID: 11c836ae18a20c2e8cd1373ed2cc9d50123da821c3f625b59a07fbf954eb6164
Instruction ID: 85e083c6966a25535568802b689c37cabf1dc1c4835394bc53dce829549d0016
Opcode Fuzzy Hash: 11c836ae18a20c2e8cd1373ed2cc9d50123da821c3f625b59a07fbf954eb6164
Instruction Fuzzy Hash: C2917A70D01289DFDB10DFA9D988BEEBBF8EF08314F148158E914BB291DB759944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB3F0 Relevance: 9.2, APIs: 6, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00AAB43C
SysFreeString.OLEAUT32(00000000), ref: 00AAB45F

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

SysAllocString.OLEAUT32(?), ref: 00AAB4ED
SysFreeString.OLEAUT32(00000000), ref: 00AAB510
SysAllocString.OLEAUT32(?), ref: 00AAB5D2
SysFreeString.OLEAUT32(00000000), ref: 00AAB5F7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: String$AllocFree$Exception@8Throw
String ID:
API String ID: 273423687-0
Opcode ID: ae4528ae0b9dc2e3c8273ec9aaa5d235e9677fb1da4c2108578f45d356dcef1a
Instruction ID: 2146ed3ccd162215ffe626798b368a51f93925b53040f629bc87993e3ce731b1
Opcode Fuzzy Hash: ae4528ae0b9dc2e3c8273ec9aaa5d235e9677fb1da4c2108578f45d356dcef1a
Instruction Fuzzy Hash: 64717F72A14649EFD710CF58D804B9ABBE8FB05720F10825AEC25EB791D779D900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC21F Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AF5CB6,00AF5CB6,?,?,?,00AFC470,00000001,00000001,6DE85006), ref: 00AFC279
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AFC470,00000001,00000001,6DE85006,?,?,?), ref: 00AFC2FF
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,6DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AFC3F9
__freea.LIBCMT ref: 00AFC406

Part of subcall function 00AFB073: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AFB143,?,00000000,?,00AF3D73,?,00000004,00000004,?,00000000,?,00AF944D), ref: 00AFB0A5

__freea.LIBCMT ref: 00AFC40F
__freea.LIBCMT ref: 00AFC434

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: 91941231bcb783e4aa77830ef75d235fad9b4e4486bf479bd3d6f78790b23ef9
Instruction ID: 0035110eed15d9e8b90e4add5df897092362a373349b2caa1ba7d6bebb037cd0
Opcode Fuzzy Hash: 91941231bcb783e4aa77830ef75d235fad9b4e4486bf479bd3d6f78790b23ef9
Instruction Fuzzy Hash: 0B51E17264020EABEB259FE6CE45EBF77A9EF44760F154628FE04DA180EB34DC509690

Uniqueness

Uniqueness Score: -1.00%

Function 00AF7CCE Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00AF7CFA
__cftoe.LIBCMT ref: 00AF7D2C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 275b3e1c0ca23aadcb278f99a93f66308b2138e2a9fc7f25e1efea18ebea7d35
Instruction ID: 3763eb4ce7b67bb64f309aff551c798dda1e1c3346779efc60f8907c4ab18038
Opcode Fuzzy Hash: 275b3e1c0ca23aadcb278f99a93f66308b2138e2a9fc7f25e1efea18ebea7d35
Instruction Fuzzy Hash: C0511B7290820DABDF209BE8CD41EBE77B9EF49330F50425AFA1496192DB31DD008A64

Uniqueness

Uniqueness Score: -1.00%

Function 00AC9980 Relevance: 9.2, APIs: 6, Instructions: 170windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00000000,00000498,00000000,00000000), ref: 00AC99C8
EndDialog.USER32(00000000,00000002), ref: 00AC9B69

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: DialogMessagePost
String ID:
API String ID: 1489130658-0
Opcode ID: eec76594944ce40b08067e851ef4ddd366ccace63f203d0c9bc65345d24c8fe6
Instruction ID: af2efa2a462b7c7625eee95961edcc359654669a81a839861812baaa6859abfb
Opcode Fuzzy Hash: eec76594944ce40b08067e851ef4ddd366ccace63f203d0c9bc65345d24c8fe6
Instruction Fuzzy Hash: 6A61AE31600605EBDB04DF68CD49F9AF7B5FF44320F15C268E825AB2A1DB75AE10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A92080 Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A920BD
std::_Lockit::_Lockit.LIBCPMT ref: 00A920DD
std::_Lockit::~_Lockit.LIBCPMT ref: 00A92105
__Getcoll.LIBCPMT ref: 00A921C3
std::_Facet_Register.LIBCPMT ref: 00A92242
std::_Lockit::~_Lockit.LIBCPMT ref: 00A9226C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: c6696a1a7e263d869bdc556c09d6feccf39df2e8993ff5d75c1717df733f6623
Instruction ID: 0530a8abacf41269d9e8ef92e1c1943edfee6d953936999a96a123b447d4f14a
Opcode Fuzzy Hash: c6696a1a7e263d869bdc556c09d6feccf39df2e8993ff5d75c1717df733f6623
Instruction Fuzzy Hash: E451B9B1E00248EFDF11DFA9D984B9DFBB0FF51310F208259E415AB292CB75AA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00AEAC70 Relevance: 9.2, APIs: 6, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00B18AF0,40000000,00000000,00000000,00000004,00000080,00000000,?,C956CA52,?,?), ref: 00AEACE2
GetLastError.KERNEL32(?,?), ref: 00AEACFD
WriteFile.KERNEL32(00000000,0000FEFF,00000002,?,00000000,?,?), ref: 00AEAD27
GetLastError.KERNEL32(?,?), ref: 00AEAD31
CloseHandle.KERNEL32(00000000,?,?), ref: 00AEAD49
CloseHandle.KERNEL32(00000000,?,?), ref: 00AEAD6F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CloseErrorFileHandleLast$CreateWrite
String ID:
API String ID: 7012363-0
Opcode ID: 6f91e85d6a7d34d2a4fe8b495e1d4ca4c6a48caecc37a96ddaf2424ece1d097c
Instruction ID: dd311aacbf19bd9067191263dffdc710f7cfb5940c73131d49fd728b2106d9c7
Opcode Fuzzy Hash: 6f91e85d6a7d34d2a4fe8b495e1d4ca4c6a48caecc37a96ddaf2424ece1d097c
Instruction Fuzzy Hash: B151D331900658DFDB20CF69CC887DEBBF4EF18324F148219E959A7380DB74AA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA120 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

GetModuleFileNameW.KERNEL32(00000000,00000104,ConfigFilePath,?,?,?,?,?,?,?,?,?,?,00B16211,000000FF), ref: 00ADA35E
_wcsrchr.LIBVCRUNTIME ref: 00ADA437

Strings

Software\Caphyon\Advanced Updater\Settings, xrefs: 00ADA190, 00ADA1A0
.ini, xrefs: 00ADA464, 00ADA4A7
ConfigFilePath, xrefs: 00ADA227, 00ADA237

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: FileFindHeapModuleNameProcessResource_wcsrchr
String ID: .ini$ConfigFilePath$Software\Caphyon\Advanced Updater\Settings
API String ID: 2798025010-2585319053
Opcode ID: 1f00f6a588065badf61c2c6fc626f335c844a1c9b7a119c87d42a391f4a00333
Instruction ID: 9623556d428460a835c7f48e2978b9fb889c35592e77f594f8c3c93d74510997
Opcode Fuzzy Hash: 1f00f6a588065badf61c2c6fc626f335c844a1c9b7a119c87d42a391f4a00333
Instruction Fuzzy Hash: 1DE1AE70A00205DFDB10DFA8C949BAEB7F4FF54314F148569E426AB392DB70AE04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAA00 Relevance: 9.1, APIs: 6, Instructions: 129threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00ABAA3E
GetCurrentThreadId.KERNEL32 ref: 00ABAA77
EnterCriticalSection.KERNEL32(00B46108), ref: 00ABAA97
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABAABB
CreateWindowExW.USER32(00000000,00000000,00000000,00B46108,?,80000000,00000000,80000000,00000408,00000000,00000000), ref: 00ABAB16

Part of subcall function 00AECD7E: GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
Part of subcall function 00AECD7E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A

LeaveCriticalSection.KERNEL32(?,C956CA52,?,00000000,00B08100,000000FF,?,C0000005,00000001), ref: 00ABAB6D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$HeapLeave$AllocCreateCurrentEnterErrorLastProcessThreadWindow
String ID:
API String ID: 2771114698-0
Opcode ID: b4e045413bcb5edbe6923b649c60a41e2e9678f31bd8cef5f9625639342ef734
Instruction ID: 38ff71c50ce1da2c6b5a945ba02c1fc46513c37eee6727b293edfdccfc4863fd
Opcode Fuzzy Hash: b4e045413bcb5edbe6923b649c60a41e2e9678f31bd8cef5f9625639342ef734
Instruction Fuzzy Hash: A041AF75A04644AFDB10CF68DD05B9ABBF8FF49710F00825EFC14A3691DB75A910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AE56D0 Relevance: 9.1, APIs: 6, Instructions: 121libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000022,C956CA52,?,?,00000000,80004005,C956CA52,?,?,00000000), ref: 00AE5701
FindResourceW.KERNEL32(00000000,00000001,0000000A,?,00000000,00000022,C956CA52), ref: 00AE5727
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000022,C956CA52), ref: 00AE5739

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

LockResource.KERNEL32(C956CA52,?,00000000,00000022,C956CA52), ref: 00AE5768
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00000022,C956CA52), ref: 00AE5777

Part of subcall function 00AA7930: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,00AA4B44,00000000,00000000,?,00AA4B44,00000000), ref: 00AA7993
Part of subcall function 00AA7930: MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,00AA4B44,?,00000000,?,00AA4B44,00000000), ref: 00AA79C5

FreeLibrary.KERNEL32(00000000,?,00000000,00000022,C956CA52), ref: 00AE57EC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Resource$ByteCharLibraryLoadMultiWide$FindFreeHeapLockProcessSizeof
String ID:
API String ID: 2321941516-0
Opcode ID: 4dec8d55adcd4a31b3c65abde5229353aa6e3d65adfb7704309e2c7bcadee74f
Instruction ID: 5c444f71ec04af9f12ace7fb7e828f06fd83d8fbd3a144e9f3697f3fa9f504e8
Opcode Fuzzy Hash: 4dec8d55adcd4a31b3c65abde5229353aa6e3d65adfb7704309e2c7bcadee74f
Instruction Fuzzy Hash: CE41A571901646DFDB00DFA9DC88BAEBBF8FF45324F148659E821A7291DB749900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB7AD0 Relevance: 9.1, APIs: 6, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AB7AFF
SendMessageW.USER32(00000000,0000048A,?,?), ref: 00AB7B13
GetDlgItem.USER32(00000000,00000000), ref: 00AB7BB9
ShowWindow.USER32(00000000,00000000), ref: 00AB7BD3
GetDlgItem.USER32(00000000,00003025), ref: 00AB7C1B
ShowWindow.USER32(00000000,00000001), ref: 00AB7C2A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ItemShowWindow$MessageParentSend
String ID:
API String ID: 2610741203-0
Opcode ID: 06f57cb2876c59b73951bd479b23cd0c78333f438584006252583b9520524134
Instruction ID: 776b4af8015761adbe478987e0396e86dd555db6f63ffa0ab31fe64cb5158dd6
Opcode Fuzzy Hash: 06f57cb2876c59b73951bd479b23cd0c78333f438584006252583b9520524134
Instruction Fuzzy Hash: 9441E7716082408BE705EB24DC99AAFB7E9EBC5300F40456DE98787392DBB5ED04CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00AD9770 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00AD97CF
LocalAlloc.KERNEL32(00000040,00000000), ref: 00AD97DC
GetLastError.KERNEL32 ref: 00AD97FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B157A0), ref: 00AD9895
LocalFree.KERNEL32(00000000,S-1-1-0,00020030), ref: 00AD98BA

Strings

S-1-1-0, xrefs: 00AD9868

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$Local$AllocFree
String ID: S-1-1-0
API String ID: 3336120135-3642767757
Opcode ID: c5d523eb9e0fb4afd50c2ee6f59bcba3beb25d738c354b6906da77f178a31ea8
Instruction ID: b477aa244a73ab3da43e26bfb5d0dbc8e5581fb24fbbd73b25a9af0c3b966ac7
Opcode Fuzzy Hash: c5d523eb9e0fb4afd50c2ee6f59bcba3beb25d738c354b6906da77f178a31ea8
Instruction Fuzzy Hash: BD4158B4901219EBEB11DFA4CD48BAFBBB8FF05714F104159E901A7390DBB59E04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC030 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ABC09E
GetDlgItem.USER32(00000000,00000000), ref: 00ABC0DE
EnableWindow.USER32(00000000,00000000), ref: 00ABC0E8
GetParent.USER32(?), ref: 00ABC12D
GetDlgItem.USER32(00000000,00003025), ref: 00ABC139
EnableWindow.USER32(00000000,00000001), ref: 00ABC13D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EnableItemParentWindow
String ID:
API String ID: 655088124-0
Opcode ID: 75ae7dc90662c2c3e442f3a4497794b9bfd136726ebb21da54cfab80c8ae6c44
Instruction ID: 8ff2e9f8bb206e22193114337f65747db7a98bb1e5c211d776259643d5c84c3c
Opcode Fuzzy Hash: 75ae7dc90662c2c3e442f3a4497794b9bfd136726ebb21da54cfab80c8ae6c44
Instruction Fuzzy Hash: 9D31F372608250CBD704EF59EC49AABF3EAFBC8310F44452DEA4297292CB34EC049796

