Windows Analysis Report
oAnb4ULQxP.exe

Overview

General Information

Sample name: oAnb4ULQxP.exe (renamed because original name is a hash value)
Original sample name: F32E537683D968304CA7C5BE6A0A22C8.exe
Analysis ID: 1579463
MD5: f32e537683d968304ca7c5be6a0a22c8
SHA1: 535583ce14bc0ecc2c2f46344ff1c3cc76740211
SHA256: 852a008d3c6ce0c868ebc9e48cce189afb4abee4609dc1f3c05256adc212d865
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • oAnb4ULQxP.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\oAnb4ULQxP.exe" MD5: F32E537683D968304CA7C5BE6A0A22C8)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "104.236.39.42", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "NLzwJdZ9VJQw", "Autorun": "false", "Group": "null"}
Source: oAnb4ULQxP.exe | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown
  • 0x1a0d1b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x1a42b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown
  • 0xcd1b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x102b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000000.00000000.2131796263.0000000000356000.00000080.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Donutloader_f40e3759 | Description: unknown | Author: unknown
  • 0xcd1b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x102b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x98fb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xac38:$a2: Stub.exe
  • 0xacc8:$a2: Stub.exe
  • 0x66ff:$a3: get_ActivatePong
  • 0x9b13:$a4: vmware
  • 0x998b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x745a:$a6: get_SslClient
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x7afb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48ff:$a3: get_ActivatePong
  • 0x7d13:$a4: vmware
  • 0x7b8b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x565a:$a6: get_SslClient
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x7b8d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: oAnb4ULQxP.exe | Avira: detected
Source: 00000000.00000002.3386311029.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "104.236.39.42", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "NLzwJdZ9VJQw", "Autorun": "false", "Group": "null"}
Source: oAnb4ULQxP.exe | ReversingLabs: Detection: 44%
Source: oAnb4ULQxP.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: oAnb4ULQxP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: oAnb4ULQxP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\s\x64\Release\ZoomIt64.pdbH source: oAnb4ULQxP.exe
Source: Binary string: D:\a\1\s\Win32\Release\ZoomIt.pdbK source: oAnb4ULQxP.exe
Source: Binary string: D:\a\1\s\Win32\Release\ZoomIt.pdb source: oAnb4ULQxP.exe
Source: Binary string: D:\a\1\s\x64\Release\ZoomIt64.pdb source: oAnb4ULQxP.exe
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00225B77 FindFirstFileExW
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00206FD9 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx

Networking

Source: Yara match | File source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 104.236.39.42:8808
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.39.42 (23 occurrences)
Source: oAnb4ULQxP.exe | String found in binary or memory: http://schemas.microsof
Source: oAnb4ULQxP.exe | String found in binary or memory: https://www.sysinternals.com
Source: oAnb4ULQxP.exe | String found in binary or memory: https://www.sysinternals.com0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D92C0 SetWindowsHookExW 0000000D,001D63E0,00000000
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D9210 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalFree,CloseClipboard,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D7470 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001EC51F DeleteObject,DeleteDC,GdipAlloc,GdipCreateBitmapFromFile,GdipCreateHBITMAPFromBitmap,GetLastError,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateSolidBrush,FillRect,AlphaBlend,SelectObject,DeleteDC,DeleteObject,ReleaseDC,CreateCompatibleDC,SelectObject,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateBitmap,SelectObject,SelectObject,SetTextColor,SetBkMode,SelectObject,SendMessageW,SetTimer,BringWindowToTop,SetForegroundWindow,SetActiveWindow,SetWindowPos
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001E9ED0 GetClientRect,SetWindowPos,CreateWindowExW,ShowWindow,InvalidateRect,SetForegroundWindow,SetTimer,GetDC,GetCursorPos,GetCursorPos,SetWindowPos,UpdateWindow,RegisterHotKey,RegisterHotKey,RegisterHotKey,GetCursorPos,SetCursorPos,SendMessageW,SetTimer,KillTimer,KillTimer,KillTimer,SetTimer,DestroyWindow,UnregisterHotKey,UnregisterHotKey,UnregisterHotKey,GetAsyncKeyState,GetAsyncKeyState,SendMessageW,KillTimer,IsWindowVisible,DestroyWindow,InvalidateRect,GetCursorPos,SetWindowPos,GetTickCount,ShowWindow,InvalidateRect,ShowWindow,DefWindowProcW,GetWindowLongW,SetWindowLongW,InvalidateRect,RedrawWindow
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001F36C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SetMessageExtraInfo,SendMessageW

