Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
aO1TcEaxfW.exe

Overview

General Information

Sample name:aO1TcEaxfW.exe
renamed because original name is a hash value
Original sample name:e00ad02b0b162b28aa86c99845253184960e5532f7f74091cfb5a8a677084347.exe
Analysis ID:1532628
MD5:479c1f5c983e8c2e0f2f3b9a9ebb6d53
SHA1:c7c3bcf6fd11e394af0964072cf97f2f7bc5daa7
SHA256:e00ad02b0b162b28aa86c99845253184960e5532f7f74091cfb5a8a677084347
Tags:exeuser-Chainskilabs
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • aO1TcEaxfW.exe (PID: 2636 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5540 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 4396 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1776 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1264 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 2804 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 380 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1396 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 2128 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1372 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5420 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5488 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1680 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5756 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 2860 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 4444 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6692 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 3332 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5940 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 768 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1440 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 432 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 2876 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 528 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
    • aO1TcEaxfW.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\aO1TcEaxfW.exe" MD5: 479C1F5C983E8C2E0F2F3B9A9EBB6D53)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: aO1TcEaxfW.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: aO1TcEaxfW.exeReversingLabs: Detection: 63%
Source: aO1TcEaxfW.exeVirustotal: Detection: 67%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.7% probability
Machine Learning detection for sample
Source: aO1TcEaxfW.exeJoe Sandbox ML: detected
Source: aO1TcEaxfW.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aO1TcEaxfW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004D9E7A FindFirstFileExW,0_2_004D9E7A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004D9E7A FindFirstFileExW,2_2_004D9E7A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004D40230_2_004D4023
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004D91440_2_004D9144
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004F02100_2_004F0210
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_0050E35E0_2_0050E35E
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_0050740B0_2_0050740B
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_005035250_2_00503525
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004CC6FE0_2_004CC6FE
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004DD8750_2_004DD875
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004CFBD00_2_004CFBD0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004FDBE00_2_004FDBE0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_00507C090_2_00507C09
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C1CD20_2_004C1CD2
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004F2DF00_2_004F2DF0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_0050BDB30_2_0050BDB3
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004FAE7F0_2_004FAE7F
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004DBEF10_2_004DBEF1
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C1F1A0_2_004C1F1A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C6F3C0_2_004C6F3C
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004F2FB00_2_004F2FB0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004DD8752_2_004DD875
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004D40232_2_004D4023
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004D91442_2_004D9144
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004CFBD02_2_004CFBD0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C1CD22_2_004C1CD2
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004CC6FE2_2_004CC6FE
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004DBEF12_2_004DBEF1
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C1F1A2_2_004C1F1A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C6F3C2_2_004C6F3C
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: String function: 004D36CA appears 34 times
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: String function: 004CB3D1 appears 32 times
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: String function: 004CD615 appears 42 times
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: String function: 004C7830 appears 104 times
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: String function: 004F5C20 appears 55 times
Source: aO1TcEaxfW.exeStatic PE information: invalid certificate
Source: aO1TcEaxfW.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aO1TcEaxfW.exeStatic PE information: Section: .data ZLIB complexity 0.9963478649434317
Source: classification engineClassification label: mal64.winEXE@16226/0@0/0
Source: aO1TcEaxfW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: aO1TcEaxfW.exeReversingLabs: Detection: 63%
Source: aO1TcEaxfW.exeVirustotal: Detection: 67%
Source: unknownProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeSection loaded: apphelp.dllJump to behavior
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: aO1TcEaxfW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: aO1TcEaxfW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aO1TcEaxfW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aO1TcEaxfW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aO1TcEaxfW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aO1TcEaxfW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aO1TcEaxfW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C2198 push eax; ret 0_2_004C2392
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_0051637D push esi; ret 0_2_00516386
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004F55D3 push ecx; ret 0_2_004F55E6
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C6E4B push ecx; ret 0_2_004C6E5E
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C2198 push eax; ret 2_2_004C2392
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C6E4B push ecx; ret 2_2_004C6E5E
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeAPI coverage: 3.9 %
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004D9E7A FindFirstFileExW,0_2_004D9E7A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004D9E7A FindFirstFileExW,2_2_004D9E7A
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004CD27F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004CD27F
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C2198 mov edi, dword ptr fs:[00000030h]0_2_004C2198
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_0050703C mov eax, dword ptr fs:[00000030h]0_2_0050703C
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004FF396 mov ecx, dword ptr fs:[00000030h]0_2_004FF396
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004DAA07 mov eax, dword ptr fs:[00000030h]0_2_004DAA07
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004D0E59 mov ecx, dword ptr fs:[00000030h]0_2_004D0E59
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C2198 mov edi, dword ptr fs:[00000030h]2_2_004C2198
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004DAA07 mov eax, dword ptr fs:[00000030h]2_2_004DAA07
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004D0E59 mov ecx, dword ptr fs:[00000030h]2_2_004D0E59
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004DD006 GetProcessHeap,0_2_004DD006
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004CD27F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004CD27F
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C72B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004C72B0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C75D8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004C75D8
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C7765 SetUnhandledExceptionFilter,0_2_004C7765
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004CD27F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004CD27F
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C72B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004C72B0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C75D8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004C75D8
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 2_2_004C7765 SetUnhandledExceptionFilter,2_2_004C7765
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: C:\Users\user\Desktop\aO1TcEaxfW.exe "C:\Users\user\Desktop\aO1TcEaxfW.exe"Jump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004F56D0 cpuid 0_2_004F56D0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_004DC440
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,0_2_004D3436
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,0_2_004DC6E2
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,0_2_004DC72D
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,0_2_004DC7C8
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_004DC853
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,0_2_004D38E0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,0_2_004DCAA6
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004DCBCF
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,0_2_004DCCD5
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004DCDA4
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_004DC853
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,2_2_004D38E0
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,2_2_004DCAA6
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_004DCBCF
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,2_2_004DC440
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,2_2_004D3436
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetLocaleInfoW,2_2_004DCCD5
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_004DCDA4
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,2_2_004DC6E2
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,2_2_004DC72D
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: EnumSystemLocalesW,2_2_004DC7C8
Source: C:\Users\user\Desktop\aO1TcEaxfW.exeCode function: 0_2_004C74D2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004C74D2

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Software Packing		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		11
Process Injection		LSASS Memory2
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS22
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532628 Sample: aO1TcEaxfW.exe Startdate: 13/10/2024 Architecture: WINDOWS Score: 64 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 20 Machine Learning detection for sample 2->20 22 AI detected suspicious sample 2->22 6 aO1TcEaxfW.exe 2->6         started        process3 process4 8 aO1TcEaxfW.exe 6->8         started        10 aO1TcEaxfW.exe 6->10         started        12 aO1TcEaxfW.exe 6->12         started        14 35 other processes 6->14

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
aO1TcEaxfW.exe63%ReversingLabsWin32.Spyware.Lummastealer
aO1TcEaxfW.exe67%VirustotalBrowse
aO1TcEaxfW.exe100%AviraHEUR/AGEN.1361748
aO1TcEaxfW.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532628
Start date and time:2024-10-13 19:16:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:aO1TcEaxfW.exe
renamed because original name is a hash value
Original Sample Name:e00ad02b0b162b28aa86c99845253184960e5532f7f74091cfb5a8a677084347.exe
Detection:MAL
Classification:mal64.winEXE@16226/0@0/0
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 65%
  • Number of executed functions: 5
  • Number of non-executed functions: 106
Cookbook Comments:
  • Found application associated with file extension: .exe

Warnings

  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target aO1TcEaxfW.exe, PID 5540 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.892174570871243
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:aO1TcEaxfW.exe
File size:1'040'784 bytes
MD5:479c1f5c983e8c2e0f2f3b9a9ebb6d53
SHA1:c7c3bcf6fd11e394af0964072cf97f2f7bc5daa7
SHA256:e00ad02b0b162b28aa86c99845253184960e5532f7f74091cfb5a8a677084347
SHA512:4a4e6bf9c882ed51306d83de5328b66c0f89cd6b1f4daf551a5f76a45a3ecce9a62e712c486bd3d5a4f78a0592b71f1faa474c31a26aabddc677b9f99a1e1c8c
SSDEEP:12288:8ZKj8X7/WmBgjKCI1izUgcPl0zVYMuPqiSCCx20mPM05o14SUUniAWhI4Dz+Ke7s:DjIQjKx+YMuSi80pkUUUUnFWhbyCEQ
TLSH:BE2512517084C033DA62283106F4D9B56E3D7AE10E91A9DF23E5AB7E0F613C1E631A6E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a.............U.......U...,...U.......U.......................................................Rich...........................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x406bf0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x6709730D [Fri Oct 11 18:48:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2bf5d9e2e4bbff197e62f5db8f2f3336

Authenticode Signature

Signature Valid:false
Signature Issuer:CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
  • 19/10/2023 21:51:12 16/10/2024 21:51:12
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:2169E18183DAF704160A117E905BFDA4
Thumbprint SHA-1:CB9C4FBEA1D87D2D468AC5A9CAAB0163F6AD8401
Thumbprint SHA-256:C4405F06DFB035F3AD360D29D27D434E004E054B6FB18FA3A5566A9F9AFA8296
Serial:3300000557CF90DDC7D1C0888C000000000557