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8880 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AB88EE
GetDlgItem.USER32(00000000,00000000), ref: 00AB892E
EnableWindow.USER32(00000000,00000000), ref: 00AB8938
GetParent.USER32(?), ref: 00AB897D
GetDlgItem.USER32(00000000,00003025), ref: 00AB8989
EnableWindow.USER32(00000000,00000001), ref: 00AB898D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EnableItemParentWindow
String ID:
API String ID: 655088124-0
Opcode ID: 5969f87de76f0598fa8f762478c7e3959c895c36af8e40275ac92dac17bcf7d1
Instruction ID: 695283fcd20ddf992bcd146f820ea85e551a1b841a7e685f0cb50b55c9a09874
Opcode Fuzzy Hash: 5969f87de76f0598fa8f762478c7e3959c895c36af8e40275ac92dac17bcf7d1
Instruction Fuzzy Hash: 3D31B0726052108BDB059F29EC59ABBB7EEFBC8300F44442DE58697291CB38AD04CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00AE95E0 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000413), ref: 00AE95F8
SendMessageW.USER32(00000000,00000087,00000000,00000000), ref: 00AE962A
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE9641
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AE965B
GetWindow.USER32(00000000,00000002), ref: 00AE9661
GetWindowLongW.USER32(00000000,000000F0), ref: 00AE9670

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend$Window$ItemLong
String ID:
API String ID: 1613074769-0
Opcode ID: d0546ca5e1c98a6491967fac46fc6421204b477c87002dee5c7465a163fb728f
Instruction ID: ee8727a14877f887988b29622c18a44a54af0db84ff971cf09a7bf9782950bb6
Opcode Fuzzy Hash: d0546ca5e1c98a6491967fac46fc6421204b477c87002dee5c7465a163fb728f
Instruction Fuzzy Hash: 60110431242392ABE7315F169C49FAB7758AF82750F148125F920AB1D1CB74AD01CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2026 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00AF201D,00AEF77B), ref: 00AF2034
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AF2042
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AF205B
SetLastError.KERNEL32(00000000,?,00AF201D,00AEF77B), ref: 00AF20AD

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6f83cb0951ec770ec3869c5415e942c355ed57bacb9f090e27594f1a9e96e1dd
Instruction ID: e392cbe792b66dd35543f1de9fa7334e5dd50436a5258c9947f566507bcd8456
Opcode Fuzzy Hash: 6f83cb0951ec770ec3869c5415e942c355ed57bacb9f090e27594f1a9e96e1dd
Instruction Fuzzy Hash: 6901D83710E21E6EAB242BF5BC85BB72A54FB227747600229F710561E1EF614E24D740

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAECA Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000010,00AF3AD1,00000010,00000001,?,00AF4277,?,00000001,00000010,?), ref: 00AFAECE
_free.LIBCMT ref: 00AFAF01
_free.LIBCMT ref: 00AFAF29
SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF36
SetLastError.KERNEL32(00000000,00000001,00000010,?), ref: 00AFAF42
_abort.LIBCMT ref: 00AFAF48

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1b9c295e628d34abc377c9a52b801cf057ad7ed189185070df902ead821bf390
Instruction ID: caf4c890cd85fff79d13c08fed9f7c4f694986fd3f8a15113ed98bebf05cd907
Opcode Fuzzy Hash: 1b9c295e628d34abc377c9a52b801cf057ad7ed189185070df902ead821bf390
Instruction Fuzzy Hash: D2F0F4F950860826C62233E5AD49BFB1A699FE2770B210014FB1CE7192EF6188424263

Uniqueness

Uniqueness Score: -1.00%

Function 00A8E8E0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C956CA52), ref: 00A8EA81
GetTempPathW.KERNEL32(00000104,?), ref: 00A8EB19

Strings

shim_clone, xrefs: 00A8EB3E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Path$FolderTemp
String ID: shim_clone
API String ID: 2466465029-3944563459
Opcode ID: a219550ad3dc08924b79b33ee08c242e5fa8a3ffe0ae6759eefc9e6690fb653c
Instruction ID: 85b5177d7fc544072d12881addfad914655e253b4fa1c40825e7ed8aadf8e874
Opcode Fuzzy Hash: a219550ad3dc08924b79b33ee08c242e5fa8a3ffe0ae6759eefc9e6690fb653c
Instruction Fuzzy Hash: C181F135A01219DFDB24EF68CD85BAEB7E4FF45B00F508199F90597281EB70AE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A8E980 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C956CA52), ref: 00A8EA81
GetTempPathW.KERNEL32(00000104,?), ref: 00A8EB19
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?), ref: 00A8EB4A
CopyFileW.KERNEL32(?,?,00000000,?), ref: 00A8EB99

Part of subcall function 00AEE5C6: EnterCriticalSection.KERNEL32(00B45378,?,?,?,00A83DF6,00B45F78,C956CA52,?,?,00B081E8,000000FF,?,00A81067,C956CA52,?,00B09CCA), ref: 00AEE5D1
Part of subcall function 00AEE5C6: LeaveCriticalSection.KERNEL32(00B45378,?,?,?,00A83DF6,00B45F78,C956CA52,?,?,00B081E8,000000FF,?,00A81067,C956CA52,?,00B09CCA), ref: 00AEE60E

Part of subcall function 00AEE57C: EnterCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE586
Part of subcall function 00AEE57C: LeaveCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE5B9

Strings

shim_clone, xrefs: 00A8EB3E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$EnterFileLeavePathTemp$CopyFolderName
String ID: shim_clone
API String ID: 4112476602-3944563459
Opcode ID: 96f2a0e87de32d6f994d8a438f9b02e7133f83b7731fa067577f8471505132a7
Instruction ID: ec905f63cf78fc2777bbc75d291ad3671f877fd4b37bd4923a78d71b2489524e
Opcode Fuzzy Hash: 96f2a0e87de32d6f994d8a438f9b02e7133f83b7731fa067577f8471505132a7
Instruction Fuzzy Hash: A9610371A00209DFDB28FB24CD85BAEB7F5FB55B00F5080A9E406971C1EB70AE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4BD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000000,0000000C,00000003,00000080,00000000,C956CA52,?,00000005), ref: 00AA4D8B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00AA4DA3

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

Strings

S-1-5-18, xrefs: 00AA4D41
After calling FileSystemUtil::CreateSubFolders(), xrefs: 00AA4C46
S-1-1-0, xrefs: 00AA4D2E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalCurrentFileProcessSection$CreateEnterHeapInitializePointerThread
String ID: After calling FileSystemUtil::CreateSubFolders()$S-1-1-0$S-1-5-18
API String ID: 2163036398-3279744742
Opcode ID: 37b39546b8db1d2117d5e5029231fd498c62ce3cf8e34efbcfbf8f5ce217147c
Instruction ID: e1c2f2f5100bece98caceb3bbf9adf5444d413cf208a65a21f72ea9303dc8f2a
Opcode Fuzzy Hash: 37b39546b8db1d2117d5e5029231fd498c62ce3cf8e34efbcfbf8f5ce217147c
Instruction Fuzzy Hash: AD51B170901218AFDB54EFA8CD45BAEBBF4EF49320F248269F425EB2D1DB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A9D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?), ref: 00A8AA9A
GetProcAddress.KERNEL32(?,LocalRegisterProxyStub), ref: 00A8AABF
CoRevokeClassObject.OLE32(?,C956CA52,?,00000000), ref: 00A8AB5C
FreeLibrary.KERNEL32(?,C956CA52,?,00000000), ref: 00A8AB9F

Strings

LocalRegisterProxyStub, xrefs: 00A8AAB9

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Library$AddressClassFreeLoadObjectProcRevoke
String ID: LocalRegisterProxyStub
API String ID: 1528236259-861675034
Opcode ID: dcaccbdc3c735dfd828b9bc6360ec735ba7290510226fff425b933266451259a
Instruction ID: 3c6355002547b32d120bfb367891af5bd4170d4977604b527fa94014e9138fab
Opcode Fuzzy Hash: dcaccbdc3c735dfd828b9bc6360ec735ba7290510226fff425b933266451259a
Instruction Fuzzy Hash: EE61CB70A01705DFE720DF68C944B5AFBF4FF15710F00866AE85697790DB74AA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AD1CF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,-00000001,?,?,?,?,?,?,?,C956CA52,00000000,-00000001), ref: 00AD1D63
SystemTimeToFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,C956CA52,00000000,-00000001), ref: 00AD1D87
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD1D9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD1DE8

Strings

Caphyon, xrefs: 00AD1D35, 00AD1DAB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Caphyon
API String ID: 1518329722-1059601326
Opcode ID: 48892efa241464da1b6e3812a895362192ccc845b0b3bb7510c803a12c0de117
Instruction ID: c7923f6f95fdc65946b40048f2bc44e2ad7fbfbb8d30deaa075e98c2deb67959
Opcode Fuzzy Hash: 48892efa241464da1b6e3812a895362192ccc845b0b3bb7510c803a12c0de117
Instruction Fuzzy Hash: 8C31D8322043046BD710DF65DD82BABB3EAEF88354F04092EF99687290EB71ED158796

Uniqueness

Uniqueness Score: -1.00%

Function 00A85DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00A85E24
_wcschr.LIBVCRUNTIME ref: 00A85E69
LoadLibraryExW.KERNEL32(?,00000000,00000000,0000000C,00B28AD8,00000001,00000000), ref: 00A85E7E
GetLastError.KERNEL32 ref: 00A85EC0

Strings

Kernel32.dll, xrefs: 00A85E56

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem_wcschr
String ID: Kernel32.dll
API String ID: 2402191659-1926710522
Opcode ID: 4ab4c1be630c1a27cad84fec841da02ef5bd05e7623265b5e39fe8cdb6ae729d
Instruction ID: 4a6e1a0c03ca778f1ab491e42db704022a79fb835adae118f20a1ff07f297c06
Opcode Fuzzy Hash: 4ab4c1be630c1a27cad84fec841da02ef5bd05e7623265b5e39fe8cdb6ae729d
Instruction Fuzzy Hash: 4E318071A00A05DBD720EF68CD45BAEB7F5FF54710F10862AE829D72D1DBB4AA048B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AB80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,C956CA52,?,?,?,00000000,00000000,00B08B80,000000FF,?,00A9977F,80000001,Software\Microsoft\Internet Explorer\Settings,0002001F,?), ref: 00A9ABC3
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00A9ABDA
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,C956CA52,?,?,?,00000000,00000000,00B08B80,000000FF,?,00A9977F,80000001), ref: 00A9AC13

Strings

RegOpenKeyTransactedW, xrefs: 00A9ABD4
Advapi32.dll, xrefs: 00A9ABBE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: 1c3d713336901940a07f41c9ad9748f850f5a2c8d5cb7eae0bde3437c3553f96
Instruction ID: 391a52b110026175b3a5eac8bf1c9898f214dc44852c2384403e1595c5744d4f
Opcode Fuzzy Hash: 1c3d713336901940a07f41c9ad9748f850f5a2c8d5cb7eae0bde3437c3553f96
Instruction Fuzzy Hash: 9221AF71700215AFDF108F94DC44FAABBE9FB18760F04812AF819DB290DB759950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A86800 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8682D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A86890
__CxxThrowException@8.LIBVCRUNTIME ref: 00A868C9
__Towupper.LIBCPMT ref: 00A868D8

Strings

bad locale name, xrefs: 00A868B3

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: std::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_ThrowTowupper
String ID: bad locale name
API String ID: 1431638821-1405518554
Opcode ID: 95e829a96b6f86c2dff08d04296cda6cf5902c9174cec8e1528908bb6686f733
Instruction ID: 10c477aa3f42ce46593678688ec301e003564e2a3d335b09a499801587be179a
Opcode Fuzzy Hash: 95e829a96b6f86c2dff08d04296cda6cf5902c9174cec8e1528908bb6686f733
Instruction Fuzzy Hash: 4321F470904784EED720DFA8C905B8BBFF4EF15300F008A9EE49997682D775A608CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8B7F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AF8B30,00000000,?,00AF8AD0,00000000,00B41630,0000000C,00AF8C27,00000000,00000002), ref: 00AF8B9F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AF8BB2
FreeLibrary.KERNEL32(00000000,?,?,?,00AF8B30,00000000,?,00AF8AD0,00000000,00B41630,0000000C,00AF8C27,00000000,00000002), ref: 00AF8BD5