System Summary

Source: oAnb4ULQxP.exe, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.oAnb4ULQxP.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0.2.oAnb4ULQxP.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000000.2131796263.0000000000356000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00216000
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_003630D3
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_0022817F
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00202140
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001C11D7
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_0036526F
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_0021125B
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001E8290
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001C22C0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D0340
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00364397
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001FE5B0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D8690
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_002006F0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_003647CF
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001CE810
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001CE840
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_0021085C
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_0021D8D9
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D78E0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00229916
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D6990
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00367AC7
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00210B9E
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001E4C10
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00209C40
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001F0D60
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001CFE00
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001E8E40
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001E9ED0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00210EFD
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001D1F30
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00213FCA
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00363FC7
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: String function: 002088B0 appears 53 times
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: String function: 001CB8D0 appears 35 times
Source: oAnb4ULQxP.exe | Static PE information: Resource name: BINRES type: PE32+ executable (GUI) x86-64, for MS Windows
Source: oAnb4ULQxP.exe | Binary or memory string: OriginalFilename vs oAnb4ULQxP.exe
Source: oAnb4ULQxP.exe, 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZoomIt.exeH vs oAnb4ULQxP.exe
Source: oAnb4ULQxP.exe, 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs oAnb4ULQxP.exe
Source: oAnb4ULQxP.exe | Binary or memory string: OriginalFilenameZoomIt.exeH vs oAnb4ULQxP.exe
Source: oAnb4ULQxP.exe, type: SAMPLE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.oAnb4ULQxP.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.oAnb4ULQxP.exe.1c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000000.2131796263.0000000000356000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, Settings.cs | Base64 encoded string: 'ywODZf305wWXdAZWhT9HiHVvJUbegV+c8pfaDsV5zHUrGVbCWHK5Oc0pZMncSOyNAaywUaaOZFqLm0346YwaDg==', 'zvwyge4m4aTtV6KENeAXTLml5RnI5h2+/F3gC1dGzwncBzrlg+WGoNGY99nLtW+ycksKaSBUX66r/rJbnnGAUg==', '…', 'r85rHPhchJiLNCmS/crTi5FckEdxlrDO5T0Q4QuLKwvW1mMbhLPdJIip3aK3zqmVM72xAQjSYeF7hmv1Wvx3cw==', 'KfSIJNY7/lFwhCcig+Ed65j8ToCy12/TpxSa/5yAQxxHoKlrv3hxbmCJVsvuG2T3sDrHq68ULz3yeDYJ8F3PYQ==', 'VpWsh4IaTeCNJmNS0HPoXNJtZN5eV2icjVTK5qcUZSXPKO4ptAQbswJMTrUgkmgigytBADJo0FPDXTrbnheWrg=='
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001DE210 CoCreateInstance
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_001F3300 GetModuleFileNameW,_wcsrchr,ExpandEnvironmentStringsW,_wcsrchr,FindResourceW,LoadResource,SizeofResource,LockResource,GetCommandLineW,ShellExecuteExW,GetLastError,DeleteFileW,GetFileAttributesW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,DeleteFileW
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Mutant created: \Sessions\1\BaseNamedObjects\NLzwJdZ9VJQw
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Command line argument: >" (0_2_0022EC90)
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: oAnb4ULQxP.exe | Static file information: File size 4703360 > 1048576
Source: oAnb4ULQxP.exe | Static PE information: Raw size of .codeex is bigger than: 0x100000 < 0x2e8480
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oAnb4ULQxP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oAnb4ULQxP.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oAnb4ULQxP.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oAnb4ULQxP.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oAnb4ULQxP.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oAnb4ULQxP.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_00200380 LoadLibraryW,GetProcAddress,GetErrorInfo,SimpleUString::operator=,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,SetErrorInfo
Source: oAnb4ULQxP.exe | Static PE information: real checksum: 0x19fa3e should be: 0x487d56
Source: oAnb4ULQxP.exe | Static PE information: section name: .codeex
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_002082ED push ecx; ret 0_2_00208300
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_029E53F9 push es; iretd 0_2_029E53FA
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_029E231A push eax; ret 0_2_029E2324
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_029E1181 push eax; ret 0_2_029E1195
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe | Code function: 0_2_029E0C66 push 0000003Eh; retn 0000h 0_2_029E0FC0