Entrypoint Preview

Instruction
call 00007F9D7528BD1Fh
jmp 00007F9D7528B26Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F9D7528B40Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F9D7528B3FCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F9D7528B3FEh
add edx, 28h
cmp edx, esi
jne 00007F9D7528B3DCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F9D7528B3EBh
push esi
call 00007F9D7528C026h
test eax, eax
je 00007F9D7528B412h
mov eax, dword ptr fs:[00000018h]
mov esi, 004F5130h
mov edx, dword ptr [eax+04h]
jmp 00007F9D7528B3F6h
cmp edx, eax
je 00007F9D7528B402h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F9D7528B3E2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F9D7528B3F9h
mov byte ptr [004F5134h], 00000001h
call 00007F9D7528B6ACh
call 00007F9D7528E5D9h
test al, al
jne 00007F9D7528B3F6h
xor al, al
pop ebp
ret
call 00007F9D752972B6h
test al, al
jne 00007F9D7528B3FCh
push 00000000h
call 00007F9D7528E5E0h
pop ecx
jmp 00007F9D7528B3DBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [004F5135h], 00000000h
je 00007F9D7528B3F6h
mov al, 01h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x2c9600x28.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0xf80000x10.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0xf92c80x4ec8
IMAGE_DIRECTORY_ENTRY_BASERELOC0xf60000x1bf8.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x2ac480x1c.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x2ab880x40.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x230000x128.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x2116b0x21200ead13d05d0a1674cd36c1409f0dc8b44False0.5804908608490567data6.6405903593922675IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x230000xa0040xa200d0ff5210149f4d4d00f32d30ac0d4eeaFalse0.4287229938271605data4.917050456898412IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x2e0000xc7d540xc6e0041072ea328a99b1378ccbe2db3543dfcFalse0.9963478649434317DOS executable (block device driver \377\377\377\377)7.998247362969363IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc0xf60000x1bf80x1c006c4305c17e9b7059ead3dd6ffecd73f8False0.7600446428571429data6.53867085985248IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc0xf80000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLLImport
KERNEL32.dllTlsFree, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:13:16:58
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:2
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:3
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:4
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:5
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:6
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:7
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:8
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:9
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:10
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:11
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:12
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:13
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:14
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:15
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:16
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:17
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:18
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:19
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:20
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:21
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:22
Start time:13:17:02
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:23
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:24
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:25
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:26
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:27
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:28
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:29
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:30
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:31
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:32
Start time:13:17:03
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:33
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:34
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:35
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:36
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:37
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:38
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:39
Start time:13:17:04
Start date:13/10/2024
Path:C:\Users\user\Desktop\aO1TcEaxfW.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\aO1TcEaxfW.exe"
Imagebase:0x4c0000
File size:1'040'784 bytes
MD5 hash:479C1F5C983E8C2E0F2F3B9A9EBB6D53
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:10.2%
    Total number of Nodes:254
    Total number of Limit Nodes:5
    execution_graph 33931 4c6a74 33932 4c6a80 ___scrt_is_nonwritable_in_current_image 33931->33932 33957 4c6c70 33932->33957 33934 4c6bda 33999 4c75d8 4 API calls 2 library calls 33934->33999 33935 4c6a87 33935->33934 33945 4c6ab1 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 33935->33945 33937 4c6be1 34000 4d0f66 23 API calls CallUnexpected 33937->34000 33939 4c6be7 34001 4d0f2a 23 API calls CallUnexpected 33939->34001 33941 4c6bef 33942 4c6ad0 33943 4c6b51 33965 4c76ed 33943->33965 33945->33942 33945->33943 33995 4d0f40 43 API calls 4 library calls 33945->33995 33946 4c6b57 33969 4c2198 33946->33969 33949 4c6b6c 33996 4c7723 GetModuleHandleW 33949->33996 33951 4c6b73 33951->33937 33952 4c6b77 33951->33952 33953 4c6b80 33952->33953 33997 4d0f1b 23 API calls CallUnexpected 33952->33997 33998 4c6de1 79 API calls ___scrt_uninitialize_crt 33953->33998 33956 4c6b88 33956->33942 33958 4c6c79 33957->33958 34002 4c6f3c IsProcessorFeaturePresent 33958->34002 33960 4c6c85 34003 4c9e6e 10 API calls 2 library calls 33960->34003 33962 4c6c8a 33963 4c6c8e 33962->33963 34004 4c9e8d 7 API calls 2 library calls 33962->34004 33963->33935 34005 4c84e0 33965->34005 33967 4c7700 GetStartupInfoW 33968 4c7713 33967->33968 33968->33946 34006 4c241e 33969->34006 33972 4c21f5 _strlen 34010 4c24d1 33972->34010 33974 4c21da 34041 4c31ce 45 API calls 3 library calls 33974->34041 33976 4c21ee 34042 4c2aac 75 API calls 33976->34042 33979 4c221c GetPEB 34014 4c1cd2 33979->34014 33985 4c233e 33987 4c1cd2 76 API calls 33985->33987 33986 4c2396 33993 4c23be messages 33986->33993 34043 4c12ac 43 API calls _Deallocate 33986->34043 33989 4c2354 33987->33989 33989->33949 33990 4c23e2 34045 4c693b 33990->34045 34044 4c24ab 43 API calls _Deallocate 33993->34044 33994 4c23f1 33994->33949 33995->33943 33996->33951 33997->33953 33998->33956 33999->33937 34000->33939 34001->33941 34002->33960 34003->33962 34004->33963 34005->33967 34007 4c243b _strlen 34006->34007 34052 4c2ade 34007->34052 34009 4c21b8 34009->33972 34040 4c28e9 45 API calls 4 library calls 34009->34040 34011 4c2504 34010->34011 34013 4c24e0 std::ios_base::_Init 34010->34013 34061 4c2bb7 45 API calls 2 library calls 34011->34061 34013->33979 34015 4c1d02 34014->34015 34023 4c1da1 34015->34023 34066 4c3348 45 API calls 5 library calls 34015->34066 34017 4c1eeb 34062 4c2cd7 34017->34062 34019 4c1eff 34020 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34019->34020 34021 4c1f13 34020->34021 34026 4c20ea 34021->34026 34023->34017 34025 4c2cd7 _Deallocate 43 API calls 34023->34025 34067 4c3348 45 API calls 5 library calls 34023->34067 34068 4c1176 74 API calls 34023->34068 34025->34023 34027 4c2151 34026->34027 34032 4c2121 34026->34032 34029 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34027->34029 34028 4c241e std::ios_base::_Init 45 API calls 34028->34032 34030 4c2165 VirtualProtect 34029->34030 34030->33985 34030->33986 34032->34027 34032->34028 34033 4c2169 34032->34033 34070 4c1f1a 75 API calls ctype 34032->34070 34071 4c24ab 43 API calls _Deallocate 34032->34071 34072 4c263e 75 API calls 5 library calls 34033->34072 34036 4c2173 34073 4c28b7 75 API calls 34036->34073 34038 4c2179 34074 4c24ab 43 API calls _Deallocate 34038->34074 34040->33974 34041->33976 34042->33972 34043->33993 34044->33990 34046 4c6944 IsProcessorFeaturePresent 34045->34046 34047 4c6943 34045->34047 34049 4c72ed 34046->34049 34047->33994 34075 4c72b0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 34049->34075 34051 4c73d0 34051->33994 34053 4c2b49 34052->34053 34056 4c2aef std::ios_base::_Init 34052->34056 34060 4c12ce 45 API calls std::_Xinvalid_argument 34053->34060 34058 4c2af6 std::ios_base::_Init 34056->34058 34059 4c348b 45 API calls 2 library calls 34056->34059 34058->34009 34059->34058 34061->34013 34063 4c2ce4 34062->34063 34064 4c2cf1 messages 34062->34064 34069 4c12ac 43 API calls _Deallocate 34063->34069 34064->34019 34066->34015 34067->34023 34068->34023 34069->34064 34070->34032 34071->34032 34072->34036 34073->34038 34074->34027 34075->34051 34076 4dfde0 34079 4da706 34076->34079 34080 4da70f 34079->34080 34084 4da741 34079->34084 34085 4d52d0 34080->34085 34086 4d52db 34085->34086 34087 4d52e1 34085->34087 34136 4d385f 6 API calls std::_Locinfo::_Locinfo_ctor 34086->34136 34091 4d52e7 34087->34091 34137 4d389e 6 API calls std::_Locinfo::_Locinfo_ctor 34087->34137 34090 4d52fb 34090->34091 34092 4d52ff 34090->34092 34094 4d52ec 34091->34094 34145 4cfafc 43 API calls CallUnexpected 34091->34145 34138 4d3392 14 API calls 3 library calls 34092->34138 34113 4da511 34094->34113 34097 4d530b 34098 4d5328 34097->34098 34099 4d5313 34097->34099 34141 4d389e 6 API calls std::_Locinfo::_Locinfo_ctor 34098->34141 34139 4d389e 6 API calls std::_Locinfo::_Locinfo_ctor 34099->34139 34102 4d531f 34140 4d33ef 14 API calls 2 library calls 34102->34140 34103 4d5334 34104 4d5338 34103->34104 34105 4d5347 34103->34105 34142 4d389e 6 API calls std::_Locinfo::_Locinfo_ctor 34104->34142 34143 4d5043 14 API calls _unexpected 34105->34143 34109 4d5325 34109->34091 34110 4d5352 34144 4d33ef 14 API calls 2 library calls 34110->34144 34112 4d5359 34112->34094 34146 4da666 34113->34146 34118 4da554 34118->34084 34121 4da56d 34184 4d33ef 14 API calls 2 library calls 34121->34184 34122 4da57b 34173 4da761 34122->34173 34126 4da5b3 34185 4cd579 14 API calls __Wcrtomb 34126->34185 34128 4da5ce 34130 4da5fa 34128->34130 34187 4d33ef 14 API calls 2 library calls 34128->34187 34129 4da5b8 34186 4d33ef 14 API calls 2 library calls 34129->34186 34132 4da643 34130->34132 34188 4da183 43 API calls 2 library calls 34130->34188 34189 4d33ef 14 API calls 2 library calls 34132->34189 34136->34087 34137->34090 34138->34097 34139->34102 34140->34109 34141->34103 34142->34102 34143->34110 34144->34112 34147 4da672 ___scrt_is_nonwritable_in_current_image 34146->34147 34148 4da68c 34147->34148 34190 4cd5cd EnterCriticalSection 34147->34190 34150 4da53b 34148->34150 34193 4cfafc 43 API calls CallUnexpected 34148->34193 34157 4da291 34150->34157 34151 4da6c8 34192 4da6e5 LeaveCriticalSection std::_Lockit::~_Lockit 34151->34192 34154 4da69c 34154->34151 34191 4d33ef 14 API calls 2 library calls 34154->34191 34194 4cfb40 34157->34194 34159 4da2a3 34160 4da2c4 34159->34160 34161 4da2b2 GetOEMCP 34159->34161 34162 4da2c9 GetACP 34160->34162 34163 4da2db 34160->34163 34161->34163 34162->34163 34163->34118 34164 4d3e14 34163->34164 34165 4d3e52 34164->34165 34166 4d3e22 34164->34166 34205 4cd579 14 API calls __Wcrtomb 34165->34205 34168 4d3e3d HeapAlloc 34166->34168 34171 4d3e26 _unexpected 34166->34171 34170 4d3e50 34168->34170 34168->34171 34169 4d3e57 34169->34121 34169->34122 34170->34169 34171->34165 34171->34168 34204 4d03a3 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 34171->34204 34174 4da291 45 API calls 34173->34174 34175 4da781 34174->34175 34177 4da7be IsValidCodePage 34175->34177 34181 4da7fa __fread_nolock 