Strings

mscoree.dll, xrefs: 00AF8B98
CorExitProcess, xrefs: 00AF8BAA

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c0a6ca549e4851cb77ed93ccbc0e2d95baadef9f448fff5995980d3f6a753e7b
Instruction ID: 41b360eda81a2eef88ebba8a9e76d89a689ca3d02cdc3c304f30dbe7d76163c7
Opcode Fuzzy Hash: c0a6ca549e4851cb77ed93ccbc0e2d95baadef9f448fff5995980d3f6a753e7b
Instruction Fuzzy Hash: 63F04F31A01218BBCB119FA1DC19BEEBFB4EF08751F8040A9F905A72A0DF359E50CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC8D40 Relevance: 7.9, APIs: 5, Instructions: 372windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

GetEnvironmentVariableW.KERNEL32(00000010,00000000,00000104,00000000,?,?,00B132F8,000000FF,?,00AAAC51,?), ref: 00AC8F37
GetEnvironmentVariableW.KERNEL32(00000010,00000000,00000104,?,?,?,?,?,?), ref: 00AC8F81
GetDlgItem.USER32(00000000,00000002), ref: 00AC913D
PostMessageW.USER32(00000000,00000111,00000002,00000000), ref: 00AC914E
EndDialog.USER32(00000000,00000002), ref: 00AC917E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EnvironmentVariable$DialogHeapItemMessagePostProcess
String ID:
API String ID: 2769693469-0
Opcode ID: 956e69be6ef5d67fbfd3cfd04c8b6d480613b2d418021f6157072dace989569c
Instruction ID: f009b3298a37c2d04d1457d43a501e710c71d15522f6e5aeb2541b3e10dafa1d
Opcode Fuzzy Hash: 956e69be6ef5d67fbfd3cfd04c8b6d480613b2d418021f6157072dace989569c
Instruction Fuzzy Hash: 32D1AB71A002059FDB14DF68C989BAEBBF4FF49310F15856DE905AB391DB35AE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1990 Relevance: 7.8, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

GetPrivateProfileStringW.KERNEL32(?,?,00000010,00000000,00000100,00000002), ref: 00AB1A0A
GetPrivateProfileStringW.KERNEL32(?,?,00000010,00000000,00000100,00000002), ref: 00AB1A61
GetPrivateProfileSectionNamesW.KERNEL32(00000000,00000100,?), ref: 00AB1B40
GetPrivateProfileSectionNamesW.KERNEL32(00000000,00000100,?), ref: 00AB1B92
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00AB1CC5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: PrivateProfile$String$NamesSection$HeapProcessWrite
String ID:
API String ID: 305312363-0
Opcode ID: 952a8c417d5bbe4d5980857f8e8824b402abca40cea5bc277709c85327216d35
Instruction ID: 3cee083e7b57a56cc4cb63fadd698b00b89cb207ea7e710ad496919830afe9da
Opcode Fuzzy Hash: 952a8c417d5bbe4d5980857f8e8824b402abca40cea5bc277709c85327216d35
Instruction Fuzzy Hash: 4CA1D371901205EFCB11DF68CD59BAEBBF8FF45320F108569E816AB3A1DB759A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB6B0 Relevance: 7.7, APIs: 5, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(-00000010,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00B138A8,000000FF,?,00AE9C97), ref: 00ACB74E
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 00ACB786
ReadFile.KERNEL32(00000000,00000000,0000000A,?,00000000), ref: 00ACB7A8
CloseHandle.KERNEL32(00000000,00B138A8), ref: 00ACB8DE

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: e6e55e035fe2d5e72a29323b7e452ee950c4f7ce0a727068fb8a6a896316f25e
Instruction ID: f7f7f6177b6c259fcb6a54ce7d4235bf1f639ec91c2e2d50c8f519f100b44414
Opcode Fuzzy Hash: e6e55e035fe2d5e72a29323b7e452ee950c4f7ce0a727068fb8a6a896316f25e
Instruction Fuzzy Hash: EE81BF71A11204DFDB10DF68C84AFEEB7F8EF49310F25826DE415A7291EB35A904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AFD9F6 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be833cabe5c2a20348fa562fd1720ee3e8b733ccd8b15e6f2ee0083648ea8d43
Instruction ID: a14d3ec56aa3f0d153a3cd4c8c92e96f7a50e0cc466a0d48b3e31f9ba3f71a3d
Opcode Fuzzy Hash: be833cabe5c2a20348fa562fd1720ee3e8b733ccd8b15e6f2ee0083648ea8d43
Instruction Fuzzy Hash: 3471D27190421E9BCF22DFE5C884ABFBB76EF41360F154229F654A7180D7B08D42C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE69A0 Relevance: 7.7, APIs: 5, Instructions: 213windowstringCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,00000000), ref: 00AE6A09
ModifyMenuW.USER32(?,00009C48,00000000,00009C48,?), ref: 00AE6AD4
lstrlenW.KERNEL32 ref: 00AE6BA8
lstrcpynW.KERNEL32(?,?,00000000), ref: 00AE6BC2
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AE6BD1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Menu$EnableIconItemModifyNotifyShell_lstrcpynlstrlen
String ID:
API String ID: 2193901437-0
Opcode ID: 738eb1f6626822d2282cbbadff9ee04fc853b13b5dee1af7c8ce3763b1b9d8d7
Instruction ID: 209c3d731c1680abd172885ceec4cff3814c1a2b48699797458558918379d7c5
Opcode Fuzzy Hash: 738eb1f6626822d2282cbbadff9ee04fc853b13b5dee1af7c8ce3763b1b9d8d7
Instruction Fuzzy Hash: D1819B71A01645EFDB10CF68C944BAAFBB8FF45764F108669E825DB2A1DB71AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC820 Relevance: 7.7, APIs: 5, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00ABC2E0,000000F0), ref: 00ABC846
IsWindowVisible.USER32(00ABC2E0), ref: 00ABC891
SendMessageW.USER32(00ABC2E0,0000000B,00000000,00000000), ref: 00ABC8A7
SendMessageW.USER32(00ABC2E0,0000000B,00000001,00000000), ref: 00ABCA94
RedrawWindow.USER32(00ABC2E0,00000000,00000000,00000185), ref: 00ABCAA5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: 7cc42826ec5c6680f2c45f495004a691863deef3c90a9ce6b4b11e6aeb395a2c
Instruction ID: c56e39a0feb90483eb5b72ab3f0f3049774ede17ca5d0fb806e00b6bce9f14a3
Opcode Fuzzy Hash: 7cc42826ec5c6680f2c45f495004a691863deef3c90a9ce6b4b11e6aeb395a2c
Instruction Fuzzy Hash: F5816971A083059FD710CF19C980A9AFBEAFF84760F554A1EF894E7262D771E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8D40 Relevance: 7.7, APIs: 5, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(-00000014,000000F0), ref: 00AA8D66
IsWindowVisible.USER32(-00000014), ref: 00AA8DB1
SendMessageW.USER32(-00000014,0000000B,00000000,00000000), ref: 00AA8DC7
SendMessageW.USER32(-00000014,0000000B,00000001,00000000), ref: 00AA8FB4
RedrawWindow.USER32(-00000014,00000000,00000000,00000185), ref: 00AA8FC5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: 84185819b53b2dd2a3a8b31b8dd36c2f25053dceb38717cd77ae19ecd8fdbb42
Instruction ID: 4c9e4f2c75dbc087abe08bc98d420320505be9a74dd8b60689e9a5367f870a5f
Opcode Fuzzy Hash: 84185819b53b2dd2a3a8b31b8dd36c2f25053dceb38717cd77ae19ecd8fdbb42
Instruction Fuzzy Hash: 62813871A083029FD710CF19C940A5EFBE6BFD9754F154A1EF994A72A0EB74E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9C50 Relevance: 7.7, APIs: 5, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00AB9C76
IsWindowVisible.USER32(?), ref: 00AB9CC1
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00AB9CD7
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00AB9EC4
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00AB9ED5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$MessageSend$LongRedrawVisible
String ID:
API String ID: 554559110-0
Opcode ID: b286da16277235fc7efa8223f85b11b18012d6c48c19221312ae2355e2091301
Instruction ID: 0aeadfd2b20f1160302170bae6c9f8496af5ee616b59f1e529831b6dd9fad5af
Opcode Fuzzy Hash: b286da16277235fc7efa8223f85b11b18012d6c48c19221312ae2355e2091301
Instruction Fuzzy Hash: AD816731A087019FD710CF19C980A9AFBFAFF88750F554A1EFA94A7261D771E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA199 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AFB073: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AFB143,?,00000000,?,00AF3D73,?,00000004,00000004,?,00000000,?,00AF944D), ref: 00AFB0A5

_free.LIBCMT ref: 00AFA2A4
_free.LIBCMT ref: 00AFA2BB
_free.LIBCMT ref: 00AFA2DA
_free.LIBCMT ref: 00AFA2F5
_free.LIBCMT ref: 00AFA30C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$AllocHeap
String ID:
API String ID: 1835388192-0
Opcode ID: 1d38e10c0530d632455491f35e7422ddfad720bb03fdab5c73664b174321d4ad
Instruction ID: 002ec54f802250935d97b9fb8694706b550846c1c7592523d8fc1e515fff3da2
Opcode Fuzzy Hash: 1d38e10c0530d632455491f35e7422ddfad720bb03fdab5c73664b174321d4ad
Instruction Fuzzy Hash: 3551A2B2A003089FDB20DFA9D981AFA77F4EF64720B140669FA4DD7261E732D9418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D920 Relevance: 7.7, APIs: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,C956CA52,?,?,00000000,?,?,?,?,?), ref: 00A8D973
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,00B09970,000000FF), ref: 00A8D9A1
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,00B09970,000000FF), ref: 00A8D9F5
ReadFile.KERNEL32(00000000,?,00010000,?,00000000,00010000,?,?,00000000,?,?,?,?,?,00B09970,000000FF), ref: 00A8DA61
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,00B09970,000000FF), ref: 00A8DAD7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$CloseHandle$CreateReadSize
String ID:
API String ID: 3664964396-0
Opcode ID: 14c3ff5ab1f5b3975d98f225fa211edda6d12c59f73ec521ab036dbd3973b88d
Instruction ID: 217f117fbe8b53f20b71bc83524d6c1b4c86c7071e04a884291e5a6ceca3ee09
Opcode Fuzzy Hash: 14c3ff5ab1f5b3975d98f225fa211edda6d12c59f73ec521ab036dbd3973b88d
Instruction Fuzzy Hash: CC51F271901248EFDB25EF68CD45BEEBBB4FF15310F248159E859AB2C0DB745A08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1810 Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,C956CA52,?,00000000,?,?,?,C956CA52,?,000000DC), ref: 00AB190C
GetLastError.KERNEL32 ref: 00AB192A
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00AB1942
GetLastError.KERNEL32 ref: 00AB194C
CloseHandle.KERNEL32(00000000), ref: 00AB196B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID:
API String ID: 3160720760-0
Opcode ID: 32cc85595d5f7a954ed600c5001bfabecdac4c219fb2f9a67f3366cc7aa1d5f1
Instruction ID: 1f9c932d8e02396e4cdca9de48eef21f14076c5b6b9bfb3bb9aca80cd04ba6ce
Opcode Fuzzy Hash: 32cc85595d5f7a954ed600c5001bfabecdac4c219fb2f9a67f3366cc7aa1d5f1
Instruction Fuzzy Hash: CD41B571A00205EFD721CF68DC45BAABBF8FF05720F10826AE915E7390DB71A904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ABEB00 Relevance: 7.6, APIs: 5, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

GetParent.USER32(?), ref: 00ABEB6D
SendMessageW.USER32(00000000,00000478,00000000,?), ref: 00ABEB8A
SetWindowTextW.USER32(00000000,?), ref: 00ABEB93
GetParent.USER32(?), ref: 00ABEC6E
PostMessageW.USER32(00000000,00000471,00000005,00000000), ref: 00ABEC7E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageParent$HeapPostProcessSendTextWindow
String ID:
API String ID: 2975121123-0
Opcode ID: 401686deb2044d6e498b17007c4a3a4664ca41a4e43c158001b570b36632ab7a
Instruction ID: f65f28ebd8ba09368b7fbc4bd5246ab185d47622967aaf65d25d081392d6d90d
Opcode Fuzzy Hash: 401686deb2044d6e498b17007c4a3a4664ca41a4e43c158001b570b36632ab7a
Instruction Fuzzy Hash: 1E518E31200A06AFEB15DB78CC49FE5B7A8FF09710F044659F6698B6A1DB71A810CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AB70F0 Relevance: 7.6, APIs: 5, Instructions: 139windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00AB7148
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB717C
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00AB71D7
SendMessageW.USER32(?,0000102B,00000001,?), ref: 00AB732A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AB7340

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 781b54760209d9bf5745fad0b37ba583f2844f9a5dd56feb92f0c559a940d5f9
Instruction ID: 1a1f61bb5e8bcaad0208b3c6080c91d35540f6f1ecb09b0211d6d30728ab2f88
Opcode Fuzzy Hash: 781b54760209d9bf5745fad0b37ba583f2844f9a5dd56feb92f0c559a940d5f9
Instruction Fuzzy Hash: 385181319187859BE7308F50CE447EEB7EABFDA304F209A1EF58856151EBF094848B82

Uniqueness

Uniqueness Score: -1.00%

Function 00AC7690 Relevance: 7.6, APIs: 5, Instructions: 136fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000004,?,?,00000000,C956CA52,?,?,?,?,00AAF2C5), ref: 00AC76F3
GetLastError.KERNEL32(?,?,00AAF2C5), ref: 00AC7700
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,?,00AAF2C5), ref: 00AC772D
GetLastError.KERNEL32(?,?,00AAF2C5), ref: 00AC773A
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00AAF2C5), ref: 00AC77C1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CreateErrorFileLast$EventMappingView
String ID:
API String ID: 267765441-0
Opcode ID: 63fa111bcb03150478087e5f58554c92949f967780134b939395a32d6206a6f3
Instruction ID: 5800372fd7f86b4bc767493fb2a9d07f09f5ad64bd50e3e17469255f66625945
Opcode Fuzzy Hash: 63fa111bcb03150478087e5f58554c92949f967780134b939395a32d6206a6f3
Instruction Fuzzy Hash: 5F518D70600B0A9BD710CFA9CD48F9ABBB8FF48730F158369A5259B2D1EB74A9008F50

Uniqueness

Uniqueness Score: -1.00%

Function 00A88D20 Relevance: 7.6, APIs: 6, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?), ref: 00A88D39
LocalFree.KERNEL32(?,?,?), ref: 00A88D49
GetLastError.KERNEL32 ref: 00A88D87
LocalAlloc.KERNEL32(00000040,00000014), ref: 00A88DC6
GetLastError.KERNEL32 ref: 00A88DE0
LocalFree.KERNEL32(?), ref: 00A88DF1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Local$Free$ErrorLast$Alloc
String ID:
API String ID: 3879364810-0
Opcode ID: 17ad217c3909c443d3bfd469574efa6cd514d017728a8b75f64e8521c4487e45
Instruction ID: c66e2152b221c429d6786e32640768537582d9d94eeaaceae5698f90d9e91410
Opcode Fuzzy Hash: 17ad217c3909c443d3bfd469574efa6cd514d017728a8b75f64e8521c4487e45
Instruction Fuzzy Hash: C9416775600705AFEB20EF65EC44B57B7E8FB48710F404A2EE946C3680EF78E9088B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF93C0 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF9432
_free.LIBCMT ref: 00AF9452

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 062259b0c544b78e48963332175176f8f845b42020a9dc9af980f13b88a37aae
Instruction ID: f3384038c35eceebee98b83ddb7f0bf2bc01f657fb1e671150bccc172dbfdf4e
Opcode Fuzzy Hash: 062259b0c544b78e48963332175176f8f845b42020a9dc9af980f13b88a37aae
Instruction Fuzzy Hash: 5441D436A002089FCB10DFB8C981A6EB7F5EF85314B154669F715EB381DB31AD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A8EDC0 Relevance: 7.6, APIs: 5, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A8E980: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,C956CA52), ref: 00A8EA81
Part of subcall function 00A8E980: GetTempPathW.KERNEL32(00000104,?), ref: 00A8EB19

GetFileVersionInfoSizeW.VERSION(?,?,C956CA52), ref: 00A8EE0D
GetFileVersionInfoW.VERSION(?,?,?,?,00000000), ref: 00A8EE39
VerQueryValueW.VERSION(?,00B28AD8,?,?), ref: 00A8EE51
GetLastError.KERNEL32 ref: 00A8EE7E
DeleteFileW.KERNEL32(?), ref: 00A8EE91

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: File$InfoPathVersion$DeleteErrorFolderLastQuerySizeTempValue
String ID:
API String ID: 2981634894-0
Opcode ID: 30de4dd7196d38b8b91048da276e9babd8746a8a84b893994215e9a9ce063a57
Instruction ID: f099a12ee571116a42e1a7a64b07dfb280f41798bb6ba14a44a6a18faaa6f932
Opcode Fuzzy Hash: 30de4dd7196d38b8b91048da276e9babd8746a8a84b893994215e9a9ce063a57
Instruction Fuzzy Hash: 0531AE71A01259EBDB11DFA5DD44BEFFBB8EF08310F14416AE815A3290DB359A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A92065 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00A92071

Part of subcall function 00AF065A: RaiseException.KERNEL32(?,?,?,?), ref: 00AF06BA

std::_Lockit::_Lockit.LIBCPMT ref: 00A920BD
std::_Lockit::_Lockit.LIBCPMT ref: 00A920DD
std::_Lockit::~_Lockit.LIBCPMT ref: 00A92105
__Getcoll.LIBCPMT ref: 00A921C3
std::_Facet_Register.LIBCPMT ref: 00A92242
std::_Lockit::~_Lockit.LIBCPMT ref: 00A9226C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionException@8Facet_GetcollRaiseRegisterThrow
String ID:
API String ID: 1560489502-0
Opcode ID: e74a0af8c78a6469b52acef34ff571df7a5579c842bacc8e6e48ce4b2710029c
Instruction ID: 9352983415f2925ce522520c6ed23baaf881d31b9b1ca394508c48537ca7cd4e
Opcode Fuzzy Hash: e74a0af8c78a6469b52acef34ff571df7a5579c842bacc8e6e48ce4b2710029c
Instruction Fuzzy Hash: 2F31D135A04244EFCF21DF95D941BADB7F4FF61320F20425AE9156B2A2CB30AE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD440 Relevance: 7.6, APIs: 5, Instructions: 87threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,C956CA52,?,-00000010,00000000), ref: 00ADD47E
GetCurrentThreadId.KERNEL32 ref: 00ADD4AD
EnterCriticalSection.KERNEL32(00B46108), ref: 00ADD4CD
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ADD4F1
DialogBoxParamW.USER32(0000006E,00000000,Function_0003A4E0,00000000), ref: 00ADD50D

Part of subcall function 00AECD7E: GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
Part of subcall function 00AECD7E: HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalHeapSection$AllocCurrentDialogEnterErrorLastLeaveParamProcessThread
String ID:
API String ID: 3247953248-0
Opcode ID: 3acdfe054f2bef2cb3055db14a7d5a4ce8f1268c651b6e1feb740a952ebe059b
Instruction ID: 54176a42bb4402a6e1fe1e37b0a10b03e420680f464d19f426cf05b76bc38eef
Opcode Fuzzy Hash: 3acdfe054f2bef2cb3055db14a7d5a4ce8f1268c651b6e1feb740a952ebe059b
Instruction Fuzzy Hash: 8321F435A44744AFD720DF68EC06B89BBF4FB06B20F10861AF821B37D0DBB161148B52

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB490 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000415), ref: 00ACB4BD
GetDlgItem.USER32(?,000003EB), ref: 00ACB4CE

Part of subcall function 00AA94E0: GetWindowLongW.USER32(8B0C428D,000000F0), ref: 00AA9527
Part of subcall function 00AA94E0: GetParent.USER32(8B0C428D), ref: 00AA9539
Part of subcall function 00AA94E0: GetWindowRect.USER32(8B0C428D,?), ref: 00AA955B
Part of subcall function 00AA94E0: GetWindowLongW.USER32(00000000,000000F0), ref: 00AA956E
Part of subcall function 00AA94E0: MonitorFromWindow.USER32(8B0C428D,00000002), ref: 00AA9586

GetDlgItem.USER32(?,00000002), ref: 00ACB53F
PostMessageW.USER32(?,00000111,00000002,00000000), ref: 00ACB550

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Item$Long$FromMessageMonitorParentPostRect
String ID:
API String ID: 464501233-0
Opcode ID: 4b0b499075e9a8609b0acf5d79da96149c97c97f050b587fb20aeeb19e15c180
Instruction ID: 6db26a703f82d5cda1d5b1295974337d6ce26c728911c814042bf8f4669b85a6
Opcode Fuzzy Hash: 4b0b499075e9a8609b0acf5d79da96149c97c97f050b587fb20aeeb19e15c180
Instruction Fuzzy Hash: 9E3159B1201208DFDB10DF14D9C9FA6BBA4FB49311F51819AF9068F2A6CB72EC44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AF6B Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00A9AF80
GetWindowLongW.USER32(?,000000FC), ref: 00A9AF95
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00A9AFAB
GetWindowLongW.USER32(?,000000FC), ref: 00A9AFC5
SetWindowLongW.USER32(?,000000FC,?), ref: 00A9AFD5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: 3a6732912476f9efb11b41ec19952c6a878e778a8204412ca18829923c1b2945
Instruction ID: 9782262821ef057b07df60739eb2d1e8e2411dbc6f775c891df5976baf076d2d
Opcode Fuzzy Hash: 3a6732912476f9efb11b41ec19952c6a878e778a8204412ca18829923c1b2945
Instruction Fuzzy Hash: BB212971208700AFC721AF19DC84857BBF5FF88720B508A1EF496836A1D732E954DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2C00 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00B285E8), ref: 00AE2C24
SetWindowTextW.USER32(?,?), ref: 00AE2C3A
SendMessageW.USER32(?,00000402,?,00000000), ref: 00AE2C76

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: TextWindow$MessageSend
String ID:
API String ID: 2225844749-0
Opcode ID: 2f438e372006cedf6a5585b2b3613e495c3da35eb0f5f9f7293465a0d6365425
Instruction ID: cef4a15db9dc0113a95d39f257cb73dd4f246df8558c0c9cb8d1c82c0d542afa
Opcode Fuzzy Hash: 2f438e372006cedf6a5585b2b3613e495c3da35eb0f5f9f7293465a0d6365425
Instruction Fuzzy Hash: DA118271600200ABDE219B11DE49F5D7B69BBB1755F30C449F24AEA0A2C663DC53D745

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAF4E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00AF37A7,00AFB161,?,00AF3D73,?,00000004,00000004,?,00000000,?,00AF944D,?,00000004), ref: 00AFAF53
_free.LIBCMT ref: 00AFAF88
_free.LIBCMT ref: 00AFAFAF
SetLastError.KERNEL32(00000000,?,?,?,?,?,00A83E56,?,00A83E56), ref: 00AFAFBC
SetLastError.KERNEL32(00000000,?,?,?,?,?,00A83E56,?,00A83E56), ref: 00AFAFC5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 83641e5ab23db51e804798573ab94b8e5f47c0aecc62c19814e5985dfe264053
Instruction ID: 1f966f4bcd180fe692bb460c57738aa25545e4d97e29d9265c42ea7845fc7d6c
Opcode Fuzzy Hash: 83641e5ab23db51e804798573ab94b8e5f47c0aecc62c19814e5985dfe264053
Instruction Fuzzy Hash: 650149F61086083BC31223F1AC49EFB1A79DFE13B57210114F70DA7192EF7089414222

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9200 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(-00000020), ref: 00AB921B
GetWindowLongW.USER32(?,000000EC), ref: 00AB9225
GetSystemMetrics.USER32(-0000002D), ref: 00AB923F
GetSystemMetrics.USER32(-0000002D), ref: 00AB925C
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 00AB926D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: System$Metrics$InfoLongParametersWindow
String ID:
API String ID: 72108969-0
Opcode ID: e2248469ba3574259208b32be75d01d3182524bf069aaafbbb9d95cec1b00f41
Instruction ID: 462543083b0cc9e063d659fa9d92cdb2f5c7aad0bb3cc5c40042e61c92e158c7
Opcode Fuzzy Hash: e2248469ba3574259208b32be75d01d3182524bf069aaafbbb9d95cec1b00f41
Instruction Fuzzy Hash: C601D472A143046FE7615B35CD49BDBBBECEF49310F18482EE582D3A92D6B8E440CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1D90 Relevance: 7.5, APIs: 5, Instructions: 48synchronizationnetworkCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,C956CA52,?,?,?,00B0CC78,000000FF), ref: 00AA1DCF
InternetCloseHandle.WININET(00000000), ref: 00AA1DDD
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00B0CC78,000000FF), ref: 00AA1DEF
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00B0CC78,000000FF), ref: 00AA1DFA
InternetCloseHandle.WININET(FFFFFFFF), ref: 00AA1E15