34175->34181 34176 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34179 4da5a8 34176->34179 34178 4da7d0 34177->34178 34177->34181 34180 4da7ff GetCPInfo 34178->34180 34183 4da7d9 __fread_nolock 34178->34183 34179->34126 34179->34128 34180->34181 34180->34183 34181->34176 34206 4da365 34183->34206 34184->34118 34185->34129 34186->34118 34187->34130 34188->34132 34189->34118 34190->34154 34191->34151 34192->34148 34195 4cfb5e 34194->34195 34201 4d5215 43 API calls 3 library calls 34195->34201 34197 4cfb7f 34202 4d3e62 43 API calls __Getctype 34197->34202 34199 4cfb95 34203 4d3ec0 43 API calls _Fputc 34199->34203 34201->34197 34202->34199 34204->34171 34205->34169 34207 4da38d GetCPInfo 34206->34207 34216 4da456 34206->34216 34213 4da3a5 34207->34213 34207->34216 34209 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34211 4da50f 34209->34211 34211->34181 34217 4d86fc 34213->34217 34215 4d89f3 48 API calls 34215->34216 34216->34209 34218 4cfb40 std::_Locinfo::_Locinfo_ctor 43 API calls 34217->34218 34219 4d871c 34218->34219 34237 4d9869 34219->34237 34221 4d8749 34223 4d87d8 34221->34223 34224 4d3e14 std::_Locinfo::_Locinfo_ctor 15 API calls 34221->34224 34227 4d87e0 34221->34227 34228 4d876e __fread_nolock std::_Locinfo::_Locinfo_ctor 34221->34228 34222 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34225 4d8803 34222->34225 34240 4c691d 14 API calls std::_Locinfo::~_Locinfo 34223->34240 34224->34228 34232 4d89f3 34225->34232 34227->34222 34228->34223 34229 4d9869 __fread_nolock MultiByteToWideChar 34228->34229 34230 4d87b9 34229->34230 34230->34223 34231 4d87c4 GetStringTypeW 34230->34231 34231->34223 34233 4cfb40 std::_Locinfo::_Locinfo_ctor 43 API calls 34232->34233 34234 4d8a06 34233->34234 34241 4d8805 34234->34241 34238 4d987a MultiByteToWideChar 34237->34238 34238->34221 34240->34227 34242 4d8820 34241->34242 34243 4d9869 __fread_nolock MultiByteToWideChar 34242->34243 34247 4d8866 34243->34247 34244 4d89de 34245 4c693b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 34244->34245 34246 4d89f1 34245->34246 34246->34215 34247->34244 34248 4d3e14 std::_Locinfo::_Locinfo_ctor 15 API calls 34247->34248 34250 4d888c std::_Locinfo::_Locinfo_ctor 34247->34250 34257 4d8912 34247->34257 34248->34250 34251 4d9869 __fread_nolock MultiByteToWideChar 34250->34251 34250->34257 34252 4d88d1 34251->34252 34252->34257 34269 4d3a1d 34252->34269 34255 4d893b 34258 4d89c6 34255->34258 34259 4d3e14 std::_Locinfo::_Locinfo_ctor 15 API calls 34255->34259 34262 4d894d std::_Locinfo::_Locinfo_ctor 34255->34262 34256 4d8903 34256->34257 34261 4d3a1d std::_Locinfo::_Locinfo_ctor 7 API calls 34256->34261 34281 4c691d 14 API calls std::_Locinfo::~_Locinfo 34257->34281 34280 4c691d 14 API calls std::_Locinfo::~_Locinfo 34258->34280 34259->34262 34261->34257 34262->34258 34263 4d3a1d std::_Locinfo::_Locinfo_ctor 7 API calls 34262->34263 34264 4d8990 34263->34264 34264->34258 34278 4d98e5 WideCharToMultiByte 34264->34278 34266 4d89aa 34266->34258 34267 4d89b3 34266->34267 34279 4c691d 14 API calls std::_Locinfo::~_Locinfo 34267->34279 34282 4d35cb 34269->34282 34272 4d3a2e LCMapStringEx 34277 4d3a75 34272->34277 34273 4d3a55 34285 4d3a7a 5 API calls std::_Locinfo::_Locinfo_ctor 34273->34285 34276 4d3a6e LCMapStringW 34276->34277 34277->34255 34277->34256 34277->34257 34278->34266 34279->34257 34280->34257 34281->34244 34286 4d36ca 34282->34286 34285->34276 34287 4d35e1 34286->34287 34288 4d36f8 34286->34288 34287->34272 34287->34273 34288->34287 34293 4d35ff LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary ___vcrt_FlsGetValue 34288->34293 34290 4d370c 34290->34287 34291 4d3712 GetProcAddress 34290->34291 34291->34287 34292 4d3722 std::_Locinfo::_Locinfo_ctor 34291->34292 34292->34287 34293->34290

    Executed Functions

    Function 004C2198 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 205memoryCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
      • Part of subcall function 004C241E: _strlen.LIBCMT ref: 004C2436
    • _strlen.LIBCMT ref: 004C220C
    • VirtualProtect.KERNELBASE(005B4300,000004E4,00000040,?,004EAABC,00000000,IOanz UZA891nNAIUsy U(Ahy8*! ), ref: 004C2337
      • Part of subcall function 004C28E9: __EH_prolog3_catch.LIBCMT ref: 004C28F0
      • Part of subcall function 004C28E9: _strlen.LIBCMT ref: 004C2908
      • Part of subcall function 004C31CE: __EH_prolog3_catch.LIBCMT ref: 004C31D5
    Strings
    • IOanz UZA891nNAIUsy U(Ahy8*! , xrefs: 004C21AB
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: _strlen$H_prolog3_catch$ProtectVirtual
    • String ID: IOanz UZA891nNAIUsy U(Ahy8*!
    • API String ID: 2874085908-4274611474
    • Opcode ID: 1e19a4f26aff960fcfa94ef71e80e1739f92dd7ef1120d71bf26d2ddac4356f7
    • Instruction ID: 439eebd7acef25890cc4937fd030bdbc0c86396af0106aacb30f77a88751d5cb
    • Opcode Fuzzy Hash: 1e19a4f26aff960fcfa94ef71e80e1739f92dd7ef1120d71bf26d2ddac4356f7
    • Instruction Fuzzy Hash: D551253AE10208AFDB04EAA5D945FEEB7B5EB48314F10813FF505A72D0DBBC58008B58
    Function 004D8805 Relevance: 4.7, APIs: 3, Instructions: 202COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 46 4d8805-4d881e 47 4d8834-4d8839 46->47 48 4d8820-4d8830 call 4d0378 46->48 50 4d8848-4d886e call 4d9869 47->50 51 4d883b-4d8845 47->51 48->47 55 4d8832 48->55 56 4d8874-4d887f 50->56 57 4d89e1-4d89f2 call 4c693b 50->57 51->50 55->47 58 4d8885-4d888a 56->58 59 4d89d4 56->59 62 4d888c-4d8895 call 4c6f10 58->62 63 4d889f-4d88aa call 4d3e14 58->63 64 4d89d6 59->64 71 4d88b5-4d88b9 62->71 72 4d8897-4d889d 62->72 63->71 73 4d88ac 63->73 67 4d89d8-4d89df call 4c691d 64->67 67->57 71->64 76 4d88bf-4d88d6 call 4d9869 71->76 75 4d88b2 72->75 73->75 75->71 76->64 79 4d88dc-4d88ee call 4d3a1d 76->79 81 4d88f3-4d88f7 79->81 82 4d88f9-4d8901 81->82 83 4d8912-4d8914 81->83 84 4d893b-4d8947 82->84 85 4d8903-4d8908 82->85 83->64 88 4d8949-4d894b 84->88 89 4d89c6 84->89 86 4d890e-4d8910 85->86 87 4d89ba-4d89bc 85->87 86->83 91 4d8919-4d8933 call 4d3a1d 86->91 87->67 92 4d894d-4d8956 call 4c6f10 88->92 93 4d8960-4d896b call 4d3e14 88->93 90 4d89c8-4d89cf call 4c691d 89->90 90->83 91->87 104 4d8939 91->104 92->90 102 4d8958-4d895e 92->102 93->90 103 4d896d 93->103 105 4d8973-4d8978 102->105 103->105 104->83 105->90 106 4d897a-4d8992 call 4d3a1d 105->106 106->90 109 4d8994-4d899b 106->109 110 4d899d-4d899e 109->110 111 4d89be-4d89c4 109->111 112 4d899f-4d89b1 call 4d98e5 110->112 111->112 112->90 115 4d89b3-4d89b9 call 4c691d 112->115 115->87
    APIs
    • __freea.LIBCMT ref: 004D89B4
      • Part of subcall function 004D3E14: HeapAlloc.KERNEL32(00000000,00000000,?,?,004C78E5,?,?,?,?,?,004C11CC,?,00000001), ref: 004D3E46
    • __freea.LIBCMT ref: 004D89C9
    • __freea.LIBCMT ref: 004D89D9
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __freea$AllocHeap
    • String ID:
    • API String ID: 85559729-0
    • Opcode ID: 8af9d88884d35ebe34b43ad3e29ef371c157cc707e79587109583041cd3a1db4
    • Instruction ID: 4e26d7fbcbfb3d2d06f33ed69dbacfbef018e0e94c771cc3fc464809aab155c3
    • Opcode Fuzzy Hash: 8af9d88884d35ebe34b43ad3e29ef371c157cc707e79587109583041cd3a1db4
    • Instruction Fuzzy Hash: DF51D5B2600106AFEF219E65CCA1EBB36A9EF44354B15016FFC44E7350EE39CD109B6A
    Function 004DA761 Relevance: 3.2, APIs: 2, Instructions: 177COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 118 4da761-4da789 call 4da291 121 4da78f-4da795 118->121 122 4da951-4da952 call 4da302 118->122 124 4da798-4da79e 121->124 125 4da957-4da959 122->125 126 4da7a4-4da7b0 124->126 127 4da8a0-4da8bf call 4c84e0 124->127 129 4da95a-4da968 call 4c693b 125->129 126->124 130 4da7b2-4da7b8 126->130 136 4da8c2-4da8c7 127->136 133 4da7be-4da7ca IsValidCodePage 130->133 134 4da898-4da89b 130->134 133->134 135 4da7d0-4da7d7 133->135 134->129 138 4da7ff-4da80c GetCPInfo 135->138 139 4da7d9-4da7e5 135->139 140 4da8c9-4da8ce 136->140 141 4da904-4da90e 136->141 144 4da88c-4da892 138->144 145 4da80e-4da82d call 4c84e0 138->145 142 4da7e9-4da7f5 call 4da365 139->142 146 4da901 140->146 147 4da8d0-4da8d8 140->147 141->136 143 4da910-4da93a call 4da253 141->143 153 4da7fa 142->153 157 4da93b-4da94a 143->157 144->122 144->134 145->142 158 4da82f-4da836 145->158 146->141 151 4da8f9-4da8ff 147->151 152 4da8da-4da8dd 147->152 151->140 151->146 156 4da8df-4da8e5 152->156 153->125 156->151 159 4da8e7-4da8f7 156->159 157->157 160 4da94c 157->160 161 4da838-4da83d 158->161 162 4da862-4da865 158->162 159->151 159->156 160->122 161->162 164 4da83f-4da847 161->164 163 4da86a-4da871 162->163 163->163 165 4da873-4da887 call 4da253 163->165 166 4da849-4da850 164->166 167 4da85a-4da860 164->167 165->142 169 4da851-4da858 166->169 167->161 167->162 169->167 169->169
    APIs
      • Part of subcall function 004DA291: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 004DA2BC
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,004DA5A8,?,00000000,?,?,?), ref: 004DA7C2
    • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,004DA5A8,?,00000000,?,?,?), ref: 004DA804
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: 7c00dd80a1c5ec4addbc55db15c87d7e0e3ea370253d28ce18c1215639423ed1
    • Instruction ID: 5f66ea0674623ee5d015eac514368a3903ec55af1fa529d7b15a69dbd1e7916a
    • Opcode Fuzzy Hash: 7c00dd80a1c5ec4addbc55db15c87d7e0e3ea370253d28ce18c1215639423ed1
    • Instruction Fuzzy Hash: 81510370A002458EDB20DF26C8A56ABBBF5FF41304F18486FE48687352E67899569B4A
    Function 004D3A1D Relevance: 3.0, APIs: 2, Instructions: 34COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 171 4d3a1d-4d3a2c call 4d35cb 174 4d3a2e-4d3a53 LCMapStringEx 171->174 175 4d3a55-4d3a6f call 4d3a7a LCMapStringW 171->175 179 4d3a75-4d3a77 174->179 175->179
    APIs
    • LCMapStringEx.KERNELBASE(?,004D88F3,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004D3A51
    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004D88F3,?,?,00000000,?,00000000), ref: 004D3A6F
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: String
    • String ID:
    • API String ID: 2568140703-0
    • Opcode ID: 2bb66d55ea816c32679566faafc008404ed496f354da25580c8e5796e86305a6
    • Instruction ID: 34d9478228c8db1fdaea8369d0beca5a6d320efab8dd239f5225d1538fa3cb42
    • Opcode Fuzzy Hash: 2bb66d55ea816c32679566faafc008404ed496f354da25580c8e5796e86305a6
    • Instruction Fuzzy Hash: CCF09D3210015ABBCF139F91DC19EEE3F66FF48766F054016FA1925220C736CA72AB96
    Function 004DA365 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 180 4da365-4da387 181 4da38d-4da39f GetCPInfo 180->181 182 4da4a0-4da4c6 180->182 181->182 183 4da3a5-4da3ac 181->183 184 4da4cb-4da4d0 182->184 187 4da3ae-4da3b8 183->187 185 4da4da-4da4e0 184->185 186 4da4d2-4da4d8 184->186 189 4da4ec 185->189 190 4da4e2-4da4e5 185->190 188 4da4e8-4da4ea 186->188 187->187 191 4da3ba-4da3cd 187->191 192 4da4ee-4da500 188->192 189->192 190->188 193 4da3ee-4da3f0 191->193 192->184 196 4da502-4da510 call 4c693b 192->196 194 4da3cf-4da3d6 193->194 195 4da3f2-4da429 call 4d86fc call 4d89f3 193->195 199 4da3e5-4da3e7 194->199 206 4da42e-4da463 call 4d89f3 195->206 202 4da3e9-4da3ec 199->202 203 4da3d8-4da3da 199->203 202->193 203->202 205 4da3dc-4da3e4 203->205 205->199 209 4da465-4da46f 206->209 210 4da47d-4da47f 209->210 211 4da471-4da47b 209->211 213 4da48d 210->213 214 4da481-4da48b 210->214 212 4da48f-4da49c 211->212 212->209 215 4da49e 212->215 213->212 214->212 215->196
    APIs
    • GetCPInfo.KERNEL32(E8458D00,?,004DA5B4,004DA5A8,00000000), ref: 004DA397
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-0
    • Opcode ID: 25e6b3315d85c755cbfd6cfd8fbe79ec5220ffec3451c50d53336e9ef6cd8f56
    • Instruction ID: 07f4936cad8acc6373118f721efd4b9701e6ddb00717fe436bbcb70606b95414
    • Opcode Fuzzy Hash: 25e6b3315d85c755cbfd6cfd8fbe79ec5220ffec3451c50d53336e9ef6cd8f56
    • Instruction Fuzzy Hash: 1A517E715042589ADB218E28CD94AFA7BBCEB45304F2405EFE49AC7342D3789E46DF26