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CloseHandleInternetObjectSingleWait$EventReset
String ID:
API String ID: 259955505-0
Opcode ID: f263a3107f0ac4cc45f9c8fce815a7c669ddc7a29fca8b459e4cde10dc930f4a
Instruction ID: d41dca6d708778b90d2ef9dc4c507fd4478d4c13291f1d583d10c8d4fe6dad2a
Opcode Fuzzy Hash: f263a3107f0ac4cc45f9c8fce815a7c669ddc7a29fca8b459e4cde10dc930f4a
Instruction Fuzzy Hash: EB112AB1505606FBDB118F59DD48B59FBB8FB0A720F208319E429A37E0DBB5A820CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AE6D90 Relevance: 7.5, APIs: 5, Instructions: 47stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,C000008C,00000001,80004005,C956CA52), ref: 00AE6DAB
lstrcpynW.KERNEL32(?,?,00000001,?,?,C000008C,00000001,80004005,C956CA52), ref: 00AE6DC5
lstrlenW.KERNEL32(C956CA52,?,?,C000008C,00000001,80004005,C956CA52), ref: 00AE6DD0
lstrcpynW.KERNEL32(?,C956CA52,00000001,?,?,C000008C,00000001,80004005,C956CA52), ref: 00AE6DEA
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AE6E0A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: lstrcpynlstrlen$IconNotifyShell_
String ID:
API String ID: 1698051517-0
Opcode ID: 396ecf8dd9dcfb9eb6a1669256d89bb35b0ac3647f5548629ef66df40d660edd
Instruction ID: ba58402b166dce99062e5474a4b20d64755e94a6ef4683d9018fe7bde24ffbd4
Opcode Fuzzy Hash: 396ecf8dd9dcfb9eb6a1669256d89bb35b0ac3647f5548629ef66df40d660edd
Instruction Fuzzy Hash: 990175B1601259AFDB11CF54EC44BEB37DCEF49310F00442AFD45D7241CA70EA509BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B00D0C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B00D24

Part of subcall function 00AFB0C1: HeapFree.KERNEL32(00000000,00000000,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?), ref: 00AFB0D7
Part of subcall function 00AFB0C1: GetLastError.KERNEL32(?,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?,?), ref: 00AFB0E9

_free.LIBCMT ref: 00B00D36
_free.LIBCMT ref: 00B00D48
_free.LIBCMT ref: 00B00D5A
_free.LIBCMT ref: 00B00D6C

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4f351a71aefb87d5454e2a64f0490e80918fbd845f8b75ee70f6e77cd40f0376
Instruction ID: c48fbd0f7b3872b9d6ee25a09c1e716d1a41cfe4f605c169b18e3f1ad1499fcd
Opcode Fuzzy Hash: 4f351a71aefb87d5454e2a64f0490e80918fbd845f8b75ee70f6e77cd40f0376
Instruction Fuzzy Hash: 4DF03C76524604ABC620EBD8F9C2E2B7BE9FA01310B644855F558D7642CF20FDD08A70

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD9A0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ABD9DF
GetParent.USER32(00000000), ref: 00ABD9E2
GetParent.USER32(00000000), ref: 00ABD9E5
ShowWindow.USER32(00000000,00000002), ref: 00ABD9F2
ShowWindow.USER32(00000000,00000001), ref: 00ABD9F7

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Parent$ShowWindow
String ID:
API String ID: 4286518374-0
Opcode ID: da456d6d471df370cb35baf90da929204605df50b19629e28c9a4341b3f04fd6
Instruction ID: d065a2dc20b7e4c3f9588e7765ee3b130ef6082305bafc31dc2396270700e3d6
Opcode Fuzzy Hash: da456d6d471df370cb35baf90da929204605df50b19629e28c9a4341b3f04fd6
Instruction Fuzzy Hash: 7EF06231A01220ABDB219B55DC08F9ABF69FF85724F15845AF5445B251CA72EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF960F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AF962D

Part of subcall function 00AFB0C1: HeapFree.KERNEL32(00000000,00000000,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?), ref: 00AFB0D7
Part of subcall function 00AFB0C1: GetLastError.KERNEL32(?,?,00B00FBF,?,00000000,?,00000000,?,00B01263,?,00000007,?,?,00B01612,?,?), ref: 00AFB0E9

_free.LIBCMT ref: 00AF963F
_free.LIBCMT ref: 00AF9652
_free.LIBCMT ref: 00AF9663
_free.LIBCMT ref: 00AF9674

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4135888cba342a8674f3ee3e7f2961228240f9ef78a3ff204906edc184d6bade
Instruction ID: 2272bba94a6cc20ef8700d4bb6b408986362167ad6d4abbe699b5550212dd9ac
Opcode Fuzzy Hash: 4135888cba342a8674f3ee3e7f2961228240f9ef78a3ff204906edc184d6bade
Instruction Fuzzy Hash: 4CF03ABC810D688BCA226FA8FD4152A3BA4FB077203550106F1A4972B3CF344A968F96

Uniqueness

Uniqueness Score: -1.00%

Function 00AA5100 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

GET, xrefs: 00AA5188
OpenUrl() returned:, xrefs: 00AA51E5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID: GET$OpenUrl() returned:
API String ID: 0-2056621786
Opcode ID: f28e108f1f0c9864f0a8a868127ec820b46ef3d871617224dc2dd39f2e39995e
Instruction ID: f39819f0c006e2da66a16ddd9c62204df50eabf4032b35a7c909912733f89d47
Opcode Fuzzy Hash: f28e108f1f0c9864f0a8a868127ec820b46ef3d871617224dc2dd39f2e39995e
Instruction Fuzzy Hash: 20A1AF31A00A499FDB10DFB8C944BAEBBB5FF46320F148269E815AB2D1DB74DD05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2F10 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00AB301B

Part of subcall function 00A824C0: __CxxThrowException@8.LIBVCRUNTIME ref: 00A824D5

#173.MSI(00000001,00000010,00000000,00000104,00000104,00000010,?,00000001,00000001,00000010), ref: 00AB3093
#173.MSI(?,?,00000000,00000104,00000105), ref: 00AB30CE

Strings

APPDIR, xrefs: 00AB2F3D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: #173$Exception@8Throw_wcschr
String ID: APPDIR
API String ID: 3431245675-1435851147
Opcode ID: e2dbad164c7eb6f12c361db293ff649ffdb1f8a7756f17521dd1b3653c96c985
Instruction ID: f6febb4d6f2d0afc735f6d6e34e44641a0636f3cfe741c086ce361015413b354
Opcode Fuzzy Hash: e2dbad164c7eb6f12c361db293ff649ffdb1f8a7756f17521dd1b3653c96c985
Instruction Fuzzy Hash: 9D81C372A001059BDF14DF68D845BEEB7B8FF45320F14876AE8169B391D775AA40CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00AAE8E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

CompareFileTime.KERNEL32(?,?), ref: 00AAEA66
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AAEACE
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AAEB21

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

Strings

LastModified, xrefs: 00AAEA0D, 00AAEA1D, 00AAEB2D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Time$File$System$CompareFindHeapProcessResource
String ID: LastModified
API String ID: 1551326426-2900887607
Opcode ID: 8e2992cb2d2cd62d248e28beb6ddcb1491554fcf8d5813c79b9817f159153f7a
Instruction ID: a4ce173be247b37dd673b8c5edabab7fe1c28030e411ad9c4af13194ea256c6f
Opcode Fuzzy Hash: 8e2992cb2d2cd62d248e28beb6ddcb1491554fcf8d5813c79b9817f159153f7a
Instruction Fuzzy Hash: 23917C31901259CBEB20DB68CD44BADB7B4BF05314F1482DAE519E72D2EB74AE84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00AADA60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 198libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll,C956CA52), ref: 00AADC2C
FreeLibrary.KERNEL32(?), ref: 00AADCE2

Strings

0x%X, xrefs: 00AADADB
wininet.dll, xrefs: 00AADC27

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Library$FreeLoad
String ID: 0x%X$wininet.dll
API String ID: 534179979-2038226600
Opcode ID: ef554f98dc9b1eda4102c2beb82c53bb94c79cdc881a64d1e9fc3be5c319d537
Instruction ID: 92b964f5343c70dcbb3974a894dad45e43a13118f2443ec711b3b8f1c679ecd5
Opcode Fuzzy Hash: ef554f98dc9b1eda4102c2beb82c53bb94c79cdc881a64d1e9fc3be5c319d537
Instruction Fuzzy Hash: 8B71E171A01206CFCB14DF68C985B6EF7B1FF86320F6486A9D8569B7D1DB709900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE90D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 178windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

EnableWindow.USER32(?,00000001), ref: 00AE925D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AE928A

Strings

NoAutoUpdateCheck, xrefs: 00AE91CC, 00AE91DC
AutoUpdatePolicy, xrefs: 00AE9131, 00AE9141

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EnableFindHeapMessageProcessResourceSendWindow
String ID: AutoUpdatePolicy$NoAutoUpdateCheck
API String ID: 1765928292-325369193
Opcode ID: 5fbaf598433af4a5f0b9b1556b82a8a04dd80d86a3a13a1fb1e36884f0803ef2
Instruction ID: f0f76a3bcf8b8b3793680e3352e400d123f71ffcf8284df76ac82e52b8f3b073
Opcode Fuzzy Hash: 5fbaf598433af4a5f0b9b1556b82a8a04dd80d86a3a13a1fb1e36884f0803ef2
Instruction Fuzzy Hash: 0B517071A0074AAFDB14DFA9C985BEFBBB4EF04310F104269E615A72D1DB709A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE92E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

CoTaskMemFree.OLE32(?,C956CA52,?,00000000,00B18788,000000FF,?,80004005,80004005,C956CA52,?), ref: 00AE94C3

Part of subcall function 00A9D330: GetWindowTextLengthW.USER32(?), ref: 00A9D337
Part of subcall function 00A9D330: GetWindowTextW.USER32(?,?,00000001), ref: 00A9D369

GetDlgItem.USER32(?,00000413), ref: 00AE938B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00AE93B4

Strings

AutoUpdatePolicy, xrefs: 00AE93EA, 00AE93FA

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: TextWindow$FreeHeapItemLengthMessageProcessSendTask
String ID: AutoUpdatePolicy
API String ID: 1923109199-4250888325
Opcode ID: 0df7fdfa36813fd123d3e25295304474d8b128faf3799292a1b40414a8f74220
Instruction ID: 0ac7eb690b21ff75e8a218216d2fcdf1ac821ed2aa60da9df74d5ed217bf66a6
Opcode Fuzzy Hash: 0df7fdfa36813fd123d3e25295304474d8b128faf3799292a1b40414a8f74220
Instruction Fuzzy Hash: A851CF31600649AFCB10DF68CE45BAEB7F9FF44710F148669E525AB2D1DB30A901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8C7A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\updater.exe,00000104), ref: 00AF8CB5
_free.LIBCMT ref: 00AF8D80
_free.LIBCMT ref: 00AF8D8A

Strings

C:\Users\user\Desktop\updater.exe, xrefs: 00AF8CAC, 00AF8CB3, 00AF8CE2, 00AF8D1A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\updater.exe
API String ID: 2506810119-3006157215
Opcode ID: 116f6af00f2217509b1391b99f345724b941e01ad40ad5b6dc2098fea8accf96
Instruction ID: a32d4c65ee83e67d0e99ae96a41e3131b6aa856fad60225bd17b127b517506a5
Opcode Fuzzy Hash: 116f6af00f2217509b1391b99f345724b941e01ad40ad5b6dc2098fea8accf96
Instruction Fuzzy Hash: 15319DB1A0061CEFCB21EFD9DD858AEBBBCEF95310B104066FA0497252DB744E41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A9969C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00000001), ref: 00A996CC

Strings

Anchor Color Visited, xrefs: 00A997DD
Anchor Color, xrefs: 00A997A4
Software\Microsoft\Internet Explorer\Settings, xrefs: 00A9976A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: TextWindow
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings
API String ID: 530164218-3433146436
Opcode ID: fa60fc196017c915337a1bea431bdb7bcb6a8e73e4b33d8dae10812441b2c78c
Instruction ID: d4cfc54b3d06f28a58c3faca29b858cfa6bf039e3ae232eb5b3dcae0bf8f6775
Opcode Fuzzy Hash: fa60fc196017c915337a1bea431bdb7bcb6a8e73e4b33d8dae10812441b2c78c
Instruction Fuzzy Hash: D1415870A01218AAEF20DF59C955BAEB3F5BF55310F10429EE819A3290EB706E84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AEEBF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 00AEEC70

Strings

csm, xrefs: 00AEEC09

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Initialize
String ID: csm
API String ID: 2538663250-1018135373
Opcode ID: d1baf270dbf62662689f17a6786cf64d54aa830dccbc79e624dcae27a468b1a1
Instruction ID: b94ae95e672634fbcc9cf8c3be2f91fcc41903d2841477dd3de91903339ca7cb
Opcode Fuzzy Hash: d1baf270dbf62662689f17a6786cf64d54aa830dccbc79e624dcae27a468b1a1
Instruction Fuzzy Hash: 19114F71A002895EDE10FFF79B077AE26E5AF55340F140864FA04E6243EE39D91086B3