    Non-executed Functions

    Function 004DCDA4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004DCEB0
    • IsValidCodePage.KERNEL32(00000000), ref: 004DCEF9
    • IsValidLocale.KERNEL32(?,00000001), ref: 004DCF08
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004DCF50
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004DCF6F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
    • String ID: `uN
    • API String ID: 415426439-1958408982
    • Opcode ID: 4136ec0ffed96aadd48030be4d299f4c56ee55b6273004dca2a27f35fd73d41f
    • Instruction ID: ab3995da11208ec982ff8b46df53e018dee085eaacc29865cbe77a5f666ca41c
    • Opcode Fuzzy Hash: 4136ec0ffed96aadd48030be4d299f4c56ee55b6273004dca2a27f35fd73d41f
    • Instruction Fuzzy Hash: 08517FB2A00206ABDF10DFA5CCD1ABF77B9AF04701F14456BE504EB391E7789A04CB69
    Function 004DD875 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: cb58271ccd5f7219ff65f5e5415f5b335f72a073dab08ca914a5d228c8a1a04b
    • Instruction ID: 164a472c0bfa04925de49170c95a2c77baf69f8bfe2deca39ef3c2aabd831399
    • Opcode Fuzzy Hash: cb58271ccd5f7219ff65f5e5415f5b335f72a073dab08ca914a5d228c8a1a04b
    • Instruction Fuzzy Hash: 74D21571E082298BDB65DE29CD50BEAB7B5EB44305F1441EBD40EE7340EB78AE818F45
    Function 004DC440 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetACP.KERNEL32(?,?,?,?,?,?,004D1773,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004DC501
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004D1773,?,?,?,00000055,?,-00000050,?,?), ref: 004DC52C
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004DC68F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$CodeInfoLocalePageValid
    • String ID: `uN$utf8
    • API String ID: 607553120-506889755
    • Opcode ID: 40ae614af944a7c5fd5864c8ef2d98dbad0911e66e79a14ac830152f60e99aba
    • Instruction ID: e10c6afdb8d472600e3057e28e639eeebca04d95dc7a0143f9f5e6de6bc069a7
    • Opcode Fuzzy Hash: 40ae614af944a7c5fd5864c8ef2d98dbad0911e66e79a14ac830152f60e99aba
    • Instruction Fuzzy Hash: 3671E271A00207AAD724AB76CCA6BBB73A8EF05714F14442BF505DB381EA79ED40C66D
    Function 004DCBCF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,004DCEED,00000002,00000000,?,?,?,004DCEED,?,00000000), ref: 004DCC68
    • GetLocaleInfoW.KERNEL32(?,20001004,004DCEED,00000002,00000000,?,?,?,004DCEED,?,00000000), ref: 004DCC91
    • GetACP.KERNEL32(?,?,004DCEED,?,00000000), ref: 004DCCA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 90078d3225666d6893302c9b37df74223b3f17fa29b9321d729125372d092dea
    • Instruction ID: f296d936602206417e0987f30810f53e2223810d259bb9dba5a9a94164e8b692
    • Opcode Fuzzy Hash: 90078d3225666d6893302c9b37df74223b3f17fa29b9321d729125372d092dea
    • Instruction Fuzzy Hash: B621CB32720102A6DB348F25C9A5A97B3A6EF50F61B568467E70ED7304E736DE41C35C
    Function 004D4023 Relevance: 6.3, APIs: 4, Instructions: 337COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
    • Instruction ID: a16a4b82de38bc13296bbb2843f4eb647f8d769884c50436b4152a7a34eefb0e
    • Opcode Fuzzy Hash: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
    • Instruction Fuzzy Hash: 61B15932A002859FDB15CF68C8A17FFBBE5EF95344F1581ABE804AB341D2389D01C769
    Function 00503525 Relevance: 6.3, APIs: 4, Instructions: 337COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 2105af1ce281aa8cf08cd6a1838856530ae0e12a9ea78a25eca6150783de226d
    • Instruction ID: d426cee4e1eda2b2338a6667bfce5f27ae6ebc338a4c7499eda03c960587863e
    • Opcode Fuzzy Hash: 2105af1ce281aa8cf08cd6a1838856530ae0e12a9ea78a25eca6150783de226d
    • Instruction Fuzzy Hash: 21B139B29052469FDB258F68C8817EEBFA9FF55310F14816AE805AB382D375DF01C7A0
    Function 004C75D8 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004C75E4
    • IsDebuggerPresent.KERNEL32 ref: 004C76B0
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004C76C9
    • UnhandledExceptionFilter.KERNEL32(?), ref: 004C76D3
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: cc7343ddf99e75bdd7de30d84addadc0c0c9b906c1a45485dec29e488c02ec7d
    • Instruction ID: 31f8bddbacdf0e0be1122fd933de58efb82dfb38cd216efd3957938e8f53d13e
    • Opcode Fuzzy Hash: cc7343ddf99e75bdd7de30d84addadc0c0c9b906c1a45485dec29e488c02ec7d
    • Instruction Fuzzy Hash: 7C310779D052589BDB61DF64D989BCDBBB8BF08304F1041AAE40CAB250EB749B848F48
    Function 004C1CD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004C3348: __EH_prolog3_catch.LIBCMT ref: 004C334F
    • _Deallocate.LIBCONCRT ref: 004C1EAD
    • _Deallocate.LIBCONCRT ref: 004C1EFA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Deallocate$H_prolog3_catch
    • String ID: Current val: %d
    • API String ID: 1212816977-1825967858
    • Opcode ID: 0c5ece480e667c3aade1e7a2071629e511f587d41bc5a7464e326e17ed6afd97
    • Instruction ID: 290b1c11bd000a2843c6c844fa62112e16a5d9c403b9d44406169b4627206d3f
    • Opcode Fuzzy Hash: 0c5ece480e667c3aade1e7a2071629e511f587d41bc5a7464e326e17ed6afd97
    • Instruction Fuzzy Hash: 4C61DE7651C3818FC350DF2AD480A6BFBE0AFC9714F144A2EF9D593252D739E9048B9A
    Function 004F0210 Relevance: 4.7, Strings: 2, Instructions: 2226COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID: $p`C
    • API String ID: 0-4134204333
    • Opcode ID: 7c1bf759990cea01889fddccd937b28553c04d3b666f7c82e54e0ff48d564f50
    • Instruction ID: d5b23b84952c7e8b6affd0b02e411b2836e00269c54d9366f929cda272567d1c
    • Opcode Fuzzy Hash: 7c1bf759990cea01889fddccd937b28553c04d3b666f7c82e54e0ff48d564f50
    • Instruction Fuzzy Hash: 6CD2D127620A0A4BE31C9939CD523F6B686EBDA320F45433BFAA5D73F1D37948428745
    Function 004DC853 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004DC8A7
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004DC8F1
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004DC9B7
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLast
    • String ID:
    • API String ID: 661929714-0
    • Opcode ID: dbf1b8ca590e669cba44b756787234759571e8161c24b68897877547ff49db60
    • Instruction ID: e0f4444a4909dd5058defdc8274c86b0592f4e976cedca55c313515433c7d463
    • Opcode Fuzzy Hash: dbf1b8ca590e669cba44b756787234759571e8161c24b68897877547ff49db60
    • Instruction Fuzzy Hash: 6B618F7195011B9BDB28DF29CCE2BAAB7A8EF04314F1041BBE905D6385EB38D945CF58
    Function 004CD27F Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004CD377
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004CD381
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004CD38E
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: b6de86447dc22fdf3f0768ecc2770519a26e1d95b3671cfd979757da6056f79f
    • Instruction ID: b0f04b2f1f4c51f1226533f8b055fedf788e79fa04d5f6f3cdb381c45b628a7b
    • Opcode Fuzzy Hash: b6de86447dc22fdf3f0768ecc2770519a26e1d95b3671cfd979757da6056f79f
    • Instruction Fuzzy Hash: 5F31F674901218ABCB61DF65DD89B9DBBB4BF08310F5041EAE41CA7261EB349F858F48
    Function 004CFBD0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 71130d6100ede6563424b8a4d7df45df7381647f619140e561abbae099e1f578
    • Instruction ID: bdb83a348c6a3ad334daa70ae6c0f2730875682c7ff582ed18ea900e36c080c6
    • Opcode Fuzzy Hash: 71130d6100ede6563424b8a4d7df45df7381647f619140e561abbae099e1f578
    • Instruction Fuzzy Hash: 7BF14E75E002199FDF14CF69D880BAEB7B2FF89314F15826EE815A7391D738AD058B84
    Function 004FDBE0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
    • Instruction ID: 4749fb5482a93915d94f46e9b5283d9c5cddaed7c47accdafcae5bff39ddaf69
    • Opcode Fuzzy Hash: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
    • Instruction Fuzzy Hash: A7F15F71E002199FDF14CF69C880AAEB7B2FF89314F15826EE919AB394D7349D41CB94
    Function 0050E35E Relevance: 2.9, APIs: 1, Instructions: 1436COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID:
    • API String ID: 4168288129-0
    • Opcode ID: 942fe0f3c29f653e39a35ed8cb6196759c4aba01ded4976b721137ac199a4da5
    • Instruction ID: e869c025661fde07b22620491e8c02390c7cd1a50eba2c73c94adaba9b8b0d8e
    • Opcode Fuzzy Hash: 942fe0f3c29f653e39a35ed8cb6196759c4aba01ded4976b721137ac199a4da5
    • Instruction Fuzzy Hash: 7CD21871E082298FDB65CE28DD457EEBBB5FB44304F1445EAD44DA7280DB78AE858F40
    Function 004D9144 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004D913F,?,?,00000008,?,?,004E15B5,00000000), ref: 004D9371
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 2188581ec020ef70aa659af0711484c0219602e939d292b00e6279d26ee6ed55
    • Instruction ID: d90f45a6b3799db1d50b444b6bcc4603007d332cd4256627b65402fac74c67cc
    • Opcode Fuzzy Hash: 2188581ec020ef70aa659af0711484c0219602e939d292b00e6279d26ee6ed55
    • Instruction Fuzzy Hash: 3EB13D31610609DFD715CF28C496B657BA0FF49364F25869AE899CF3A1C339ED82CB44
    Function 004C6F3C Relevance: 1.7, APIs: 1, Instructions: 242COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004C6F52
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: 1e34fa5ef17f28ef501dc7d6dc56b37adbc515efe23127b15979d9a6b2aac0ac
    • Instruction ID: f5367342cb083fc700ea652ef28f1ff84b5c04cc65be839b2468e593d042382c
    • Opcode Fuzzy Hash: 1e34fa5ef17f28ef501dc7d6dc56b37adbc515efe23127b15979d9a6b2aac0ac
    • Instruction Fuzzy Hash: ABA1CEB59046548FDB58CF69E8C27AABBF0FB88324F14812ED608EB351D3799940CF58
    Function 004D9E7A Relevance: 1.6, APIs: 1, Instructions: 108COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 990b271d8729bb7eb1f16322a3715aa57dfe855deceacbad75902106d1e9bc2e
    • Instruction ID: eca71b1d0f87f51100dc2db0268d57e2166ff7dff81653a1be6bf26148984c05
    • Opcode Fuzzy Hash: 990b271d8729bb7eb1f16322a3715aa57dfe855deceacbad75902106d1e9bc2e
    • Instruction Fuzzy Hash: EB31F572900219AFCB20DFA9CC99DBBB77DEB84314F14455EF805D7344EA34AE408B68
    Function 004DCAA6 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004DCAFA
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 1a29a6157bf3a44074cac694b557486bffd477a4bda642f4d6e6c471ab213b6b
    • Instruction ID: 90a08b531a7d47b484d8e42f6dee02664bafc12dca881ec4af90b9b322a36645
    • Opcode Fuzzy Hash: 1a29a6157bf3a44074cac694b557486bffd477a4bda642f4d6e6c471ab213b6b
    • Instruction Fuzzy Hash: 98216572A541075BDB149B16ECA2A7B73A8EB05714B10007FF905DA341EA78ED05CA58
    Function 004FAE7F Relevance: 1.6, Strings: 1, Instructions: 314COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 1632f8d23e9e32ab9f3a7bcd8b2446ae787a5851f4b5be5d31f7a579b1156ae9
    • Instruction ID: a58379157ae692600ae4a6791cd51f94e3683ab298b805b1ca37e2d330d50d36
    • Opcode Fuzzy Hash: 1632f8d23e9e32ab9f3a7bcd8b2446ae787a5851f4b5be5d31f7a579b1156ae9
    • Instruction Fuzzy Hash: F6B1B2B090060E8BCB24CF69C591ABFB7B1EB02304F14451FDB569B781DB399951CBAA
    Function 004DC72D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • EnumSystemLocalesW.KERNEL32(004DC853,00000001,00000000,?,-00000050,?,004DCE84,00000000,?,?,?,00000055,?), ref: 004DC79F
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: fb71e3e76c764e9a1b710d1bf37203736dfa014efaca71995af44394ee71ac1a
    • Instruction ID: 1da83f696391be4185601f616f8d4e346bf359d4fe38b92b302860be4be201a1
    • Opcode Fuzzy Hash: fb71e3e76c764e9a1b710d1bf37203736dfa014efaca71995af44394ee71ac1a
    • Instruction Fuzzy Hash: 0B11293B6047025FDB18AF79C8E56BAB791FF80719B14442EE54647B40D775A902CF44
    Function 004DCCD5 Relevance: 1.5, APIs: 1, Instructions: 45COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004DCA6F,00000000,00000000,?), ref: 004DCD01
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    • Opcode ID: 425c2749ca9867c2b211bcf931d21a06dfe78f027f2b2106a52e783c116dc266
    • Instruction ID: b4189fb848c2528c50c4e5de393a95f34227e9162c21cac64e076fd869b4be4a
    • Opcode Fuzzy Hash: 425c2749ca9867c2b211bcf931d21a06dfe78f027f2b2106a52e783c116dc266
    • Instruction Fuzzy Hash: F1F0D6326101136BDF245A618CA5ABB7B69EB40754F14487BEC15A3340DA3CEE01CAD4
    Function 004DC7C8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • EnumSystemLocalesW.KERNEL32(004DCAA6,00000001,?,?,-00000050,?,004DCE48,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004DC812
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: 6e67b2abeca06124506bf0138f98ce1c96050183a23b534522db67883969469e
    • Instruction ID: bf583f5bad2fcf58ac975ba9eca51e2f708483f71a4a2549ae62a2181301acb2
    • Opcode Fuzzy Hash: 6e67b2abeca06124506bf0138f98ce1c96050183a23b534522db67883969469e
    • Instruction Fuzzy Hash: E6F022323003065FCB246F7698D5A6ABB90FB80329B14406FF9058B780C7B5AC01DA58
    Function 004D3436 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004CD5CD: EnterCriticalSection.KERNEL32(-005B5550,?,004D03E7,00000000,004EC430,0000000C,004D03AE,?,?,004D33C5,?,?,004D53B3,00000001,00000364,00000000), ref: 004CD5DC
    • EnumSystemLocalesW.KERNEL32(004D3429,00000001,004EC580,0000000C,004D37DC,00000000), ref: 004D346E
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: 90e9c1c7093d4aec0733c2c94292fe5243dc58c19850d4951c62a48cd2de5e12
    • Instruction ID: e4a3e71f8f521c5872bd125c40e27129302946d930e69163f99f615fed2fd131
    • Opcode Fuzzy Hash: 90e9c1c7093d4aec0733c2c94292fe5243dc58c19850d4951c62a48cd2de5e12
    • Instruction Fuzzy Hash: ABF03776A00214EFD701EF99E842B9C77B0FB48726F10466BE410DB2A1D7799A04CF49
    Function 004DC6E2 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • EnumSystemLocalesW.KERNEL32(004DC63B,00000001,?,?,?,004DCEA6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004DC719
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    • Opcode ID: aac747fb310ab717d0d760d14ce24aeba695579884d4d77e870f3fefc1126d4f
    • Instruction ID: 05a95464563fb8e27b9269c38a75454ab22b04c02fcdcef1025d6cceb8edaccc
    • Opcode Fuzzy Hash: aac747fb310ab717d0d760d14ce24aeba695579884d4d77e870f3fefc1126d4f
    • Instruction Fuzzy Hash: 24F0E53A34020657CB04AF76D8A5B6BBF94EFC1754B0A409BEA098B391C679D943CB94
    Function 004D38E0 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004D22D9,?,20001004,00000000,00000002,?,?,004D18DB), ref: 004D3914
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 97d0c2a6f371a2a52f3782f1d85efd6bd697d01914b287f07674e2ca5d32aba4
    • Instruction ID: 1715acc850e0921878ddbffdb0a37565a2b36307bfcece00b8cc707df7192d8d
    • Opcode Fuzzy Hash: 97d0c2a6f371a2a52f3782f1d85efd6bd697d01914b287f07674e2ca5d32aba4
    • Instruction Fuzzy Hash: 1AE04F76500128BBCF126F61DC29AAE7F26EF44762F004027FD4566321CB758F21AADA
    Function 004C7765 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
    Download Yara Rule
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00007771,004C6A67), ref: 004C776A
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 8270c4a0000ae84dd4abe3c885c1597be9d987fbb291dab97f26bb99c455fbff