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B710 Relevance: 6.5, APIs: 5, Instructions: 254COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000001,00000008,?,00000000,00000001,00000000,C956CA52,00000004,00000000), ref: 00A8B780
GetLastError.KERNEL32(?,00000000,00000001,00000000,C956CA52,00000004,00000000), ref: 00A8B7B2
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,C956CA52,00000004,00000000), ref: 00A8B7FB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9ac17d76ed2b9cf2dac43c72715fd0e4ac2507f30cdcef92b78360211ae260b6
Instruction ID: a265d208bf8281ced968472548e22b5715c04faa6ac85d2d7f0fb79646097862
Opcode Fuzzy Hash: 9ac17d76ed2b9cf2dac43c72715fd0e4ac2507f30cdcef92b78360211ae260b6
Instruction Fuzzy Hash: A9819675700705ABEF24AFA4EC45BAEB7B8FF44B51F10412AF905E7290DB35E9048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B9D0 Relevance: 6.5, APIs: 5, Instructions: 249COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000001,00000008,?,00000000,00000001,00000000,C956CA52,?,?,?,00000001,00000000,C956CA52,00000004), ref: 00A8BA40
GetLastError.KERNEL32(?,00000000,00000001,00000000,C956CA52,?,?,?,00000001,00000000,C956CA52,00000004,00000000), ref: 00A8BA72
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,C956CA52,?,?,?,00000001,00000000,C956CA52,00000004,00000000), ref: 00A8BABB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: cedbbee70a40aae34aa02614054d2d792f103bd5b5950ce21bbe13b8c279101a
Instruction ID: 96667e7acdfbae59d0cfcff847a05e974edfda0409b8b8fc62f28a22703b456d
Opcode Fuzzy Hash: cedbbee70a40aae34aa02614054d2d792f103bd5b5950ce21bbe13b8c279101a
Instruction Fuzzy Hash: 5381A575B00609AFEF24EFA4DC45BAEB7B8FB48751F10412AF915E7690DF31A9048B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB4D0 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00AFB55B
__alldvrm.LIBCMT ref: 00AFB75C
__alldvrm.LIBCMT ref: 00AFB77E

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 79920e698a1ecdc048f021869cc2c46f777150bb015cee654010e9029b8f0aa7
Instruction ID: b4e95ab8a87178b48de2ddfdbef2c554123cf0e711dad2ce7173563b57b0855e
Opcode Fuzzy Hash: 79920e698a1ecdc048f021869cc2c46f777150bb015cee654010e9029b8f0aa7
Instruction Fuzzy Hash: E5A16771A2528A9FDB219FA8C8917BEBBF0EF55300F184169F6859B281C3388D41C760

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E7E0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00A9E832

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AA0D60: InitializeCriticalSection.KERNEL32(?,C956CA52,00000000,00000000), ref: 00AA0D9D
Part of subcall function 00AA0D60: EnterCriticalSection.KERNEL32(00000000,C956CA52,00000000,00000000), ref: 00AA0DAA
Part of subcall function 00AA0D60: GetCurrentProcessId.KERNEL32( [PID=,00000006,00B2A430,00000002), ref: 00AA0E48
Part of subcall function 00AA0D60: GetCurrentThreadId.KERNEL32 ref: 00AA0E67

GetLastError.KERNEL32 ref: 00A9E918

Strings

OpenService failed error code: , xrefs: 00A9E96C
Unable to open SCM error code: , xrefs: 00A9E886

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalCurrentErrorLastProcessSection$EnterHeapInitializeThread
String ID: OpenService failed error code: $Unable to open SCM error code:
API String ID: 3417424740-3695868027
Opcode ID: 92fb76733b117f61452a18eee6498b2a5e9446370f2e7c3c400ff3b0cec4a9cf
Instruction ID: 24b5ce3fbb7194d047edba2681eaf143bece547f0b6f2269527b09f707933ee4
Opcode Fuzzy Hash: 92fb76733b117f61452a18eee6498b2a5e9446370f2e7c3c400ff3b0cec4a9cf
Instruction Fuzzy Hash: DB71D2316002559FDB10EF68CD09BAEBBE0FF05320F148658F8599B2A2DB709D04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD8220 Relevance: 6.2, APIs: 4, Instructions: 200threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(8B0C428D,00B159A2,00000001,?), ref: 00AD831A
GetLastError.KERNEL32 ref: 00AD8324
GetExitCodeThread.KERNEL32(00000000,?,?,00000000,00B29F68,00000000,00000000,?,00000000,00000000,C956CA52,?,00000000,?), ref: 00AD83FE
GetLastError.KERNEL32 ref: 00AD840D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLastThread$CodeExitMessagePost
String ID:
API String ID: 951987726-0
Opcode ID: 4de2e43e996c7ab7947bb2eaa89ff5462c2ec4466e10cee7dd376abf5cd72bc5
Instruction ID: 8a21f3d530065e1cb581918b2e5010322f6057046d8164f249f1b8e430eb8dfc
Opcode Fuzzy Hash: 4de2e43e996c7ab7947bb2eaa89ff5462c2ec4466e10cee7dd376abf5cd72bc5
Instruction Fuzzy Hash: 80819BB1900609EFDB10DFA8D994BEEFBB4FF04314F50865AE416A7280DB75A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAEC0 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: LongWindow$Parent
String ID:
API String ID: 2125864951-0
Opcode ID: e0f9cc1077c35a0ac0d446b153af32f93e3c3f2724d00da675fa3227fe5f7289
Instruction ID: b507222a07b66b39f451e310e0b7554d46adb801c6edb922eef910d4b3c81730
Opcode Fuzzy Hash: e0f9cc1077c35a0ac0d446b153af32f93e3c3f2724d00da675fa3227fe5f7289
Instruction Fuzzy Hash: 5351F672B44609AFDB14DF64D842BFAF7A8FB44710F40022AE915973C1DB766924CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7490 Relevance: 6.2, APIs: 4, Instructions: 173networkCOMMON

Download Yara Rule

APIs

InternetQueryOptionW.WININET(00000000,0000004B,C956CA52,00AA64BD), ref: 00AA7502
GetLastError.KERNEL32 ref: 00AA750C
_wcschr.LIBVCRUNTIME ref: 00AA75BB

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorInternetLastOptionQuery_wcschr
String ID:
API String ID: 4155398863-0
Opcode ID: 1404e9ffce5c2615e006515d1f617a81b0d0e0563588249ae21dea826f7cfa5d
Instruction ID: 089b9b27d9cc083e89a7e9b9af677333098809d5a42254b394898b7e5e2caa36
Opcode Fuzzy Hash: 1404e9ffce5c2615e006515d1f617a81b0d0e0563588249ae21dea826f7cfa5d
Instruction Fuzzy Hash: 8C617D71A0060A9FDB14DF68C948BAEFBB5FF45321F208659E815AB391EB359940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4700 Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000034,00000000,00000000,00000000,0000005F,?,?,00000000,?,80070057,?), ref: 00AC47FA
GetLastError.KERNEL32(80070057,?,?,00000000,0000000C,00AC47EE,0000000C,?,?,00000000,00000000,00AC49F1,?,?,?,?), ref: 00AC4819
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,00000000,0000000C,00AC47EE,0000000C,?,?,00000000,00000000,00AC49F1,?), ref: 00AC482D
GetLastError.KERNEL32(?,00000000,0000000C,00AC47EE,0000000C,?,?,00000000,00000000,00AC49F1,?,?,?,?), ref: 00AC483A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorFileLast$CreateMappingView
String ID:
API String ID: 2231327692-0
Opcode ID: 25f2f5828312ce8d6ba6031db8aa7e689edce9c9a478868b98359b2b1a8f64c8
Instruction ID: c2a25118ebf54536dee6f2112acba641826f5918fd49fb1ac4e594510f7c231c
Opcode Fuzzy Hash: 25f2f5828312ce8d6ba6031db8aa7e689edce9c9a478868b98359b2b1a8f64c8
Instruction Fuzzy Hash: 404102366007019FD7209F68DC94F5AB3A1FF8A720F12466EE522DB590DB30E844CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00AA7930 Relevance: 6.1, APIs: 4, Instructions: 125networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,00AA4B44,00000000,00000000,?,00AA4B44,00000000), ref: 00AA7993
MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,00AA4B44,?,00000000,?,00AA4B44,00000000), ref: 00AA79C5
InternetSetStatusCallbackW.WININET(00000000,00000000), ref: 00AA7A50
InternetCloseHandle.WININET(00000000), ref: 00AA7A59

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharInternetMultiWide$CallbackCloseHandleHeapProcessStatus
String ID:
API String ID: 4164208729-0
Opcode ID: 98c85d8f16e5c3629dd81a8d7c219e7d5d12ec859771c572db9768570f7d58a5
Instruction ID: d4e029b341bfc494dadf3877e407261ff6ddadbdb1cf0603938f1a1034daf5b9
Opcode Fuzzy Hash: 98c85d8f16e5c3629dd81a8d7c219e7d5d12ec859771c572db9768570f7d58a5
Instruction Fuzzy Hash: 5241CF31204644AFD721DF58DD49F6EBBE8EB06B10F10861EF955DB390DB71A9008B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A870 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

CoRevokeClassObject.OLE32(?,C956CA52), ref: 00A8A8D2
RevokeActiveObject.OLEAUT32(?,00000000), ref: 00A8A8E9
CoRevokeClassObject.OLE32(?,C956CA52), ref: 00A8A948
FreeLibrary.KERNEL32(?,C956CA52), ref: 00A8A987

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ObjectRevoke$Class$ActiveFreeLibrary
String ID:
API String ID: 1969129228-0
Opcode ID: ad19ad962ee1d8021b8fb8a28db07abed709a1ae7da12b2f888605553f9a12b0
Instruction ID: 830bebf55ed05dbda67149859991a6e4d87a3aad3dc7c5bd29c80e3503592d07
Opcode Fuzzy Hash: ad19ad962ee1d8021b8fb8a28db07abed709a1ae7da12b2f888605553f9a12b0
Instruction Fuzzy Hash: 06410371902606EFEB21EF28C944B4AFBF4FF10724F10865AE46597690D775EA01CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00AFF2AE Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,6DE85006,00AF4A29,00000000,00000000,00AF5CB6,?,00AF5CB6,?,00000001,00AF4A29,6DE85006,00000001,00AF5CB6,00AF5CB6), ref: 00AFF2FB
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AFF384
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AFF396
__freea.LIBCMT ref: 00AFF39F

Part of subcall function 00AFB073: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AFB143,?,00000000,?,00AF3D73,?,00000004,00000004,?,00000000,?,00AF944D), ref: 00AFB0A5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 067b60a310b9abdc7e142c934f0c3a583901b09d65a25fb46b397b183436f4a9
Instruction ID: 1494c019d56d937e4096f2652b6615c96123eafab68ab90ec34dbbff2c01113e
Opcode Fuzzy Hash: 067b60a310b9abdc7e142c934f0c3a583901b09d65a25fb46b397b183436f4a9
Instruction Fuzzy Hash: F031BD32A0020AAFDB248FA5CC85EBE7BA5EF01710F054228FD149B290EB35DD54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4DA0 Relevance: 6.1, APIs: 4, Instructions: 106fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,C956CA52,00000000,00000000,install), ref: 00AC4DDA
CloseHandle.KERNEL32(?,C956CA52,00000000,00000000,install), ref: 00AC4DEE
CloseHandle.KERNEL32(?,C956CA52,00000000,00000000,install), ref: 00AC4DF8
CloseHandle.KERNEL32(?,C956CA52,00000000,00000000,install), ref: 00AC4E02

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: aae7e22408265cde2699c7f80b89222edbd8b7069d6a6cb828ee4620f9964d3d
Instruction ID: 9f85724b941cbc9b0a541155cbf4577ce2e700b48d1c4338b9a0a3ed4b068242
Opcode Fuzzy Hash: aae7e22408265cde2699c7f80b89222edbd8b7069d6a6cb828ee4620f9964d3d
Instruction Fuzzy Hash: E6414A70A016459FD711CF6DC948B4AFBF8EF49320F1586A9D415D72A1DB34ED04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE6F10 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

CreatePropertySheetPageW.COMCTL32(00AE6839,C956CA52,00000020,00000044,00000000,00000020,?,00B12295,000000FF,?,00AE6839,?), ref: 00AE6F3B
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AE6F6B
DestroyPropertySheetPage.COMCTL32(00000000,?,00AE6839,?,?,?,?,?,?,C956CA52,00000000,00000000,?), ref: 00AE6F78