    • Instruction ID: b3db126ca7c25aca55b9a96ff612541ec48946d935621f4dd143b58c0543924c
    • Opcode Fuzzy Hash: 8270c4a0000ae84dd4abe3c885c1597be9d987fbb291dab97f26bb99c455fbff
    • Instruction Fuzzy Hash:
    Function 004C1F1A Relevance: 1.4, Strings: 1, Instructions: 156COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID: Z81xbyuAua
    • API String ID: 0-3121583705
    • Opcode ID: 3f30ecf3cfb6df1267f4d54dd9a80f8470a32b593f4005cb04432b11f827557a
    • Instruction ID: de43aef61e8653ed250779edc25eb52f8a4cd07af31b0ae0bab52831b52762a2
    • Opcode Fuzzy Hash: 3f30ecf3cfb6df1267f4d54dd9a80f8470a32b593f4005cb04432b11f827557a
    • Instruction Fuzzy Hash: BB414E76E1052B4BCB4CEEB9C9455AFBB65E746310B04427FDE11DB3D1E2748A01CAD4
    Function 004DD006 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 01ccc3dbc57af60c8b6c1beac5cc4dfb02e4c9973eabc1a9a69538856e8d4824
    • Instruction ID: 91b456c2fa7463f09550a271a91598e216dc4e0c3091552840b0c4f0d4f50588
    • Opcode Fuzzy Hash: 01ccc3dbc57af60c8b6c1beac5cc4dfb02e4c9973eabc1a9a69538856e8d4824
    • Instruction Fuzzy Hash: 0BA012301001008F43408F35594D30C77A45600181348C26A5000C5031E62445406F00
    Function 00507C09 Relevance: .6, Instructions: 637COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a38eda1e5fe163a9d2d8931a55af3b0b8e09c8fe7de01bd8f0dbc5a1a148cf17
    • Instruction ID: 8a80d40a6afe9bf5cf60f7c7f0ae51077c61999a084cb7e2f69ae2c48cfd9810
    • Opcode Fuzzy Hash: a38eda1e5fe163a9d2d8931a55af3b0b8e09c8fe7de01bd8f0dbc5a1a148cf17
    • Instruction Fuzzy Hash: 6A322221E29F014ED7239634DC2233AAA48BFB73D4F55D737E819B59A6EF29C4934101
    Function 0050BDB3 Relevance: .3, Instructions: 327COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f5aa115f7b62961c69c6af82bb8e917d91efee6d1de70f3159456f9e0484eb9b
    • Instruction ID: a264b1514ffffc5874612e680ad18726d589637d9003df63e2905038a167b94d
    • Opcode Fuzzy Hash: f5aa115f7b62961c69c6af82bb8e917d91efee6d1de70f3159456f9e0484eb9b
    • Instruction Fuzzy Hash: 85B1F5356007029BDB38AF25CC96BBFBBA8FF45708F14456DEA83865C0E775A985CB10
    Function 004DBEF1 Relevance: .3, Instructions: 327COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
    • String ID:
    • API String ID: 3471368781-0
    • Opcode ID: 6fa5cf44366eb58c23f911707b39be87179586595b347a651a772d7e55a6c6ae
    • Instruction ID: 5a02d764e8b908bf58fc2651efe6b4519ab3e069a8d2ba2edc564db959e4f7a0
    • Opcode Fuzzy Hash: 6fa5cf44366eb58c23f911707b39be87179586595b347a651a772d7e55a6c6ae
    • Instruction Fuzzy Hash: 5EB118355007429BDB349F65CCE2ABBB3E8EF44308F54456FE942C6781EB79A985CB08
    Function 004CC6FE Relevance: .3, Instructions: 314COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c5304c0cad711593c9a311b51f9fcfb05ad03deacda0e06d56bf3f623eb1870d
    • Instruction ID: a171d8dc2ad720349a7c69a490599d2890f2849870b84d3650a65601410de531
    • Opcode Fuzzy Hash: c5304c0cad711593c9a311b51f9fcfb05ad03deacda0e06d56bf3f623eb1870d
    • Instruction Fuzzy Hash: F6B1DDB890060B8BCBA4CA6885D5FBFB7A1EB05304F14061FD45AA7791C739D942CB9E
    Function 0050740B Relevance: .3, Instructions: 274COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 66bd135522bfd48ef431717ac9a2d3ac4e718912ce61b150da326bc1aaae8d12
    • Instruction ID: e1f6f0c8a08dd956e7b84a8bd6d9694527a109c69dd75ee18b13d9fa827cf235
    • Opcode Fuzzy Hash: 66bd135522bfd48ef431717ac9a2d3ac4e718912ce61b150da326bc1aaae8d12
    • Instruction Fuzzy Hash: 1EB11F71A14609DFDB15CF2CC486A997FA0FF49364F258658E89ACF2E1C336E991CB40
    Function 004F2FB0 Relevance: .2, Instructions: 165COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 93b451423774f390a84f535dcfe3ba546839b42ee0b499e0766b2c7a98dc649c
    • Instruction ID: d07c145b4fb86bf32b275ddca0000d6174c1dae9ef55c472fb3c3c85e205dba9
    • Opcode Fuzzy Hash: 93b451423774f390a84f535dcfe3ba546839b42ee0b499e0766b2c7a98dc649c
    • Instruction Fuzzy Hash: DA51E6317116168FD708CF39C991A66F7E2FB98310F04876AE529CB281EB34E915CB94
    Function 004F56D0 Relevance: .1, Instructions: 147COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
    • Instruction ID: 2b2c74bd14e73b16252346f96c9974427fc8d5f1040df4b9b09b338a5ab63764
    • Opcode Fuzzy Hash: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
    • Instruction Fuzzy Hash: 45518EB1E11A19CFDB18CF54E9857AABBF0FB48351F24953AD601EB390D378A900CB58
    Function 004F2DF0 Relevance: .1, Instructions: 140COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8c71e8a4d4c822c2af38b7bb403b9e2aeae5574d6a876ff0dc428173de2df168
    • Instruction ID: 72758cc61ff716e0d173fa98eada8b0fd66eb47900372df42d253c73173009bc
    • Opcode Fuzzy Hash: 8c71e8a4d4c822c2af38b7bb403b9e2aeae5574d6a876ff0dc428173de2df168
    • Instruction Fuzzy Hash: AF51B231711A168FD70CCF39C995AA6B7E1FB98310F148769E42ACB2D2DB34A914CB94
    Function 0050703C Relevance: .0, Instructions: 22COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa0ba1e5d9a22f7c6db1b863d068fd7604d8ca8b2c2046f773a74d09f23aaf89
    • Instruction ID: c9efd0c5340889ace06fd430962f9129261a3512b156de6d8b24c4e56b15ad79
    • Opcode Fuzzy Hash: fa0ba1e5d9a22f7c6db1b863d068fd7604d8ca8b2c2046f773a74d09f23aaf89
    • Instruction Fuzzy Hash: 40E04632915268EBCB24DB99892898AB6ACFB88B00B5145A6B501D3280C670EE00CBD0
    Function 004DAA07 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 110e375efb2033e03ce8b70e48f77e8cdc524782d876c586b63fa1f672508759
    • Instruction ID: c74547eb0855e715a81899ed11ed0007a4db1acddf66b89d729d14bc3b00c7a0
    • Opcode Fuzzy Hash: 110e375efb2033e03ce8b70e48f77e8cdc524782d876c586b63fa1f672508759
    • Instruction Fuzzy Hash: 31E04672921228EBCB15DBC98A1498AB2ECEB44B44B11419BB501D3311C2B8DE00CBE5
    Function 004FF396 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
    • Instruction ID: e68cd119ccdd460209cd76909c126991c8e0a903f27a7e10f9cd86c85a7f6d50
    • Opcode Fuzzy Hash: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
    • Instruction Fuzzy Hash: EFC08C3501590987CE298D1082753BE3358FBD1BC2F80049DCF024B783C91EAC8ADE90
    Function 004D0E59 Relevance: .0, Instructions: 12COMMONLIBRARYCODE
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 352c58746815d872af4b3af9a2255c15039a5ed1f7fec551035c6ea349d431e8
    • Instruction ID: 724ad65489f929b6e8a62c2e80d49b6501006e724cec027844c7a480c8183072
    • Opcode Fuzzy Hash: 352c58746815d872af4b3af9a2255c15039a5ed1f7fec551035c6ea349d431e8
    • Instruction Fuzzy Hash: 10C08C3518094046CE298910C3713AA3354E3F67C3FC0088FC4030B752C62E9C86D709
    Function 004F2A10 Relevance: 15.2, APIs: 10, Instructions: 191COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 330 4f2a10-4f2a4f call 4f3364 333 4f2a88-4f2a95 330->333 334 4f2a51-4f2a64 call 4f3364 330->334 335 4f2ac8 333->335 336 4f2a97-4f2a9f 333->336 344 4f2a76-4f2a82 call 4f33bc 334->344 345 4f2a66-4f2a71 334->345 338 4f2aca-4f2ace 335->338 336->338 339 4f2aa1-4f2ac7 call 4f33bc call 4f5313 336->339 342 4f2ae0-4f2ae2 338->342 343 4f2ad0-4f2ad8 call 4f3694 338->343 342->339 346 4f2ae4-4f2ae6 342->346 343->346 357 4f2ada-4f2add 343->357 344->333 345->344 350 4f2aec-4f2b01 call 4f5321 346->350 351 4f2ae8-4f2aea 346->351 359 4f2b0f 350->359 360 4f2b03-4f2b08 350->360 351->339 357->342 362 4f2b14-4f2b63 call 4f3364 359->362 361 4f2b0a-4f2b0d 360->361 360->362 361->362 365 4f2b69-4f2bd4 call 4f379a call 4f4c6b call 4f4cd6 call 4f37e5 362->365 366 4f2c88-4f2c92 call 4f350e 362->366 377 4f2bdf-4f2bed 365->377 378 4f2bd6-4f2bdc call 4fbc24 365->378 380 4f2bef-4f2bf5 call 4fbc24 377->380 381 4f2bf8-4f2c06 377->381 378->377 380->381 384 4f2c08-4f2c0e call 4fbc24 381->384 385 4f2c11-4f2c1f 381->385 384->385 386 4f2c2a-4f2c38 385->386 387 4f2c21-4f2c27 call 4fbc24 385->387 391 4f2c3a-4f2c40 call 4fbc24 386->391 392 4f2c43-4f2c51 386->392 387->386 391->392 396 4f2c5c-4f2c83 call 4f33bc call 4f3668 392->396 397 4f2c53-4f2c59 call 4fbc24 392->397 396->339 397->396
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004F2A3C
    • std::_Lockit::_Lockit.LIBCPMT ref: 004F2A59
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004F2A7D
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004F2AA8
    • std::_Lockit::_Lockit.LIBCPMT ref: 004F2B1A
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004F2B6F
    • __Getctype.LIBCPMT ref: 004F2B86
    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004F2BC6
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004F2C68
    • std::_Facet_Register.LIBCPMT ref: 004F2C6E
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
    • String ID:
    • API String ID: 103145292-0
    • Opcode ID: 0e92b9310a67500b865c09545a8f2bb56ed2792cd4dae89ee153d5d1402e315f
    • Instruction ID: 754d71f69a9f4de1ecace718964a9ab2f0b35a1bd4afc0f8869b24986ee826d1
    • Opcode Fuzzy Hash: 0e92b9310a67500b865c09545a8f2bb56ed2792cd4dae89ee153d5d1402e315f
    • Instruction Fuzzy Hash: F361B2B19043849FD720DF25D941B6BB7E4BF94304F04582EFA8997311EB78E944CB9A
    Function 004F8888 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 406 4f8888-4f88b3 call 4f9800 409 4f88b9-4f88bc 406->409 410 4f8c27-4f8c2c call 4fc02c 406->410 409->410 412 4f88c2-4f88cb 409->412 414 4f89c8-4f89ce 412->414 415 4f88d1-4f88d5 412->415 417 4f89d6-4f89e4 414->417 415->414 416 4f88db-4f88e2 415->416 418 4f88fa-4f88ff 416->418 419 4f88e4-4f88eb 416->419 420 4f89ea-4f89ee 417->420 421 4f8b90-4f8b93 417->421 418->414 423 4f8905-4f890d call 4f850c 418->423 419->418 422 4f88ed-4f88f4 419->422 420->421 426 4f89f4-4f89fb 420->426 424 4f8bb6-4f8bbf call 4f850c 421->424 425 4f8b95-4f8b98 421->425 422->414 422->418 440 4f8913-4f892c call 4f850c * 2 423->440 441 4f8bc1-4f8bc5 423->441 424->410 424->441 425->410 428 4f8b9e-4f8bb3 call 4f8c2d 425->428 429 4f89fd-4f8a04 426->429 430 4f8a13-4f8a19 426->430 428->424 429->430 434 4f8a06-4f8a0d 429->434 435 4f8a1f-4f8a46 call 4f5fec 430->435 436 4f8b30-4f8b34 430->436 434->421 434->430 435->436 452 4f8a4c-4f8a4f 435->452 438 4f8b36-4f8b3f call 4f6a9e 436->438 439 4f8b40-4f8b4c 436->439 438->439 439->424 445 4f8b4e-4f8b58 439->445 440->410 467 4f8932-4f8938 440->467 449 4f8b5a-4f8b5c 445->449 450 4f8b66-4f8b68 445->450 449->424 453 4f8b5e-4f8b62 449->453 454 4f8b7f-4f8b8c call 4f92a6 450->454 455 4f8b6a-4f8b7d call 4f850c * 2 450->455 457 4f8a52-4f8a67 452->457 453->424 459 4f8b64 453->459 470 4f8b8e 454->470 471 4f8beb-4f8c00 call 4f850c * 2 454->471 484 4f8bc6 call 4fe6a4 455->484 462 4f8a6d-4f8a70 457->462 463 4f8b11-4f8b24 457->463 459->455 462->463 464 4f8a76-4f8a7e 462->464 463->457 468 4f8b2a-4f8b2d 463->468 464->463 469 4f8a84-4f8a98 464->469 473 4f893a-4f893e 467->473 474 4f8964-4f896c call 4f850c 467->474 468->436 475 4f8a9b-4f8aac 469->475 470->424 502 4f8c05-4f8c22 call 4f61df call 4f91a6 call 4f9363 call 4f911d 471->502 503 4f8c02 471->503 473->474 479 4f8940-4f8947 473->479 489 4f896e-4f898e call 4f850c * 2 call 4f92a6 474->489 490 4f89d0-4f89d3 474->490 480 4f8aae-4f8abf call 4f8d63 475->480 481 4f8ad2-4f8adf 475->481 485 4f895b-4f895e 479->485 486 4f8949-4f8950 479->486 499 4f8ae3-4f8b0b call 4f8808 480->499 500 4f8ac1-4f8aca 480->500 481->475 492 4f8ae1 481->492 498 4f8bcb-4f8be6 call 4f6a9e call 4f8f17 call 4f5f80 484->498 485->410 485->474 486->485 487 4f8952-4f8959 486->487 487->474 487->485 489->490 520 4f8990-4f8995 489->520 490->417 497 4f8b0e 492->497 497->463 498->471 499->497 500->480 506 4f8acc-4f8acf 500->506 502->410 503->502 506->481 520->484 523 4f899b-4f89ae call 4f8f2f 520->523 523->498 527 4f89b4-4f89c0 523->527 527->484 528 4f89c6 527->528 528->523
    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 004F89A7
    • ___TypeMatch.LIBVCRUNTIME ref: 004F8AB5
    • _UnwindNestedFrames.LIBCMT ref: 004F8C07
    • CallUnexpected.LIBVCRUNTIME ref: 004F8C22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2751267872-393685449
    • Opcode ID: bca48ede98bc9644994582ff637e3a37132db79052d9ea52617ab948eb45153a
    • Instruction ID: a804e3c725c2516a535762cce207620dec127af1e269e8481c79d6f40371706f
    • Opcode Fuzzy Hash: bca48ede98bc9644994582ff637e3a37132db79052d9ea52617ab948eb45153a
    • Instruction Fuzzy Hash: FCB156B180020DAFCF14DFA5C8819BEB7B5EF15314B14445FEA106F202DB78EA51CBAA
    Function 004D768F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 529 4d768f-4d769f 530 4d76b9-4d76bb 529->530 531 4d76a1-4d76b4 call 4cd566 call 4cd579 529->531 533 4d7a0f-4d7a1c call 4cd566 call 4cd579 530->533 534 4d76c1-4d76c7 530->534 548 4d7a27 531->548 553 4d7a22 call 4cd47b 533->553 534->533 537 4d76cd-4d76f9 534->537 537->533 540 4d76ff-4d7708 537->540 543 4d770a-4d771d call 4cd566 call 4cd579 540->543 544 4d7722-4d7724 540->544 543->553 546 4d7a0b-4d7a0d 544->546 547 4d772a-4d772e 544->547 551 4d7a2a-4d7a2d 546->551 547->546 552 4d7734-4d7738 547->552 548->551 552->543 556 4d773a-4d7751 552->556 553->548 558 4d7796-4d779c 556->558 559 4d7753-4d7756 556->559 560 4d776d-4d7784 call 4cd566 call 4cd579 call 4cd47b 558->560 561 4d779e-4d77a5 558->561 562 4d7758-4d7760 559->562 563 4d7765-4d776b 559->563 592 4d7942 560->592 564 4d77a9-4d77c7 call 4d3e14 call 4d33ef * 2 561->564 565 4d77a7 561->565 566 4d7816-4d7829 562->566 563->560 567 4d7789-4d7794 563->567 603 4d77c9-4d77df call 4cd579 call 4cd566 564->603 604 4d77e4-4d780c call 4d7c35 564->604 565->564 571 4d782f-4d783b 566->571 572 4d78e5-4d78ee call 4defd5 566->572 569 4d7813 567->569 569->566 571->572 576 4d7841-4d7843 571->576 583 4d795f 572->583 584 4d78f0-4d7902 572->584 576->572 580 4d7849-4d786a 576->580 580->572 586 4d786c-4d7882 580->586 588 4d7963-4d7979 ReadFile 583->588 584->583 589 4d7904-4d7913 GetConsoleMode 584->589 586->572 591 4d7884-4d7886 586->591 593 4d797b-4d7981 588->593 594 4d79d7-4d79e2 GetLastError 588->594 589->583 595 4d7915-4d7919 589->595 591->572 597 4d7888-4d78ab 591->597 602 4d7945-4d794f call 4d33ef 592->602 593->594 600 4d7983 593->600 598 4d79fb-4d79fe 594->598 599 4d79e4-4d79f6 call 4cd579 call 4cd566 594->599 595->588 601 4d791b-4d7933 ReadConsoleW 595->601 597->572 605 4d78ad-4d78c3 597->605 611 4d793b-4d7941 call 4cd51f 598->611 612 4d7a04-4d7a06 598->612 599->592 608 4d7986-4d7998 600->608 609 4d7935 GetLastError 601->609 610 4d7954-4d795d 601->610 602->551 603->592 604->569 605->572 615 4d78c5-4d78c7 605->615 608->602 618 4d799a-4d799e 608->618 609->611 610->608 611->592 612->602 615->572 622 4d78c9-4d78e0 615->622 625 4d79b7-4d79c4 618->625 626 4d79a0-4d79b0 call 4d73a9 618->626 622->572 631 4d79c6 call 4d7500 625->631 632 4d79d0-4d79d5 call 4d7201 625->632 637 4d79b3-4d79b5 626->637 638 4d79cb-4d79ce 631->638 632->638 637->602 638->637
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3907804496
    • Opcode ID: 75f8db5692d6d32213a861d6597d5b5989ce04d401f4f97b81a88f5f61dea488
    • Instruction ID: 1a98b4844ae0108cac7eef90246f0306295ac8079451f0927fb698838c8008e2
    • Opcode Fuzzy Hash: 75f8db5692d6d32213a861d6597d5b5989ce04d401f4f97b81a88f5f61dea488
    • Instruction Fuzzy Hash: E8B139B5E08205EFDB01DFA9C8A1BAE7BB1AF45314F14419BE40067391E7789E46CF29
    Function 004CA278 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 639 4ca278-4ca2a3 call 4cb1f0 642 4ca2a9-4ca2ac 639->642 643 4ca617-4ca61c call 4cfafc 639->643 642->643 644 4ca2b2-4ca2bb 642->644 646 4ca3b8-4ca3be 644->646 647 4ca2c1-4ca2c5 644->647 650 4ca3c6-4ca3d4 646->650 647->646 649 4ca2cb-4ca2d2 647->649 651 4ca2ea-4ca2ef 649->651 652 4ca2d4-4ca2db 649->652 653 4ca3da-4ca3de 650->653 654 4ca580-4ca583 650->654 651->646 656 4ca2f5-4ca2fd call 4c9efc 651->656 652->651 655 4ca2dd-4ca2e4 652->655 653->654 659 4ca3e4-4ca3eb 653->659 657 4ca585-4ca588 654->657 658 4ca5a6-4ca5af call 4c9efc 654->658 655->646 655->651 673 4ca5b1-4ca5b5 656->673 674 4ca303-4ca31c call 4c9efc * 2 656->674 657->643 661 4ca58e-4ca5a3 call 4ca61d 657->661 658->643 658->673 662 4ca3ed-4ca3f4 659->662 663 4ca403-4ca409 659->663 661->658 662->663 667 4ca3f6-4ca3fd 662->667 668 4ca40f-4ca436 call 4c810d 663->668 669 4ca520-4ca524 663->669 667->654 667->663 668->669 681 4ca43c-4ca43f 668->681 671 4ca526-4ca52f call 4c7f4f 669->671 672 4ca530-4ca53c 669->672 671->672 672->658 679 4ca53e-4ca548 672->679 674->643 698 4ca322-4ca328 674->698 683 4ca54a-4ca54c 679->683 684 4ca556-4ca558 679->684 686 4ca442-4ca457 681->686 683->658 687 4ca54e-4ca552 683->687 688 4ca56f-4ca57c call 4cac96 684->688 689 4ca55a-4ca56d call 4c9efc * 2 684->689 691 4ca45d-4ca460 686->691 692 4ca501-4ca514 686->692 687->658 694 4ca554 687->694 706 4ca57e 688->706 707 4ca5db-4ca5f0 call 4c9efc * 2 688->707 713 4ca5b6 call 4d2bf9 689->713 691->692 700 4ca466-4ca46e 691->700 692->686 699 4ca51a-4ca51d 692->699 694->689 703 4ca32a-4ca32e 698->703 704 4ca354-4ca35c call 4c9efc 698->704 699->669 700->692 705 4ca474-4ca488 700->705 703->704 709 4ca330-4ca337 703->709 723 4ca35e-4ca37e call 4c9efc * 2 call 4cac96 704->723 724 4ca3c0-4ca3c3 704->724 710 4ca48b-4ca49c 705->710 706->658 736 4ca5f5-4ca612 call 4c82f9 call 4cab96 call 4cad53 call 4cab0d 707->736 737 4ca5f2 707->737 714 4ca339-4ca340 709->714 715 4ca34b-4ca34e 709->715 716 4ca49e-4ca4af call 4ca753 710->716 717 4ca4c2-4ca4cf 710->717 727 4ca5bb-4ca5d6 call 4c7f4f call 4ca907 call 4c7ee3 713->727 714->715 721 4ca342-4ca349 714->721 715->643 715->704 733 4ca4b1-4ca4ba 716->733 734 4ca4d3-4ca4fb call 4ca1f8 716->734 717->710 726 4ca4d1 717->726 721->704 721->715 723->724 753 4ca380-4ca385 723->753 724->650 731 4ca4fe 726->731 727->707 731->692 733->716 739 4ca4bc-4ca4bf 733->739 734->731 736->643 737->736 739->717 753->713 755 4ca38b-4ca39e call 4ca91f 753->755 755->727 760 4ca3a4-4ca3b0 755->760 760->713 761 4ca3b6 760->761 761->755
    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 004CA397
    • ___TypeMatch.LIBVCRUNTIME ref: 004CA4A5
    • CallUnexpected.LIBVCRUNTIME ref: 004CA612
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CallMatchTypeUnexpectedtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 1206542248-393685449
    • Opcode ID: bd084257eb1abc2b7bf058a13017993e4ea80041defd002e1bc622ecf5c51fb8
    • Instruction ID: f3d325c2e5bfb8f6c2ba4a50cd6a363858344b7d3b86c2090f375d4f405ed108
    • Opcode Fuzzy Hash: bd084257eb1abc2b7bf058a13017993e4ea80041defd002e1bc622ecf5c51fb8
    • Instruction Fuzzy Hash: E7B1897980020DEFCF55DF95C885EAEBBB5AF04308B14805FE8006B252D739DE61CB9A
    Function 00512215 Relevance: 10.7, APIs: 7, Instructions: 248COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 762 512215-512247 763 512259-51225c 762->763 764 512249-512257 call 4fe65b 762->764 766 512262-512267 763->766 767 51245d 763->767 764->766 770 512279-51227c 766->770 771 512269-512277 call 4fe65b 766->771 768 51245f-512470 call 4f5313 767->768 770->767 772 512282-512287 770->772 771->772 776 512294-512296 772->776 777 512289-512291 772->777 779 5122a0-5122a2 776->779 780 512298-51229a 776->780 777->776 782 5122a8-5122ab 779->782 783 5124ad 779->783 780->779 781 51233f-512357 call 508eff 780->781 781->767 790 51235d-512369 781->790 784 5122b1-5122b4 782->784 785 512337-51233a 782->785 788 5122b6-5122c3 784->788 789 5122fc-5122ff 784->789 785->768 788->767 797 5122c9-5122cb 788->797 789->768 791 5124a9-5124ab 790->791 792 51236f-512374 790->792 796 5124a2-5124a7 call 4f505f 791->796 794 512376-51237f call 4f56a0 792->794 795 51238d-512398 call 503316 792->795 794->791 808 512385-51238b 794->808 795->791 811 51239e 795->811 809 51245c 796->809 801 512304-512306 797->801 802 5122cd-5122d1 797->802 801->781 805 512308-51230c 801->805 802->789 807 5122d3-5122da 802->807 805->785 810 51230e-512315 805->810 807->789 812 5122dc 807->812 814 5123a4-5123a9 808->814 809->767 810->785 815 512317 810->815 811->814 813 5122df-5122e4 812->813 813->789 816 5122e6-5122ea 813->816 814->791 818 5123af-5123c7 call 508eff 814->818 817 51231a-51231f 815->817 819 5122f4-5122fa 816->819 820 5122ec-5122ee 816->820 817->785 821 512321-512325 817->821 826 5124a1 818->826 827 5123cd-5123e6 call 508eff 818->827 819->789 819->813 820->783 820->819 823 512327-512329 821->823 824 51232f-512335 821->824 823->783 823->824 824->785 824->817 826->796 827->826 830 5123ec-5123f8 827->830 831 51249d-51249f 830->831 832 5123fe-512403 830->832 833 512450-51245b call 4f505f * 2 831->833 834 512405-51240e call 4f56a0 832->834 835 51241c-512427 call 503316 832->835 833->809 834->831 843 512414-51241a 834->843 835->831 844 512429 835->844 846 51242f-512434 843->846 844->846 846->831 847 512436-51244d call 508eff 846->847 850 512471-51249b call 50239e call 4f505f * 2 847->850 851 51244f 847->851 850->768 851->833
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __freea$__alloca_probe_16
    • String ID:
    • API String ID: 3509577899-0
    • Opcode ID: 32b707187ff529a70b224748a92498d49adc66242394f2d30edada97c912442b
    • Instruction ID: aba792b74b199af272481673ee97d2f58fccbd5e0f2c924591a0ff2e69d823dc
    • Opcode Fuzzy Hash: 32b707187ff529a70b224748a92498d49adc66242394f2d30edada97c912442b
    • Instruction Fuzzy Hash: D47117769002099FFF219E94CC41FFE7FA9BF49310F140419EA54A7282DBB9DCA187A4
    Function 004D35FF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • FreeLibrary.KERNEL32(00000000,?,004D370C,?,?,00000000,00000000,?,?,004D38BA,00000021,FlsSetValue,004E69C8,004E69D0,00000000), ref: 004D36C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-$ext-ms-
    • API String ID: 3664257935-537541572
    • Opcode ID: d6700ce3e451b604a4867f0e0fe22b7f03929138ff27007eda637ce6f1d88459
    • Instruction ID: 72d3798394d2c05a770bc98a5774bd461ebc9500fded15b62475ffdf1ac3ec19
    • Opcode Fuzzy Hash: d6700ce3e451b604a4867f0e0fe22b7f03929138ff27007eda637ce6f1d88459
    • Instruction Fuzzy Hash: 0021D531A01210BBCB319F219C68A5B3768AB41766F290627F915AB391D778EF01C6DA
    Function 004C38EF Relevance: 10.5, APIs: 7, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C38F6
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C3900
    • int.LIBCPMT ref: 004C3917
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • codecvt.LIBCPMT ref: 004C393A
    • std::_Facet_Register.LIBCPMT ref: 004C3951
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C3971
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C397E
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
    • String ID:
    • API String ID: 2133458128-0
    • Opcode ID: 6d88e42c7a09896f35e96b7c4740e55817413cb387bc3717f3b5c62899afd113
    • Instruction ID: 0ef3de9ee907dfa1819455a810f662bd999492c43cb25d8419a0a09ee137b4f7
    • Opcode Fuzzy Hash: 6d88e42c7a09896f35e96b7c4740e55817413cb387bc3717f3b5c62899afd113
    • Instruction Fuzzy Hash: 7E01E1799001199BCB90EFA5C841FBE7771AF84726F14840FF4116B3A2CB78AE01CB88
    Function 004F3919 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004F3920
    • std::_Lockit::_Lockit.LIBCPMT ref: 004F392A
      • Part of subcall function 004EF880: std::_Lockit::_Lockit.LIBCPMT ref: 004EF89C
      • Part of subcall function 004EF880: std::_Lockit::~_Lockit.LIBCPMT ref: 004EF8B9
    • codecvt.LIBCPMT ref: 004F3964
    • std::_Facet_Register.LIBCPMT ref: 004F397B
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004F399B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
    • String ID: dOC
    • API String ID: 712880209-682359054
    • Opcode ID: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
    • Instruction ID: 5efd12f9fea9895eeb4060c1bf68c908c47d096bdb4c98b64e5b6f1e645c9211
    • Opcode Fuzzy Hash: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
    • Instruction Fuzzy Hash: 1001D671900619ABCB05EF65C845ABE7771AF84716F24041FE610AB391CFBC9F058B99
    Function 004C3155 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C3161
    • int.LIBCPMT ref: 004C3174
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C31A7
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C31BD
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C31C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID: pO[
    • API String ID: 2081738530-552102644
    • Opcode ID: 86569a7a134f25fcfb986a2c94a421c4b17fbb95ce0c36c7f1ccb38182bb35f2
    • Instruction ID: f43b4d970b1d6a33a524819e581f5154951aef797a2443a49eae6758687d3567
    • Opcode Fuzzy Hash: 86569a7a134f25fcfb986a2c94a421c4b17fbb95ce0c36c7f1ccb38182bb35f2
    • Instruction Fuzzy Hash: 7401243A500114BFCB54AF51D805EEE77A8EF81728B14464EF80257392EF38AF01C788
    Function 004C6751 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004C679A
    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004C6805
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C6822
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004C6861
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C68C0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004C68E3
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide
    • String ID:
    • API String ID: 2829165498-0
    • Opcode ID: 2781e9fcd670cc6f8c8640b8c949cf1656b92106863f7af17978584bb00a2e8a
    • Instruction ID: 6ead63d353c8ccd2243a5c0d5c157cc15e285738e4b881732e1e23d63ef8307c
    • Opcode Fuzzy Hash: 2781e9fcd670cc6f8c8640b8c949cf1656b92106863f7af17978584bb00a2e8a
    • Instruction Fuzzy Hash: B351D07A50120AABDF60AF55CC44FAB7BA9EF44754F16842EF905A6250DB39CD00CB68
    Function 004C5019 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C5020
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C502A
    • int.LIBCPMT ref: 004C5041
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C507B
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C509B
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C50A8
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
    • String ID:
    • API String ID: 55977855-0
    • Opcode ID: a54284937665cc8ebb35aa83882acfc992958f5527ed38e600be172a067c2588
    • Instruction ID: a723adfbd55a5833b14b588e7a98e11e09915f0fde11a5082b96902081152ddb
    • Opcode Fuzzy Hash: a54284937665cc8ebb35aa83882acfc992958f5527ed38e600be172a067c2588
    • Instruction Fuzzy Hash: 9A11E139910618ABCB95EF66C805BAE77F4BF84325F50450FE401A7392DB78BE458B88
    Function 004C9F0A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,?,004C9F01,004C80FB,004C77B5), ref: 004C9F18
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004C9F26
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004C9F3F
    • SetLastError.KERNEL32(00000000,004C9F01,004C80FB,004C77B5), ref: 004C9F91
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 6049e0c36028fe846bff13b38c7cdc6490d067ce3ed2ca417a36132e90f88bfb
    • Instruction ID: 9f62e71f915faba16f617a64bbd84968c2bf2251352954619ec8f63695d7da83
    • Opcode Fuzzy Hash: 6049e0c36028fe846bff13b38c7cdc6490d067ce3ed2ca417a36132e90f88bfb
    • Instruction Fuzzy Hash: DB01D83A20C361BEA7A42A767CCEF672745FB01778724023FF1108A1E6EF5A4D01518D
    Function 004D0E7B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,675816BD,?,?,00000000,004E2025,000000FF,?,004D0E0B,004D0F3B,?,004D0DDF,00000000), ref: 004D0EB0
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004D0EC2
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,004E2025,000000FF,?,004D0E0B,004D0F3B,?,004D0DDF,00000000), ref: 004D0EE4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: cfec1d245605b13d0896357a7a08d5c79a46e2d403c6255aedd0482c24b7bdd2
    • Instruction ID: 407de137f6f97285b02752e8bb5b6401058dc16e098bd96e2275aa5b0853b115
    • Opcode Fuzzy Hash: cfec1d245605b13d0896357a7a08d5c79a46e2d403c6255aedd0482c24b7bdd2
    • Instruction Fuzzy Hash: 4E01A731500659EFDB128F41DC49BAFBBB8FB04722F00052BE811A7391EB789900CA58
    Function 00506DA1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __freea$__alloca_probe_16
    • String ID:
    • API String ID: 3509577899-0
    • Opcode ID: 2717c78738c49986ff27965d3fda623c27c661b0839ae79fd8e1837d9ca99192
    • Instruction ID: 30c05cfdd5a6c174b2c0a7aa98835d82f8f3c3ec844de710c1575c2f92c6f06a
    • Opcode Fuzzy Hash: 2717c78738c49986ff27965d3fda623c27c661b0839ae79fd8e1837d9ca99192
    • Instruction Fuzzy Hash: BE518C7260021BAFEF209F64DC85EBF3EA9FF44754B150529BE08D6191EA75DD2086A0
    Function 004C25C5 Relevance: 7.5, APIs: 5, Instructions: 48COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C25D1
    • int.LIBCPMT ref: 004C25E4
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C2617
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C262D
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C2638
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID:
    • API String ID: 2081738530-0
    • Opcode ID: fbe851eac835b5899b5643f104823385747e5965bc840aa45ce505b18409e63d
    • Instruction ID: f4db926c12eec6af5535d89e0c4bdb0ae8e98fe8526e8fd0518bedefe8cd6d6d
    • Opcode Fuzzy Hash: fbe851eac835b5899b5643f104823385747e5965bc840aa45ce505b18409e63d
    • Instruction Fuzzy Hash: 3C01D43A600114BBCB55AB65C905EEE7768DF85724F11424FF802573A1EBB8AF028798
    Function 004C4D9C Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C4DA3
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C4DAE
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C4E1C
      • Part of subcall function 004C4EFF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004C4F17
    • std::locale::_Setgloballocale.LIBCPMT ref: 004C4DC9
    • _Yarn.LIBCPMT ref: 004C4DDF
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
    • String ID:
    • API String ID: 1088826258-0
    • Opcode ID: b3ab9adf7c49731727f0eaf465a1c5c043ab6a3c9a20d69b366f41cc45e0b8af
    • Instruction ID: 4518d22efc48399e02261a07613934fa03bd37a4f325e900abf7cb4e1bd4e9b5