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: PagePropertySheet$CreateDestroyMessageSend
String ID:
API String ID: 906237230-0
Opcode ID: ea97c621d1fd2b73beb62b729aca2eac32ef0516e3c5caa4e45135ac6e4af625
Instruction ID: 0f9021667d652c29b267351ef9dec141d483d00131f1d1fd47f0ed02d0eb5d73
Opcode Fuzzy Hash: ea97c621d1fd2b73beb62b729aca2eac32ef0516e3c5caa4e45135ac6e4af625
Instruction Fuzzy Hash: B931E371A047859FDB20CF56D880B6AF7F8FB547A4F104A2EE90697680EB71EC04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA3C0 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B46108,C956CA52), ref: 00ABA3FD
GetCurrentThreadId.KERNEL32 ref: 00ABA411
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABA44F
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00ABA4AC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 38d5e002516d6d2213ea25d5eb8e7d321a7e90201984cd4ee731ef87c55c9fdc
Instruction ID: 10d6dbe71dd4e5184850335040842c0f39f9733d00ba2b3b3682c81c09633c7a
Opcode Fuzzy Hash: 38d5e002516d6d2213ea25d5eb8e7d321a7e90201984cd4ee731ef87c55c9fdc
Instruction Fuzzy Hash: 7831F932A04255AFCB10CF65DC08B9ABBF8FF55760F00426AE815E3751DB71A910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA4E0 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B46108,C956CA52), ref: 00ABA51D
GetCurrentThreadId.KERNEL32 ref: 00ABA531
LeaveCriticalSection.KERNEL32(00B46108), ref: 00ABA56F
SetWindowLongW.USER32(?,00000004,00000000), ref: 00ABA5CC

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: bb73034cbc36cd8771f5c4d597d4fe3b6a0225689e9d48d6c82411802f8245ff
Instruction ID: e7981efa9fef6edd6c9d9d638ffdb0581df1e07de50fe3ba61de256d644931b8
Opcode Fuzzy Hash: bb73034cbc36cd8771f5c4d597d4fe3b6a0225689e9d48d6c82411802f8245ff
Instruction Fuzzy Hash: 5C31FC32904645EFCB20CF69DC44B9ABBF8FF55760F00425AE815E3351D771AA10CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ABF6A0 Relevance: 6.1, APIs: 4, Instructions: 97windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE2C00: SetWindowTextW.USER32(?,00B285E8), ref: 00AE2C24

GetParent.USER32(?), ref: 00ABF76A
PostMessageW.USER32(00000000,00000471,00000002,00000000), ref: 00ABF77A

Part of subcall function 00AC0390: GetWindowLongW.USER32(?,000000F0), ref: 00AC03C5
Part of subcall function 00AC0390: GetParent.USER32(?), ref: 00AC03CF

GetParent.USER32(?), ref: 00ABF79A
PostMessageW.USER32(00000000,00000471,00000001,00000000), ref: 00ABF7AA

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Parent$MessagePostWindow$LongText
String ID:
API String ID: 3912892740-0
Opcode ID: f4d2c47f8f47647fdfc9babf8699701c143a8e655f3a2b33d541ace011d0fe45
Instruction ID: deba495ee3e798ad1808011fedb4c0d5e23848e2ed7911f92acc9685714c8998
Opcode Fuzzy Hash: f4d2c47f8f47647fdfc9babf8699701c143a8e655f3a2b33d541ace011d0fe45
Instruction Fuzzy Hash: BB318072301202AFEA10DB58DC85FE9F768FF54710F148569F349AB1A2DBB1AC56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A470 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00A9A4A5
GetStockObject.GDI32(0000000D), ref: 00A9A4B8
GetObjectW.GDI32(?,0000005C,C956CA52), ref: 00A9A4DE
CreateFontIndirectW.GDI32(?), ref: 00A9A50F

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Object$CreateDeleteFontIndirectStock
String ID:
API String ID: 1113379131-0
Opcode ID: 7d8897e45cc14025df137dedaf416a568cc5526a7efd22cd1dbce6291fd0d919
Instruction ID: 7ed328d04e6f319d35504283e69204a394e632dae7cd145059c1b4c5e2d72c22
Opcode Fuzzy Hash: 7d8897e45cc14025df137dedaf416a568cc5526a7efd22cd1dbce6291fd0d919
Instruction Fuzzy Hash: D321F571A007889FDB20DFA4DD49BAABBF8FF44724F00421EE956DB6C1DBB4A5048B41

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A670 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A9A6BA
SendMessageW.USER32(00000000,00000138,00000000,?), ref: 00A9A6CC
GetClientRect.USER32(?,?), ref: 00A9A6E6
FillRect.USER32(00000000,?,00000000), ref: 00A9A6F4

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Rect$ClientFillMessageParentSend
String ID:
API String ID: 425900729-0
Opcode ID: a428e386d992c199124863be2d1bca8445e811f1895b0e72c3b2280565f09dfa
Instruction ID: a2fae265fc81fad26eb2eb6acd8b382e063670308c64874d783433a9fba6cc98
Opcode Fuzzy Hash: a428e386d992c199124863be2d1bca8445e811f1895b0e72c3b2280565f09dfa
Instruction Fuzzy Hash: F711B776900704AFCB10DF54DD45A9AFBF8FB19710F504269FD1597290DB316D10CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AF22DE Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00AF22F8

Part of subcall function 00AF2245: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AF2274
Part of subcall function 00AF2245: ___AdjustPointer.LIBCMT ref: 00AF228F

_UnwindNestedFrames.LIBCMT ref: 00AF230D
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AF231E
CallCatchBlock.LIBVCRUNTIME ref: 00AF2346

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 73c323dc4542d0db21c672283fcde77eabbba66266825555033cde54c15294b5
Instruction ID: e4e249c4bd285e6482783614783d7ba5048cdff3a4ef1dbc1b585f168569b36a
Opcode Fuzzy Hash: 73c323dc4542d0db21c672283fcde77eabbba66266825555033cde54c15294b5
Instruction Fuzzy Hash: 1E01297210014CBBDF12AF95CD46EEF3F69EF48754F044118FE48AA121C736E861ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ABFBB0 Relevance: 6.1, APIs: 4, Instructions: 53windowsleepCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ABFBBE
IsWindowVisible.USER32(?), ref: 00ABFC02
Sleep.KERNEL32(0000000A,?,00ABFB14,?), ref: 00ABFC1C
IsWindowVisible.USER32(?), ref: 00ABFC21

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: VisibleWindow$Sleep
String ID:
API String ID: 2470227460-0
Opcode ID: 526a45c61edbeea8c2e8d54cf725487ed242bd559327364fbde9f6ca2600e55b
Instruction ID: cfbd6aaa2b76bbc5338b3e06d62d2f49fa36325ee506127f48a54aff7590d2cd
Opcode Fuzzy Hash: 526a45c61edbeea8c2e8d54cf725487ed242bd559327364fbde9f6ca2600e55b
Instruction Fuzzy Hash: E51184353003059FDB209F68DC80FA6BBAAFF8A714B188479E5598B221CB72EC51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AFC73F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000004,00000000,00000000,?,00AFC6E6,00000004,00000000,00000000,00000000,?,00AFC950,00000006,FlsSetValue), ref: 00AFC771
GetLastError.KERNEL32(?,00AFC6E6,00000004,00000000,00000000,00000000,?,00AFC950,00000006,FlsSetValue,00B1F674,FlsSetValue,00000000,00000364,?,00AFAF9C), ref: 00AFC77D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AFC6E6,00000004,00000000,00000000,00000000,?,00AFC950,00000006,FlsSetValue,00B1F674,FlsSetValue,00000000), ref: 00AFC78B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b16e872ca6d443b97d37ee3b4d4684a19f2666198a2f96ad90c9ff59a66ba19c
Instruction ID: 061fd5e57e84d092bd96b5fb07228da9530ca5d3f168d44d621990b2c5cb48ee
Opcode Fuzzy Hash: b16e872ca6d443b97d37ee3b4d4684a19f2666198a2f96ad90c9ff59a66ba19c
Instruction Fuzzy Hash: EC01AC3661122F9BC7215BAA9D48DB67798AF45BB17604521FA05D7151DF30E800CEE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F690 Relevance: 6.1, APIs: 4, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,C956CA52,?,?,?,00B080E0,000000FF), ref: 00A9F6C7
GetExitCodeThread.KERNEL32(?,?,?,?,?,00B080E0,000000FF), ref: 00A9F6E1
TerminateThread.KERNEL32(?,00000000,?,?,?,00B080E0,000000FF), ref: 00A9F6F9
CloseHandle.KERNEL32(?,?,?,?,00B080E0,000000FF), ref: 00A9F702

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: e4c7a5ff2d3645bfb811703f61366ba65b69c86343d7c180462b102d37e3587f
Instruction ID: 644466b3fa663c36b32c18c57925a7e6944651a2f2be57f4c5a2d2857017de3b
Opcode Fuzzy Hash: e4c7a5ff2d3645bfb811703f61366ba65b69c86343d7c180462b102d37e3587f
Instruction Fuzzy Hash: 80112531600704EFCB218F14DC45B96BBF8FB04710F008629F969D32A0DBB0A910CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F730 Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,C956CA52,?,?,?,00B080E0,000000FF), ref: 00A9F767
GetExitCodeThread.KERNEL32(?,?,?,?,?,00B080E0,000000FF), ref: 00A9F781
TerminateThread.KERNEL32(?,00000000,?,?,?,00B080E0,000000FF), ref: 00A9F799
CloseHandle.KERNEL32(?,?,?,?,00B080E0,000000FF), ref: 00A9F7A2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: 8f97440aa17b39bc5ed8d3d556439325254c4b1dc849cf8c8b084d2599cb2f85
Instruction ID: 0742074e811dc8ff504e4158665e29d20de7bf8ea3ba92923c79a7f685e54d33
Opcode Fuzzy Hash: 8f97440aa17b39bc5ed8d3d556439325254c4b1dc849cf8c8b084d2599cb2f85
Instruction Fuzzy Hash: B4017571600B05EFDB218F54DD45B96B7F8FB09711F004A2DE86AD36A0DB75B950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE57C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE586
LeaveCriticalSection.KERNEL32(00B45378,?,?,00A83E67,00B45F78,00B18EF0), ref: 00AEE5B9
SetEvent.KERNEL32(00000000,00A83E67,00B45F78,00B18EF0), ref: 00AEE647
ResetEvent.KERNEL32 ref: 00AEE653

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 15b094ce5d54eda3ac0ad6698c7fc36ce6eceebddc3230936b41c7a7ebb59ed0
Instruction ID: 8148469a3c15ae0df8679d397cc1738d2d4efbdfaf855cf36c6c2fcd5aa19b02
Opcode Fuzzy Hash: 15b094ce5d54eda3ac0ad6698c7fc36ce6eceebddc3230936b41c7a7ebb59ed0
Instruction Fuzzy Hash: 46014F79A02A10EFDB259F18FC4899937B9FB4B3517414059E90797321CF706A60CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F7C0 Relevance: 6.0, APIs: 4, Instructions: 35threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00A9F8B0,?,00000000,?), ref: 00A9F7E2
GetLastError.KERNEL32(?,00000000,?), ref: 00A9F7EF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?), ref: 00A9F803
GetExitCodeThread.KERNEL32(?,?,?,00000000,?), ref: 00A9F811

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Thread$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 2732711357-0
Opcode ID: 3a86634d8cdfd9066a72283011a3a66cd0d7de62e47a1a48beca574dd7a6d276
Instruction ID: b6b57f882ff45c2d39739e6ac14965d5469779ce07abbb01fddc6c442452c37d
Opcode Fuzzy Hash: 3a86634d8cdfd9066a72283011a3a66cd0d7de62e47a1a48beca574dd7a6d276
Instruction Fuzzy Hash: 3DF03C31209311AFD761CF64EC48F9BBBE4EB49710F008E2AB599D2190DB70E844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB7A10 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AB7A25
SendMessageW.USER32(00000000,0000048C,?,?), ref: 00AB7A39
GetParent.USER32(?), ref: 00AB7A52
GetDlgItem.USER32(?,00000000), ref: 00AB7A65

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Parent$ItemMessageSend
String ID:
API String ID: 693264709-0
Opcode ID: 997f917659f9816cf8c327df9137faf3d1b1e7f2464128e17141d26719b13a41
Instruction ID: 5d6525aa115a91eb8ebadad256f8c3a242a5296a33b029a58d943c0a189177e2
Opcode Fuzzy Hash: 997f917659f9816cf8c327df9137faf3d1b1e7f2464128e17141d26719b13a41
Instruction Fuzzy Hash: 68F09071105210AFEB126B70DD08ADEBFAAEF84310F40C81DB18593261CBB69940DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AE6E20 Relevance: 6.0, APIs: 4, Instructions: 28windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000475,00000000,?), ref: 00AE6E31
IsWindow.USER32(?), ref: 00AE6E3E
SendMessageW.USER32(?,00000476,00000000,00000000), ref: 00AE6E54
PostQuitMessage.USER32(00000000), ref: 00AE6E60

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Message$Send$PostQuitWindow
String ID:
API String ID: 1571817601-0
Opcode ID: 26e251d5e198f8566322e6a85ac07f5d6b8551daf2487510b9fd881941f5a4bd
Instruction ID: a9b5274afc2da0791d58285b5b40f86a3f28aabb55d9c95c80e350df82b2f0b4
Opcode Fuzzy Hash: 26e251d5e198f8566322e6a85ac07f5d6b8551daf2487510b9fd881941f5a4bd
Instruction Fuzzy Hash: 91F0E5753553006BFB311F22ED0DB8ABA56AB10B91F008825B685971E4DAA19851C615

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB990 Relevance: 6.0, APIs: 4, Instructions: 20threadwindowCOMMON