    • Opcode Fuzzy Hash: b3ab9adf7c49731727f0eaf465a1c5c043ab6a3c9a20d69b366f41cc45e0b8af
    • Instruction Fuzzy Hash: 20019A79A001909BCB46EF61D995A7D77A1BB84315B16800FE81217392CB3C6E06DB89
    Function 0050DD9D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 273COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: __dosmaperr
    • String ID: H
    • API String ID: 2332233096-2852464175
    • Opcode ID: f80aff05c03fc09639beafaa39d995decf8c3a4e6499cf810c1a49e9d87c7d5e
    • Instruction ID: 3fd62c6a5a1e300dddad871a5d8da6ea0b6055c1b2a50cf53bfc2b70fd5cf0e2
    • Opcode Fuzzy Hash: f80aff05c03fc09639beafaa39d995decf8c3a4e6499cf810c1a49e9d87c7d5e
    • Instruction Fuzzy Hash: 45A11532A145599FCF19AFA8DC96BAD3FB0BB46310F28015DF802DB2D1D7349812DB65
    Function 004D6888 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON
    Download Yara Rule
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D6A20
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D6A33
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: ^hM$^hM
    • API String ID: 885266447-1182382858
    • Opcode ID: 45b46c6b2c2186212d6ff6c47f8f5ca8bfd23470a37298ba18f8160f25da4a9b
    • Instruction ID: 011d7d848b220e993517c8d16e6758193a646962e2b5a5d96f27b63fc37fc775
    • Opcode Fuzzy Hash: 45b46c6b2c2186212d6ff6c47f8f5ca8bfd23470a37298ba18f8160f25da4a9b
    • Instruction Fuzzy Hash: C55191B1A00148AFCF14CF99C8A1AAEBBB2EF49350F15815BE895A7351D339ED42CF54
    Function 004C28E9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3_catch_strlen
    • String ID: input string: $xN[
    • API String ID: 3133806014-4158660745
    • Opcode ID: 8d9fe5703f8e829ccf08b5ec7fd768545cff65b4d1467ccb19f041f2ba01df28
    • Instruction ID: 530fdb0df99ebb75456f6fe3a2f747d05f297172d9beb560d3abb8f6af535347
    • Opcode Fuzzy Hash: 8d9fe5703f8e829ccf08b5ec7fd768545cff65b4d1467ccb19f041f2ba01df28
    • Instruction Fuzzy Hash: 7F41B579B002008FCBA0DB69CAC0E6D77B1BB48734F29424FE415A73A2C6F5AC41CB59
    Function 004CB052 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004CB003,00000000,?,005B54C4,?,?,?,004CB1A6,00000004,InitializeCriticalSectionEx,004E4C70,InitializeCriticalSectionEx), ref: 004CB05F
    • GetLastError.KERNEL32(?,004CB003,00000000,?,005B54C4,?,?,?,004CB1A6,00000004,InitializeCriticalSectionEx,004E4C70,InitializeCriticalSectionEx,00000000,?,004CAF5D), ref: 004CB069
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004CB091
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 3b4bed5e43fbb8e18260c01669b98aa2e4aa05eadd58102deb05afa84dec4115
    • Instruction ID: 3fa1d5d944ec88fda4182c2850afaa244d7e92f9c382a351ba988cfd133321b0
    • Opcode Fuzzy Hash: 3b4bed5e43fbb8e18260c01669b98aa2e4aa05eadd58102deb05afa84dec4115
    • Instruction Fuzzy Hash: 70E01274640344B7DB211F72EC4AF1A3A54AB40B55F144076FA0CAD1E1D7659A5085CC
    Function 004D582E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetConsoleOutputCP.KERNEL32(675816BD,00000000,00000000,?), ref: 004D5891
      • Part of subcall function 004D98E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004D89AA,?,00000000,-00000008), ref: 004D9991
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004D5AEC
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004D5B34
    • GetLastError.KERNEL32 ref: 004D5BD7
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
    • String ID:
    • API String ID: 2112829910-0
    • Opcode ID: 376bea2b079986c3fd21da8065f4e56178424d44a7a334b16c85a8fc1e156455
    • Instruction ID: 8d9c77296adcd51c308c30d7adce332801e7059f6727de08bae5cc0b719456b0
    • Opcode Fuzzy Hash: 376bea2b079986c3fd21da8065f4e56178424d44a7a334b16c85a8fc1e156455
    • Instruction Fuzzy Hash: A8D18CB5D006589FCB05CFA8C890AADBBB5FF09314F28416BE456E7341EB34A946CF54
    Function 004CA021 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: b07fb726297c6d7aa63ecfb1a985e229bcfc2ebf46f8a60382e72262c784082d
    • Instruction ID: f8a42183039e9f6e8ad5a29d6db9ca25d05c471e2c1f0b9d6a7e39d5156b8a7b
    • Opcode Fuzzy Hash: b07fb726297c6d7aa63ecfb1a985e229bcfc2ebf46f8a60382e72262c784082d
    • Instruction Fuzzy Hash: 4551E37960120AAFDB698F56C841F7A77A4EF00718F18412FE84147391DB39AC61DB9A
    Function 004F8631 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: d95edfa48ed7d5b6bb91a825a2d964fdf8877f62f468544baf2dcb66ebf8e1e5
    • Instruction ID: f85f9e51757541913dae6893fa9e98c9e911181f780e23138e03c1bcbe60970e
    • Opcode Fuzzy Hash: d95edfa48ed7d5b6bb91a825a2d964fdf8877f62f468544baf2dcb66ebf8e1e5
    • Instruction Fuzzy Hash: 4C51D17160060AAFEB28AF11DD45B7A77E4EF04304F24442FEA158F291DB39ED41CB98
    Function 004F851A Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004F8536
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004F854F
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Value___vcrt_
    • String ID:
    • API String ID: 1426506684-0
    • Opcode ID: f79783cf4e283788485e810e96ae3962078c34cc6f58696eba5703b373d9bdf3
    • Instruction ID: 12237f89a83c71778afd01c5ee149bff5287eb5ad235d1421212cb41a2b412db
    • Opcode Fuzzy Hash: f79783cf4e283788485e810e96ae3962078c34cc6f58696eba5703b373d9bdf3
    • Instruction Fuzzy Hash: AF01F53221D319BFDA692775BD8567726A4EB01378330223FF3149A2E1EF195C01968C
    Function 004E0616 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • WriteConso.KERNEL32(00000000,00000000,?,00000000,00000000,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000), ref: 004E062D
    • GetLastError.KERNEL32(?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?,?,?,004D61B2,00000000), ref: 004E0639
      • Part of subcall function 004E05FF: CloseHandle.KERNEL32(FFFFFFFE,004E0649,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?,?), ref: 004E060F
    • ___initconout.LIBCMT ref: 004E0649
      • Part of subcall function 004E05C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004E05F0,004DF036,?,?,004D5C2B,?,00000000,00000000,?), ref: 004E05D4
    • WriteConso.KERNEL32(00000000,00000000,?,00000000,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?), ref: 004E065E
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ConsoWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 1327366883-0
    • Opcode ID: 6ff8b9b6e930565a6bb9a9dfd0105c9818d80cd778a287d3665571bfa8dcf1a3
    • Instruction ID: 93934a9356787c62b20f84325b131c10896ce8c0f73639908e311d7458e7f49d
    • Opcode Fuzzy Hash: 6ff8b9b6e930565a6bb9a9dfd0105c9818d80cd778a287d3665571bfa8dcf1a3
    • Instruction Fuzzy Hash: E0F03736400199BBCF125F97EC48E8A3F65FF48362B044569F9199A131C6718A60DF98
    Function 0050AC9D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID: AC$ AC
    • API String ID: 0-2553023829
    • Opcode ID: cedf6b15ef201e08950a9590e3cc96283dc0a593f63901964313eeb3d6e4f466
    • Instruction ID: 13b5895934ec9191942d54aaeb7e57eb462298748d712da147d429f3f5537403
    • Opcode Fuzzy Hash: cedf6b15ef201e08950a9590e3cc96283dc0a593f63901964313eeb3d6e4f466
    • Instruction Fuzzy Hash: ABC112B6A40206ABDB20DEA8CC86FDE7BF8BB48700F144165FA05FB2C2D674D9419765
    Function 004C263E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3_catch_strlen
    • String ID: pO[
    • API String ID: 3133806014-552102644
    • Opcode ID: 3e8597b8314083715665bcefcdd1caccbcb09d2d4b06288dd44d082b74bdf497
    • Instruction ID: cb0539e37111b0a531ff75cf1df551e198b85516c1fafe135bf601d745433259
    • Opcode Fuzzy Hash: 3e8597b8314083715665bcefcdd1caccbcb09d2d4b06288dd44d082b74bdf497
    • Instruction Fuzzy Hash: 57716078E012058FCB64DF99D980EADB7F1BF48314B24825EE415AB392D7B8AD42CF54
    Function 004F8320 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
    Download Yara Rule
    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 004F835F
    • __IsNonwritableInCurrentImage.LIBCMT ref: 004F8413
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 73f2a96de005f1e6ec4b1510e602c753a631824e33d570dc704df2bb37d82237
    • Instruction ID: 82d8ef7a150593808c08cb1ba5be95eb1faf97b10a274c3e40f4b929e2d79cd7
    • Opcode Fuzzy Hash: 73f2a96de005f1e6ec4b1510e602c753a631824e33d570dc704df2bb37d82237
    • Instruction Fuzzy Hash: 2241B734A0010D9BCF10DF69C881AAE7BB0BF44314F14819AEE145F352DB39A915CB99
    Function 004C9D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
    Download Yara Rule
    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 004C9D4F
    • __IsNonwritableInCurrentImage.LIBCMT ref: 004C9E03
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 427bb8b9c59822d2145f1adf9cd135c67b1e5b617d440f5eee92f3a9aa7a84f5
    • Instruction ID: 5a6075f1bb3929a43a19bd17cde543692e1711d423893af617633a9855f86066
    • Opcode Fuzzy Hash: 427bb8b9c59822d2145f1adf9cd135c67b1e5b617d440f5eee92f3a9aa7a84f5
    • Instruction Fuzzy Hash: 4941C638A00218ABCF50DF59C888F9EBBB1AF45318F14815FE8156B392D7399E11CB95
    Function 004CA61D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • EncodePointer.KERNEL32(00000000,?), ref: 004CA642
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 45d56c5c9a639abef8bb38956ac9f455838d8e473b16656e60d6e2e8d98527d2
    • Instruction ID: 877cc43cdc847d85da4bf6c1fdace910be984000e653ca669e3fc15e4d46042a
    • Opcode Fuzzy Hash: 45d56c5c9a639abef8bb38956ac9f455838d8e473b16656e60d6e2e8d98527d2
    • Instruction Fuzzy Hash: 1641473590020DAFCF16CF98CD85FAEBBB5BF48308F19405EF90466251D7399960DB5A
    Function 004C693B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004C72E3
    • ___raise_securityfailure.LIBCMT ref: 004C73CB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: `Q[
    • API String ID: 3761405300-3901748827
    • Opcode ID: 09228daee5f0710627490194a0cd5330037726245915be5a6ad9e31a7db4cb2c
    • Instruction ID: cc20897adb86d7c0ebbd48e76711b00a73fe05f3e8181254e79fa2449b2609e9
    • Opcode Fuzzy Hash: 09228daee5f0710627490194a0cd5330037726245915be5a6ad9e31a7db4cb2c
    • Instruction Fuzzy Hash: E52125B8502B009BD799DF29F985704BBA4FB68300F54422AE5049B3B1F3B46989EF49
    Function 004C73E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004C73EB
    • ___raise_securityfailure.LIBCMT ref: 004C74A8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: `Q[
    • API String ID: 3761405300-3901748827
    • Opcode ID: 1ba1338820687ad6800a1742a3ee74ea73f9eb03fcb4ff23fecaf11688f66fa7
    • Instruction ID: 6956842c869adc949f369f0e500d65e3bb2b7acb5701eb83606abc6077522c09
    • Opcode Fuzzy Hash: 1ba1338820687ad6800a1742a3ee74ea73f9eb03fcb4ff23fecaf11688f66fa7
    • Instruction Fuzzy Hash: BC11C3B8516B449BDB8ADF29F981744BBA4FB68300B04535AE9089B370F370694DEF45
    Function 004C1605 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C160C
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004C1644
      • Part of subcall function 004C4E9A: _Yarn.LIBCPMT ref: 004C4EB9
      • Part of subcall function 004C4E9A: _Yarn.LIBCPMT ref: 004C4EDD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
    • String ID: bad locale name
    • API String ID: 1908188788-1405518554
    • Opcode ID: f05da5a036d7ccd16b7466ff5816ad52d35535dece5a10e40359ffd68c79ca9f
    • Instruction ID: 84514c555865795cd5b8bde9f2ca37c0846846fc85f46d95b794e10b63ab47ca
    • Opcode Fuzzy Hash: f05da5a036d7ccd16b7466ff5816ad52d35535dece5a10e40359ffd68c79ca9f
    • Instruction Fuzzy Hash: 72F017B5506B909E83709FBB8581947FBE4BE29311394CA2FE1DEC3A11D734A504CB6E
    Function 004F39AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3
    • String ID: JRB$pdB
    • API String ID: 431132790-4236282298
    • Opcode ID: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
    • Instruction ID: b28e40d75a35f46d5e2b310363485234f208446f6dad3fa67c814476f4e91699
    • Opcode Fuzzy Hash: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
    • Instruction Fuzzy Hash: BE01D6B4A00619CFC761DF28C540A6ABBF0BF08304B51896EE5C9DB711D7B5EA40CF58
    Function 004EF6F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON
    Download Yara Rule
    APIs
    • ___std_exception_copy.LIBVCRUNTIME ref: 004EF72C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ___std_exception_copy
    • String ID: 4/C$HPC
    • API String ID: 2659868963-744383018
    • Opcode ID: 9d0356c4336352dee0926bcbf3281c68f0182bfbb42950667dd02130b88f9e35
    • Instruction ID: c5e7dd0d85913dc107d306dec19027d4e87af5f1d071d73adba1ff5112de981e
    • Opcode Fuzzy Hash: 9d0356c4336352dee0926bcbf3281c68f0182bfbb42950667dd02130b88f9e35
    • Instruction Fuzzy Hash: 47E092B19102149BC604FF64D80198AB3E89E54714B50C92FF684D3105F7B4D9488768
    Function 004EF880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004EF89C
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004EF8B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Lockitstd::_$Lockit::_Lockit::~_
    • String ID: HPC
    • API String ID: 593203224-3567667220
    • Opcode ID: ff915995972932a6eddaed0ea957f7cf20ef5995c47567fe176cbd0ea19bccae
    • Instruction ID: c6c15dd740b0432d6d32ba622311d6237db9242b5d9217ec3522b5d1f06e7996
    • Opcode Fuzzy Hash: ff915995972932a6eddaed0ea957f7cf20ef5995c47567fe176cbd0ea19bccae
    • Instruction Fuzzy Hash: 15F03035914205DFD728EF19E8427A977E0BB94701F40087FE5D947390DB746988CB8A
    Function 004F3A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004F3A27
    • std::locale::_Init.LIBCPMT ref: 004F3A48
      • Part of subcall function 004F369A: __EH_prolog3.LIBCMT ref: 004F36A1
      • Part of subcall function 004F369A: std::_Lockit::_Lockit.LIBCPMT ref: 004F36AC
      • Part of subcall function 004F369A: std::locale::_Setgloballocale.LIBCPMT ref: 004F36C7
      • Part of subcall function 004F369A: _Yarn.LIBCPMT ref: 004F36DD
      • Part of subcall function 004F369A: std::_Lockit::~_Lockit.LIBCPMT ref: 004F371D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3235692029.00000000004EE000.00000004.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000000.00000002.3235638100.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235654169.00000000004C1000.00000020.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235676527.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235742736.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235757154.00000000005B5000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.3235769472.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
    • String ID: gRB
    • API String ID: 3152668004-2726697949
    • Opcode ID: 6379a8a037087f08d6e289ffdf4a874cfc4f3d5eaffd94999f4a30d221e1aac3
    • Instruction ID: 1336acd993eca032d1c5a82056fd9cac8da6a8b8f0724ff65aa27397fc3eabdd
    • Opcode Fuzzy Hash: 6379a8a037087f08d6e289ffdf4a874cfc4f3d5eaffd94999f4a30d221e1aac3
    • Instruction Fuzzy Hash: EFE0D832A05A15A7D3106F5A510233DB281AF40715F55501FF7019B3C1CFFC4D00478D

    Non-executed Functions

    Function 004DCDA4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004DCEB0
    • IsValidCodePage.KERNEL32(00000000), ref: 004DCEF9
    • IsValidLocale.KERNEL32(?,00000001), ref: 004DCF08
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004DCF50
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004DCF6F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
    • String ID: `uN
    • API String ID: 415426439-1958408982
    • Opcode ID: 4136ec0ffed96aadd48030be4d299f4c56ee55b6273004dca2a27f35fd73d41f
    • Instruction ID: ab3995da11208ec982ff8b46df53e018dee085eaacc29865cbe77a5f666ca41c
    • Opcode Fuzzy Hash: 4136ec0ffed96aadd48030be4d299f4c56ee55b6273004dca2a27f35fd73d41f
    • Instruction Fuzzy Hash: 08517FB2A00206ABDF10DFA5CCD1ABF77B9AF04701F14456BE504EB391E7789A04CB69
    Function 004DC440 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004D5215: GetLastError.KERNEL32(?,00000000,004CFB7F,?,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D5219
      • Part of subcall function 004D5215: SetLastError.KERNEL32(00000000,?,?,?,00000003,004CC27B,?,?,?,?,00000000), ref: 004D52BB
    • GetACP.KERNEL32(?,?,?,?,?,?,004D1773,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004DC501
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004D1773,?,?,?,00000055,?,-00000050,?,?), ref: 004DC52C
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004DC68F
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLast$CodeInfoLocalePageValid
    • String ID: `uN$utf8
    • API String ID: 607553120-506889755
    • Opcode ID: 40ae614af944a7c5fd5864c8ef2d98dbad0911e66e79a14ac830152f60e99aba
    • Instruction ID: e10c6afdb8d472600e3057e28e639eeebca04d95dc7a0143f9f5e6de6bc069a7
    • Opcode Fuzzy Hash: 40ae614af944a7c5fd5864c8ef2d98dbad0911e66e79a14ac830152f60e99aba
    • Instruction Fuzzy Hash: 3671E271A00207AAD724AB76CCA6BBB73A8EF05714F14442BF505DB381EA79ED40C66D
    Function 004DCBCF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,004DCEED,00000002,00000000,?,?,?,004DCEED,?,00000000), ref: 004DCC68
    • GetLocaleInfoW.KERNEL32(?,20001004,004DCEED,00000002,00000000,?,?,?,004DCEED,?,00000000), ref: 004DCC91
    • GetACP.KERNEL32(?,?,004DCEED,?,00000000), ref: 004DCCA6
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 90078d3225666d6893302c9b37df74223b3f17fa29b9321d729125372d092dea
    • Instruction ID: f296d936602206417e0987f30810f53e2223810d259bb9dba5a9a94164e8b692
    • Opcode Fuzzy Hash: 90078d3225666d6893302c9b37df74223b3f17fa29b9321d729125372d092dea
    • Instruction Fuzzy Hash: B621CB32720102A6DB348F25C9A5A97B3A6EF50F61B568467E70ED7304E736DE41C35C
    Function 004D4023 Relevance: 6.3, APIs: 4, Instructions: 337COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
    • Instruction ID: a16a4b82de38bc13296bbb2843f4eb647f8d769884c50436b4152a7a34eefb0e
    • Opcode Fuzzy Hash: 17a8af3533a897e6e906cec53c923a3a22616cf0740b16545c45100316cc9468
    • Instruction Fuzzy Hash: 61B15932A002859FDB15CF68C8A17FFBBE5EF95344F1581ABE804AB341D2389D01C769
    Function 004C75D8 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004C75E4
    • IsDebuggerPresent.KERNEL32 ref: 004C76B0
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004C76C9
    • UnhandledExceptionFilter.KERNEL32(?), ref: 004C76D3
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: cc7343ddf99e75bdd7de30d84addadc0c0c9b906c1a45485dec29e488c02ec7d
    • Instruction ID: 31f8bddbacdf0e0be1122fd933de58efb82dfb38cd216efd3957938e8f53d13e
    • Opcode Fuzzy Hash: cc7343ddf99e75bdd7de30d84addadc0c0c9b906c1a45485dec29e488c02ec7d
    • Instruction Fuzzy Hash: 7C310779D052589BDB61DF64D989BCDBBB8BF08304F1041AAE40CAB250EB749B848F48
    Function 004C1CD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004C3348: __EH_prolog3_catch.LIBCMT ref: 004C334F
    • _Deallocate.LIBCONCRT ref: 004C1EAD
    • _Deallocate.LIBCONCRT ref: 004C1EFA
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Deallocate$H_prolog3_catch
    • String ID: Current val: %d
    • API String ID: 1212816977-1825967858
    • Opcode ID: 0c5ece480e667c3aade1e7a2071629e511f587d41bc5a7464e326e17ed6afd97
    • Instruction ID: 290b1c11bd000a2843c6c844fa62112e16a5d9c403b9d44406169b4627206d3f
    • Opcode Fuzzy Hash: 0c5ece480e667c3aade1e7a2071629e511f587d41bc5a7464e326e17ed6afd97
    • Instruction Fuzzy Hash: 4C61DE7651C3818FC350DF2AD480A6BFBE0AFC9714F144A2EF9D593252D739E9048B9A
    Function 004C38EF Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C38F6
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C3900
    • int.LIBCPMT ref: 004C3917
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • codecvt.LIBCPMT ref: 004C393A
    • std::_Facet_Register.LIBCPMT ref: 004C3951
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C3971
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C397E
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
    • String ID: O[
    • API String ID: 2133458128-1280590916
    • Opcode ID: 6d88e42c7a09896f35e96b7c4740e55817413cb387bc3717f3b5c62899afd113
    • Instruction ID: 0ef3de9ee907dfa1819455a810f662bd999492c43cb25d8419a0a09ee137b4f7
    • Opcode Fuzzy Hash: 6d88e42c7a09896f35e96b7c4740e55817413cb387bc3717f3b5c62899afd113
    • Instruction Fuzzy Hash: 7E01E1799001199BCB90EFA5C841FBE7771AF84726F14840FF4116B3A2CB78AE01CB88
    Function 004D768F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3907804496
    • Opcode ID: 75f8db5692d6d32213a861d6597d5b5989ce04d401f4f97b81a88f5f61dea488
    • Instruction ID: 1a98b4844ae0108cac7eef90246f0306295ac8079451f0927fb698838c8008e2
    • Opcode Fuzzy Hash: 75f8db5692d6d32213a861d6597d5b5989ce04d401f4f97b81a88f5f61dea488
    • Instruction Fuzzy Hash: E8B139B5E08205EFDB01DFA9C8A1BAE7BB1AF45314F14419BE40067391E7789E46CF29
    Function 004C5019 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C5020
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C502A
    • int.LIBCPMT ref: 004C5041
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C507B
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C509B
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C50A8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
    • String ID: <O[
    • API String ID: 55977855-1499995728
    • Opcode ID: a54284937665cc8ebb35aa83882acfc992958f5527ed38e600be172a067c2588
    • Instruction ID: a723adfbd55a5833b14b588e7a98e11e09915f0fde11a5082b96902081152ddb
    • Opcode Fuzzy Hash: a54284937665cc8ebb35aa83882acfc992958f5527ed38e600be172a067c2588
    • Instruction Fuzzy Hash: 9A11E139910618ABCB95EF66C805BAE77F4BF84325F50450FE401A7392DB78BE458B88
    Function 004C3155 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C3161
    • int.LIBCPMT ref: 004C3174
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C31A7
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C31BD
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C31C8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID: DO[$pO[
    • API String ID: 2081738530-1813791736
    • Opcode ID: 86569a7a134f25fcfb986a2c94a421c4b17fbb95ce0c36c7f1ccb38182bb35f2
    • Instruction ID: f43b4d970b1d6a33a524819e581f5154951aef797a2443a49eae6758687d3567
    • Opcode Fuzzy Hash: 86569a7a134f25fcfb986a2c94a421c4b17fbb95ce0c36c7f1ccb38182bb35f2
    • Instruction Fuzzy Hash: 7401243A500114BFCB54AF51D805EEE77A8EF81728B14464EF80257392EF38AF01C788
    Function 004CA278 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMON
    Download Yara Rule
    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 004CA397
    • ___TypeMatch.LIBVCRUNTIME ref: 004CA4A5
    • CallUnexpected.LIBVCRUNTIME ref: 004CA612
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CallMatchTypeUnexpectedtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 1206542248-393685449
    • Opcode ID: bd084257eb1abc2b7bf058a13017993e4ea80041defd002e1bc622ecf5c51fb8
    • Instruction ID: f3d325c2e5bfb8f6c2ba4a50cd6a363858344b7d3b86c2090f375d4f405ed108
    • Opcode Fuzzy Hash: bd084257eb1abc2b7bf058a13017993e4ea80041defd002e1bc622ecf5c51fb8
    • Instruction Fuzzy Hash: E7B1897980020DEFCF55DF95C885EAEBBB5AF04308B14805FE8006B252D739DE61CB9A
    Function 004D35FF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON
    Download Yara Rule
    APIs
    • FreeLibrary.KERNEL32(00000000,?,004D370C,?,?,00000000,00000000,?,?,004D38BA,00000021,FlsSetValue,004E69C8,004E69D0,00000000), ref: 004D36C0
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-$ext-ms-
    • API String ID: 3664257935-537541572
    • Opcode ID: d6700ce3e451b604a4867f0e0fe22b7f03929138ff27007eda637ce6f1d88459
    • Instruction ID: 72d3798394d2c05a770bc98a5774bd461ebc9500fded15b62475ffdf1ac3ec19
    • Opcode Fuzzy Hash: d6700ce3e451b604a4867f0e0fe22b7f03929138ff27007eda637ce6f1d88459
    • Instruction Fuzzy Hash: 0021D531A01210BBCB319F219C68A5B3768AB41766F290627F915AB391D778EF01C6DA
    Function 004C25C5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C25D1
    • int.LIBCPMT ref: 004C25E4
      • Part of subcall function 004C16DA: std::_Lockit::_Lockit.LIBCPMT ref: 004C16EB
      • Part of subcall function 004C16DA: std::_Lockit::~_Lockit.LIBCPMT ref: 004C1705
    • std::_Facet_Register.LIBCPMT ref: 004C2617
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C262D
    • Concurrency::cancel_current_task.LIBCPMT ref: 004C2638
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
    • String ID: HO[
    • API String ID: 2081738530-177266396
    • Opcode ID: fbe851eac835b5899b5643f104823385747e5965bc840aa45ce505b18409e63d
    • Instruction ID: f4db926c12eec6af5535d89e0c4bdb0ae8e98fe8526e8fd0518bedefe8cd6d6d
    • Opcode Fuzzy Hash: fbe851eac835b5899b5643f104823385747e5965bc840aa45ce505b18409e63d
    • Instruction Fuzzy Hash: 3C01D43A600114BBCB55AB65C905EEE7768DF85724F11424FF802573A1EBB8AF028798
    Function 004C6751 Relevance: 9.2, APIs: 6, Instructions: 175COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004C679A
    • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004C6805
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C6822
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004C6861
    • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004C68C0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004C68E3
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ByteCharMultiStringWide
    • String ID:
    • API String ID: 2829165498-0
    • Opcode ID: 2781e9fcd670cc6f8c8640b8c949cf1656b92106863f7af17978584bb00a2e8a
    • Instruction ID: 6ead63d353c8ccd2243a5c0d5c157cc15e285738e4b881732e1e23d63ef8307c
    • Opcode Fuzzy Hash: 2781e9fcd670cc6f8c8640b8c949cf1656b92106863f7af17978584bb00a2e8a
    • Instruction Fuzzy Hash: B351D07A50120AABDF60AF55CC44FAB7BA9EF44754F16842EF905A6250DB39CD00CB68
    Function 004C9F0A Relevance: 9.1, APIs: 6, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,?,004C9F01,004C80FB,004C77B5), ref: 004C9F18
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004C9F26
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004C9F3F
    • SetLastError.KERNEL32(00000000,004C9F01,004C80FB,004C77B5), ref: 004C9F91
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 6049e0c36028fe846bff13b38c7cdc6490d067ce3ed2ca417a36132e90f88bfb
    • Instruction ID: 9f62e71f915faba16f617a64bbd84968c2bf2251352954619ec8f63695d7da83
    • Opcode Fuzzy Hash: 6049e0c36028fe846bff13b38c7cdc6490d067ce3ed2ca417a36132e90f88bfb
    • Instruction Fuzzy Hash: DB01D83A20C361BEA7A42A767CCEF672745FB01778724023FF1108A1E6EF5A4D01518D
    Function 004D0E7B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,004E2025,000000FF,?,004D0E0B,004D0F3B,?,004D0DDF,00000000), ref: 004D0EB0
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,004E2025,000000FF,?,004D0E0B,004D0F3B,?,004D0DDF,00000000), ref: 004D0EC2
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,004E2025,000000FF,?,004D0E0B,004D0F3B,?,004D0DDF,00000000), ref: 004D0EE4
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: cfec1d245605b13d0896357a7a08d5c79a46e2d403c6255aedd0482c24b7bdd2
    • Instruction ID: 407de137f6f97285b02752e8bb5b6401058dc16e098bd96e2275aa5b0853b115
    • Opcode Fuzzy Hash: cfec1d245605b13d0896357a7a08d5c79a46e2d403c6255aedd0482c24b7bdd2
    • Instruction Fuzzy Hash: 4E01A731500659EFDB128F41DC49BAFBBB8FB04722F00052BE811A7391EB789900CA58
    Function 004C4D9C Relevance: 7.5, APIs: 5, Instructions: 44COMMON
    Download Yara Rule
    APIs
    • __EH_prolog3.LIBCMT ref: 004C4DA3
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C4DAE
    • std::_Lockit::~_Lockit.LIBCPMT ref: 004C4E1C
      • Part of subcall function 004C4EFF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004C4F17
    • std::locale::_Setgloballocale.LIBCPMT ref: 004C4DC9
    • _Yarn.LIBCPMT ref: 004C4DDF
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
    • String ID:
    • API String ID: 1088826258-0
    • Opcode ID: b3ab9adf7c49731727f0eaf465a1c5c043ab6a3c9a20d69b366f41cc45e0b8af
    • Instruction ID: 4518d22efc48399e02261a07613934fa03bd37a4f325e900abf7cb4e1bd4e9b5
    • Opcode Fuzzy Hash: b3ab9adf7c49731727f0eaf465a1c5c043ab6a3c9a20d69b366f41cc45e0b8af
    • Instruction Fuzzy Hash: 20019A79A001909BCB46EF61D995A7D77A1BB84315B16800FE81217392CB3C6E06DB89
    Function 004D6888 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON
    Download Yara Rule
    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D6A20
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D6A33
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: ^hM$^hM
    • API String ID: 885266447-1182382858
    • Opcode ID: 45b46c6b2c2186212d6ff6c47f8f5ca8bfd23470a37298ba18f8160f25da4a9b
    • Instruction ID: 011d7d848b220e993517c8d16e6758193a646962e2b5a5d96f27b63fc37fc775
    • Opcode Fuzzy Hash: 45b46c6b2c2186212d6ff6c47f8f5ca8bfd23470a37298ba18f8160f25da4a9b
    • Instruction Fuzzy Hash: C55191B1A00148AFCF14CF99C8A1AAEBBB2EF49350F15815BE895A7351D339ED42CF54
    Function 004C28E9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 126COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3_catch_strlen
    • String ID: input string: $xN[
    • API String ID: 3133806014-4158660745
    • Opcode ID: 8d9fe5703f8e829ccf08b5ec7fd768545cff65b4d1467ccb19f041f2ba01df28
    • Instruction ID: 530fdb0df99ebb75456f6fe3a2f747d05f297172d9beb560d3abb8f6af535347
    • Opcode Fuzzy Hash: 8d9fe5703f8e829ccf08b5ec7fd768545cff65b4d1467ccb19f041f2ba01df28
    • Instruction Fuzzy Hash: 7F41B579B002008FCBA0DB69CAC0E6D77B1BB48734F29424FE415A73A2C6F5AC41CB59
    Function 004CB052 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004CB003,00000000,?,005B54C4,?,?,?,004CB1A6,00000004,InitializeCriticalSectionEx,004E4C70,InitializeCriticalSectionEx), ref: 004CB05F
    • GetLastError.KERNEL32(?,004CB003,00000000,?,005B54C4,?,?,?,004CB1A6,00000004,InitializeCriticalSectionEx,004E4C70,InitializeCriticalSectionEx,00000000,?,004CAF5D), ref: 004CB069
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004CB091
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: 3b4bed5e43fbb8e18260c01669b98aa2e4aa05eadd58102deb05afa84dec4115
    • Instruction ID: 3fa1d5d944ec88fda4182c2850afaa244d7e92f9c382a351ba988cfd133321b0
    • Opcode Fuzzy Hash: 3b4bed5e43fbb8e18260c01669b98aa2e4aa05eadd58102deb05afa84dec4115
    • Instruction Fuzzy Hash: 70E01274640344B7DB211F72EC4AF1A3A54AB40B55F144076FA0CAD1E1D7659A5085CC
    Function 004D582E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON
    Download Yara Rule
    APIs
    • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 004D5891
      • Part of subcall function 004D98E5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004D89AA,?,00000000,-00000008), ref: 004D9991
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004D5AEC
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004D5B34
    • GetLastError.KERNEL32 ref: 004D5BD7
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
    • String ID:
    • API String ID: 2112829910-0
    • Opcode ID: 376bea2b079986c3fd21da8065f4e56178424d44a7a334b16c85a8fc1e156455
    • Instruction ID: 8d9c77296adcd51c308c30d7adce332801e7059f6727de08bae5cc0b719456b0
    • Opcode Fuzzy Hash: 376bea2b079986c3fd21da8065f4e56178424d44a7a334b16c85a8fc1e156455
    • Instruction Fuzzy Hash: A8D18CB5D006589FCB05CFA8C890AADBBB5FF09314F28416BE456E7341EB34A946CF54
    Function 004CA021 Relevance: 6.2, APIs: 4, Instructions: 168COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: b07fb726297c6d7aa63ecfb1a985e229bcfc2ebf46f8a60382e72262c784082d
    • Instruction ID: f8a42183039e9f6e8ad5a29d6db9ca25d05c471e2c1f0b9d6a7e39d5156b8a7b
    • Opcode Fuzzy Hash: b07fb726297c6d7aa63ecfb1a985e229bcfc2ebf46f8a60382e72262c784082d
    • Instruction Fuzzy Hash: 4551E37960120AAFDB698F56C841F7A77A4EF00718F18412FE84147391DB39AC61DB9A
    Function 004E0616 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
    Download Yara Rule
    APIs
    • WriteConso.KERNEL32(00000000,00000000,?,00000000,00000000,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000), ref: 004E062D
    • GetLastError.KERNEL32(?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?,?,?,004D61B2,00000000), ref: 004E0639
      • Part of subcall function 004E05FF: CloseHandle.KERNEL32(FFFFFFFE,004E0649,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?,?), ref: 004E060F
    • ___initconout.LIBCMT ref: 004E0649
      • Part of subcall function 004E05C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004E05F0,004DF036,?,?,004D5C2B,?,00000000,00000000,?), ref: 004E05D4
    • WriteConso.KERNEL32(00000000,00000000,?,00000000,?,004DF049,00000000,00000001,00000000,?,?,004D5C2B,?,00000000,00000000,?), ref: 004E065E
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: ConsoWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 1327366883-0
    • Opcode ID: 6ff8b9b6e930565a6bb9a9dfd0105c9818d80cd778a287d3665571bfa8dcf1a3
    • Instruction ID: 93934a9356787c62b20f84325b131c10896ce8c0f73639908e311d7458e7f49d
    • Opcode Fuzzy Hash: 6ff8b9b6e930565a6bb9a9dfd0105c9818d80cd778a287d3665571bfa8dcf1a3
    • Instruction Fuzzy Hash: E0F03736400199BBCF125F97EC48E8A3F65FF48362B044569F9199A131C6718A60DF98
    Function 004C263E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: H_prolog3_catch_strlen
    • String ID: pO[
    • API String ID: 3133806014-552102644
    • Opcode ID: 3e8597b8314083715665bcefcdd1caccbcb09d2d4b06288dd44d082b74bdf497
    • Instruction ID: cb0539e37111b0a531ff75cf1df551e198b85516c1fafe135bf601d745433259
    • Opcode Fuzzy Hash: 3e8597b8314083715665bcefcdd1caccbcb09d2d4b06288dd44d082b74bdf497
    • Instruction Fuzzy Hash: 57716078E012058FCB64DF99D980EADB7F1BF48314B24825EE415AB392D7B8AD42CF54
    Function 004C9D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON
    Download Yara Rule
    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 004C9D4F
    • __IsNonwritableInCurrentImage.LIBCMT ref: 004C9E03
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 427bb8b9c59822d2145f1adf9cd135c67b1e5b617d440f5eee92f3a9aa7a84f5
    • Instruction ID: 5a6075f1bb3929a43a19bd17cde543692e1711d423893af617633a9855f86066
    • Opcode Fuzzy Hash: 427bb8b9c59822d2145f1adf9cd135c67b1e5b617d440f5eee92f3a9aa7a84f5
    • Instruction Fuzzy Hash: 4941C638A00218ABCF50DF59C888F9EBBB1AF45318F14815FE8156B392D7399E11CB95
    Function 004CA61D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON
    Download Yara Rule
    APIs
    • EncodePointer.KERNEL32(00000000,?), ref: 004CA642
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 45d56c5c9a639abef8bb38956ac9f455838d8e473b16656e60d6e2e8d98527d2
    • Instruction ID: 877cc43cdc847d85da4bf6c1fdace910be984000e653ca669e3fc15e4d46042a
    • Opcode Fuzzy Hash: 45d56c5c9a639abef8bb38956ac9f455838d8e473b16656e60d6e2e8d98527d2
    • Instruction Fuzzy Hash: 1641473590020DAFCF16CF98CD85FAEBBB5BF48308F19405EF90466251D7399960DB5A
    Function 004C693B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004C72E3
    • ___raise_securityfailure.LIBCMT ref: 004C73CB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: `Q[
    • API String ID: 3761405300-3901748827
    • Opcode ID: 09228daee5f0710627490194a0cd5330037726245915be5a6ad9e31a7db4cb2c
    • Instruction ID: cc20897adb86d7c0ebbd48e76711b00a73fe05f3e8181254e79fa2449b2609e9
    • Opcode Fuzzy Hash: 09228daee5f0710627490194a0cd5330037726245915be5a6ad9e31a7db4cb2c
    • Instruction Fuzzy Hash: E52125B8502B009BD799DF29F985704BBA4FB68300F54422AE5049B3B1F3B46989EF49
    Function 004C73E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON
    Download Yara Rule
    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004C73EB
    • ___raise_securityfailure.LIBCMT ref: 004C74A8
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: FeaturePresentProcessor___raise_securityfailure
    • String ID: `Q[
    • API String ID: 3761405300-3901748827
    • Opcode ID: 1ba1338820687ad6800a1742a3ee74ea73f9eb03fcb4ff23fecaf11688f66fa7
    • Instruction ID: 6956842c869adc949f369f0e500d65e3bb2b7acb5701eb83606abc6077522c09
    • Opcode Fuzzy Hash: 1ba1338820687ad6800a1742a3ee74ea73f9eb03fcb4ff23fecaf11688f66fa7
    • Instruction Fuzzy Hash: BC11C3B8516B449BDB8ADF29F981744BBA4FB68300B04535AE9089B370F370694DEF45
    Function 004C1605 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON
    Download Yara Rule
    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 004C160C
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004C1644
      • Part of subcall function 004C4E9A: _Yarn.LIBCPMT ref: 004C4EB9
      • Part of subcall function 004C4E9A: _Yarn.LIBCPMT ref: 004C4EDD
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.2066068405.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
    • Associated: 00000002.00000002.2066041307.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066112606.00000000004E3000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066133134.00000000004EE000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000002.00000002.2066199717.00000000005B6000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_4c0000_aO1TcEaxfW.jbxd
    Similarity
    • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
    • String ID: bad locale name
    • API String ID: 1908188788-1405518554
    • Opcode ID: f05da5a036d7ccd16b7466ff5816ad52d35535dece5a10e40359ffd68c79ca9f
    • Instruction ID: 84514c555865795cd5b8bde9f2ca37c0846846fc85f46d95b794e10b63ab47ca
    • Opcode Fuzzy Hash: f05da5a036d7ccd16b7466ff5816ad52d35535dece5a10e40359ffd68c79ca9f
    • Instruction Fuzzy Hash: 72F017B5506B909E83709FBB8581947FBE4BE29311394CA2FE1DEC3A11D734A504CB6E