Download Yara Rule

APIs

CoAddRefServerProcess.OLE32 ref: 00AAB997
InterlockedIncrement.KERNEL32(?), ref: 00AAB9A5
CoReleaseServerProcess.OLE32 ref: 00AAB9B0
PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00AAB9C5

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ProcessServer$IncrementInterlockedMessagePostReleaseThread
String ID:
API String ID: 1957768959-0
Opcode ID: 04cc6bf21274513ca3200a4bda5d81e8e41563ddb639f7e1d80e950060daeb8a
Instruction ID: b834ee9d1aeb8025b0fa8dcb266d210b079b99d55db0019afed0f2be59e8258d
Opcode Fuzzy Hash: 04cc6bf21274513ca3200a4bda5d81e8e41563ddb639f7e1d80e950060daeb8a
Instruction Fuzzy Hash: 55E0B631215200AFD3509B68DE4CB9BBBE9BF69706F81C814F545E71A2DF34D814EB22

Uniqueness

Uniqueness Score: -1.00%

Function 00AB43D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 428COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00AB4606
SetRectEmpty.USER32(?), ref: 00AB46D0

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00AB5E60: GetSystemMetrics.USER32(00000000), ref: 00AB5F3F
Part of subcall function 00AB5E60: GetSystemMetrics.USER32(00000001), ref: 00AB5F46

Strings

@, xrefs: 00AB4A00

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: EmptyMetricsRectSystem$HeapProcess
String ID: @
API String ID: 3451170441-2766056989
Opcode ID: c3de759661a7b12c4434256b9e8d6121b927e2d693a71b20a508ebae0865113e
Instruction ID: d4d6dab1041a0e7523c5eb7aa18639e1104fb9b1575b8c823dc334f865a08dae
Opcode Fuzzy Hash: c3de759661a7b12c4434256b9e8d6121b927e2d693a71b20a508ebae0865113e
Instruction Fuzzy Hash: AD223AB0401785DFEB11DF28C55879ABFE0AF05318F24859CD9A99F392C7B9A608CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD84A0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 424threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(8B0C428D,00B159A2,00000001,?), ref: 00AD85AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B15C00), ref: 00AD85B5

Part of subcall function 00AD90E0: GetActiveWindow.USER32 ref: 00AD9127
Part of subcall function 00AD90E0: SetLastError.KERNEL32(0000000E), ref: 00AD914A

Strings

AutoUpdatePolicy, xrefs: 00AD8625

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ErrorLast$ActiveMessagePostThreadWindow
String ID: AutoUpdatePolicy
API String ID: 3170639484-4250888325
Opcode ID: f6394b364421e0d507dfe6a646625e758014825ec4e1b3cc06a7aeb8ebc8ab09
Instruction ID: 5d2f64d2df75d22c7234d06881a0ddba2b2852bfd42474edeb27b94f99c5e91c
Opcode Fuzzy Hash: f6394b364421e0d507dfe6a646625e758014825ec4e1b3cc06a7aeb8ebc8ab09
Instruction Fuzzy Hash: 72027970600249EFDB18CF68C994BEEBBA4BF44314F14815AF8569B381DB79ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD21F0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00AD2225

Strings

\?"|><:/*, xrefs: 00AD1F88

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _wcsrchr
String ID: \?"|><:/*
API String ID: 1752292252-1324864017
Opcode ID: c088e29c15e0b99c191a4e64a72e9bbd1d04e534e60cdd56a3b516ec94c3546d
Instruction ID: 1bfb2562eedbecd03969e8015ffb0c4d927edd98c8cccbdae3d96f6583b2539b
Opcode Fuzzy Hash: c088e29c15e0b99c191a4e64a72e9bbd1d04e534e60cdd56a3b516ec94c3546d
Instruction Fuzzy Hash: BBE16D74A01605DFCB04DFA8C994BAEB7B1FF58314F1481ADE416AB361DB35A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD0C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

SetRectEmpty.USER32(?), ref: 00ABD2F5

Part of subcall function 00A88E90: GetUserDefaultUILanguage.KERNEL32 ref: 00A88EFB

Strings

j, xrefs: 00ABD142
Caphyon, xrefs: 00ABD25D

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: DefaultEmptyHeapLanguageProcessRectUser
String ID: Caphyon$j
API String ID: 1149285834-2631482484
Opcode ID: 429ca1d9a175336b3c34d0563630865773250cd1bad78dc8dbfd22c26bf453b3
Instruction ID: a90b971378999cfa4e101a2e3ccffd92d8b117eb6a1d4c596ec1659d77007122
Opcode Fuzzy Hash: 429ca1d9a175336b3c34d0563630865773250cd1bad78dc8dbfd22c26bf453b3
Instruction Fuzzy Hash: 30A16C71501645DFDB00DF28C598B89BFE0FF05318F1481A8E9589F396D7B99A18CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB38D0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 202COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00AB3A25

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

Strings

General, xrefs: 00AB39F4, 00AB3A04
DownloadsFolder, xrefs: 00AB3933, 00AB3943, 00AB39B2, 00AB39C2

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: FindHeapPrivateProcessProfileResourceStringWrite
String ID: DownloadsFolder$General
API String ID: 3872484821-1606063811
Opcode ID: c98e871836089bbcb7b5c5fd75150725dde6469613e87459d2f82165006b89e9
Instruction ID: da13d57e391ebca7d90182351f13430bd13c412784dc6000c0e41e333b328a97
Opcode Fuzzy Hash: c98e871836089bbcb7b5c5fd75150725dde6469613e87459d2f82165006b89e9
Instruction Fuzzy Hash: 3071C732901605DFDB00DFA8C945BAEB7B4FF05320F24826DE965AB2D2DB319E04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB3B30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(?,C956CA52,00000000,?), ref: 00AB3C9A

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

Part of subcall function 00A871F0: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,00A81A30,file://,?,80004005,C956CA52,?,00B0BC2A,000000FF), ref: 00A87228

Strings

General, xrefs: 00AB3C6C, 00AB3C7C
CheckFrequency, xrefs: 00AB3B90, 00AB3BA0, 00AB3C2A, 00AB3C3A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: FindHeapPrivateProcessProfileResourceStringWrite
String ID: CheckFrequency$General
API String ID: 3872484821-4252838660
Opcode ID: e21bb81266098d235831b3499b34b003fa58965835ce91f92b7a50be0a3973a7
Instruction ID: c59842d77c53a9ab4ddc6a5cf8cc13342b3f816578d9da92a8614e60dec3ae45
Opcode Fuzzy Hash: e21bb81266098d235831b3499b34b003fa58965835ce91f92b7a50be0a3973a7
Instruction Fuzzy Hash: 7B619731901649DFDB00EFA8C945B9DBBB4FF05324F148659E925EB2E2DB709E04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA6910 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A83D50: GetProcessHeap.KERNEL32 ref: 00A83DA5

FtpCommandW.WININET(?,00000000,00000001,00AA5C93,?,00000000), ref: 00AA6988
_wcschr.LIBVCRUNTIME ref: 00AA69AF

Part of subcall function 00AA68C0: GetLastError.KERNEL32(00000000,80004005,80004005), ref: 00AA68C3
Part of subcall function 00AA68C0: WaitForSingleObject.KERNEL32(?,0000000A), ref: 00AA68F1

Strings

REST %u, xrefs: 00AA6961

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: CommandErrorHeapLastObjectProcessSingleWait_wcschr
String ID: REST %u
API String ID: 1613455642-3183379045
Opcode ID: 0a226f2430bcce406c03f5bae1971082a6d675d053dc880ab0dcc585b8ddb40e
Instruction ID: b10761d1c6bdd9969b1076eee3403689ab7324b3c750a99f690e067119f5aecc
Opcode Fuzzy Hash: 0a226f2430bcce406c03f5bae1971082a6d675d053dc880ab0dcc585b8ddb40e
Instruction Fuzzy Hash: 1551DE31600605AFD710DF68C984BAAB7B8FF46324F28826AE525DB6D1DB75EC04CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AD5730 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_wcsstr.LIBVCRUNTIME ref: 00AD57FF

Strings

/qb, xrefs: 00AD57F9, 00AD5824
msi, xrefs: 00AD57E1

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: _wcsstr
String ID: /qb$msi
API String ID: 1512112989-3627483025
Opcode ID: b842980d374641f452dc346156ae4e7c328ab38dbc10cba2396b27963061837c
Instruction ID: 968e3108b0875d78f8a5c6db7eea92c2cd78054de877413063021de032074387
Opcode Fuzzy Hash: b842980d374641f452dc346156ae4e7c328ab38dbc10cba2396b27963061837c
Instruction Fuzzy Hash: 8D31EF71A00A05DFDB20DF28C985B6EB7F4FF04714F10856AE866DB390DB70A904DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B01CEB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 00B01DC6

Strings

OCP, xrefs: 00B01D3F
ACP, xrefs: 00B01D09

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: e9c116d0ac793fad731bb5bd47c23106d06dffd1c6d069180e38eb05e439f35b
Instruction ID: ef5451a986d575cc4609e67f13edd894e05a27c65ed1207736229c053eda88b9
Opcode Fuzzy Hash: e9c116d0ac793fad731bb5bd47c23106d06dffd1c6d069180e38eb05e439f35b
Instruction Fuzzy Hash: 3F217462B10105A6D73C9F6CC941BA77BE6EB54B50F564EF4E90AD7184E732DE408390

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDA00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00ABDAB5
PostMessageW.USER32(00000000,00000471,00000002,00000000), ref: 00ABDAC5

Strings

AutoUpdatePolicy, xrefs: 00ABDA5A

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: MessageParentPost
String ID: AutoUpdatePolicy
API String ID: 3400216365-4250888325
Opcode ID: 55b3f2d3aec4ac9db9c4f0d8564a08062e52c8dc38e3f9a157d019d4b45b2b58
Instruction ID: 1e79666b3917ad2b4a13e083e43384b823ea97bf160c4d41166db1dd645c9f4f
Opcode Fuzzy Hash: 55b3f2d3aec4ac9db9c4f0d8564a08062e52c8dc38e3f9a157d019d4b45b2b58
Instruction Fuzzy Hash: FC21A431244545EFEB10DF68CD45FA5B7A8FB48720F108269B929CF2E2DB74AD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AFCD8C Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,C956CA52,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,C956CA52), ref: 00AFCE22
GetLastError.KERNEL32(?,00000000), ref: 00AFCE30
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,C956CA52,00000000,?,00000000), ref: 00AFCE8B

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b64e1b9f94e0cb9301c9214b3bcaeb3c7e06e2223a4f851a8551739dbcdd8e0a
Instruction ID: e2e974c3f24875b49721f33752a03e3864d7bf1fe25dddd3bb6bc168a30f793d
Opcode Fuzzy Hash: b64e1b9f94e0cb9301c9214b3bcaeb3c7e06e2223a4f851a8551739dbcdd8e0a
Instruction Fuzzy Hash: 6E41E63160020DAFDF21DFE6CA446BABBB4EF42370F154169FA55AB2A1DB309D00C750

Uniqueness

Uniqueness Score: -1.00%

Function 00AECD7E Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,00ABAA35,C956CA52,75C04920,?,00000408,?,?,?,?,?,00AB51AF), ref: 00AECD83
HeapAlloc.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECD8A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00AB51AF), ref: 00AECDD0
HeapFree.KERNEL32(00000000,?,?,?,?,00AB51AF), ref: 00AECDD7

Part of subcall function 00AECC1D: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC41
Part of subcall function 00AECC1D: HeapAlloc.KERNEL32(00000000,?,00AECDC6,75C04920,?,?,?,?,00AB51AF), ref: 00AECC48

Memory Dump Source

Source File: 00000000.00000002.1679849984.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.1679830034.0000000000A80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679907824.0000000000B1A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679930923.0000000000B44000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679945553.0000000000B47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_updater.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 6aa9602e8e61641f57b060767171f6aa8bab672feb378f1e6c506ce983a9f3d5
Instruction ID: 8841fbcd07152e8e3324e4a4a5304a2a94ae90afc6dd33a849463e5bb53d0881
Opcode Fuzzy Hash: 6aa9602e8e61641f57b060767171f6aa8bab672feb378f1e6c506ce983a9f3d5
Instruction Fuzzy Hash: F4F0E933645B5297C725277ABC4DAAF3E659F847B17118479F446C7284DE21CC038761

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report updater.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: updater.exePID: 6584, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: updater.exePID: 6584, Parent PID: 2580COMMON

Execution Graph

Windows Analysis Report
updater.exe

Function 00ADDB80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76
libraryCOMMON

Function 00A8DFB0 Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Function 00AF8AFA Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 00AD63C0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 159
COMMON

Function 00ADD9F0 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Function 00A87BF0 Relevance: 1.6, APIs: 1, Instructions: 76
registryCOMMON

Function 00ABB550 Relevance: 51.5, APIs: 34, Instructions: 453
windowCOMMON

Function 00AB50F0 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 446
windowthreadCOMMON