            Boot Survival

Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_001FDD00 RegCreateKeyExW,GetModuleFileNameW,RegSetValueExW,RegCloseKey,GetModuleHandleW,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateEventW,CreateEventW,CreateEventW,GetLastError,FindWindowW,FindWindowW,PostMessageW,FindWindowW,Sleep,SetForegroundWindow,SetWindowPos,GetVersion,LoadAcceleratorsW,CoInitialize,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,RegisterClassW,LoadCursorW,RegisterClassW,LoadCursorW,RegisterClassW,CreateWindowExW,ShowWindow,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,GetMessageW,0_2_001FDD00
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR
Source: oAnb4ULQxP.exe, oAnb4ULQxP.exe, 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; API coverage: 0.5 %
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_00225B77 FindFirstFileExW,0_2_00225B77
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_00206FD9 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00206FD9
Source: oAnb4ULQxP.exe, 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: vmware
Source: oAnb4ULQxP.exe, 00000000.00000002.3386784977.0000000004F70000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_001C22C0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,0_2_001C22C0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_00200380 LoadLibraryW,GetProcAddress,GetErrorInfo,SimpleUString::operator=,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,SetErrorInfo,0_2_00200380
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_001C713B SwitchToThread,SwitchToThread,SwitchToThread,GetProcessHeap,HeapFree,0_2_001C713B
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_002086AA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002086AA
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_002088F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002088F5
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_0020C9B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0020C9B3
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_002083DC cpuid 0_2_002083DC
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0022903E
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: EnumSystemLocalesW,0_2_00221641
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_002286C9
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: EnumSystemLocalesW,0_2_00228975
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: EnumSystemLocalesW,0_2_002289C0
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: EnumSystemLocalesW,0_2_00228A5B
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00228AE6
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoW,0_2_00221B50
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoW,0_2_00228D39
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00228E62
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoEx,FormatMessageA,0_2_00206EA1
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: GetLocaleInfoW,0_2_00228F68
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_002077E2 GetSystemTimeAsFileTime,0_2_002077E2
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Code function: 0_2_001CE030 GetVersionExW,LoadLibraryExW,SetLastError,0_2_001CE030
Source: C:\Users\user\Desktop\oAnb4ULQxP.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.oAnb4ULQxP.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: oAnb4ULQxP.exe PID: 7084, type: MEMORYSTR
ATT&CK matrix (tactic: techniques as listed in the report; the numeric prefixes are the counts shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 Native API; Cron; Launchd
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 121 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 121 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 25 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Screen Capture; 121 Input Capture; 1 Archive Collected Data; 3 Clipboard Data; Keylogging
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
oAnb4ULQxP.exe | 45% | ReversingLabs | Win32.Exploit.DonutMarte
oAnb4ULQxP.exe | 35% | Virustotal |
oAnb4ULQxP.exe | 100% | Avira | TR/Crypt.XPACK.Gen2
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.sysinternals.com | oAnb4ULQxP.exe | false | | unknown
http://schemas.microsof | oAnb4ULQxP.exe | false | | unknown
https://www.sysinternals.com0 | oAnb4ULQxP.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.236.39.42 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1579463
                  Start date and time:2024-12-22 14:11:08 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 39s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:oAnb4ULQxP.exe
                  renamed because original name is a hash value
                  Original Sample Name:F32E537683D968304CA7C5BE6A0A22C8.exe
                  Detection:MAL
                  Classification:mal96.troj.spyw.evad.winEXE@1/0@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 62%
                  • Number of executed functions: 14
                  • Number of non-executed functions: 198
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
104.236.39.42 | DpEHzbOOoB.exe | malicious | AsyncRAT
No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):3.025980140052925
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:oAnb4ULQxP.exe
                    File size:4'703'360 bytes
                    MD5:f32e537683d968304ca7c5be6a0a22c8
                    SHA1:535583ce14bc0ecc2c2f46344ff1c3cc76740211
                    SHA256:852a008d3c6ce0c868ebc9e48cce189afb4abee4609dc1f3c05256adc212d865
                    SHA512:2cc24cb737796953f99e407adb7eabd5f915ec40962b6fedd26ba4c7b4ac40c581932c4c7ef0ec8dc69e0967399153fb8514f98d84bb799a7e841515354b7eac
                    SSDEEP:49152:idMZdRuGZ2OY7SzJLJz6QijzJfLU5CBAWw:idOdRu6tOcJB6RlL2CBA
                    TLSH:47268EE776A04164E27E62324821463DAA377C2947B346CF5392BE7A2F325CD4D3A317
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.p...#...#...#.{."...#.{."...#.|."...#.|."...#.|."...#.{."...#.{."...#.{."...#...#7..#..."...#..."...#..Y#...#..."...#Rich...
                    Icon Hash:11e88eb2aab23d60
                    Entrypoint:0x4482e3
                    Entrypoint Section:.text
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x65C2DFAF [Wed Feb 7 01:41:03 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:f1edf524bfb066401b5d21f7db3203e0
Entrypoint instructions:
                        call 00007F5500C8F83Ch
                        jmp 00007F5500DDCCF8h
                        mov ecx, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], ecx
                        pop ecx
                        pop edi
                        pop edi
                        pop esi
                        pop ebx
                        mov esp, ebp
                        pop ebp
                        push ecx
                        ret
                        mov ecx, dword ptr [ebp-10h]
                        xor ecx, ebp
                        call 00007F5500C8E93Fh
                        jmp 00007F5500C8EFC2h
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [00493D64h]
                        xor eax, ebp
                        push eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [00493D64h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [00493D64h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], esp
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90894 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0xf0a20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x191600 | 0x2828 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18f000 | 0x6f48 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x86d70 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x86e00 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x86cb0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x74000 | 0x5d4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x72ad1 | 0x72c00 | 7daba9eb0444c5660e73db15c21bfbf0 | False | 0.5041530501089324 | data | 6.559565146924785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x74000 | 0x1e99c | 0x1ea00 | 0a06a5ada34c42cc1b75db009b372602 | False | 0.37778220663265305 | OpenPGP Public Key | 4.828588500153206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x93000 | 0xa7cc | 0x8000 | 69093efe7e60a17ffd268620d025f20a | False | 0.13385009765625 | data | 4.856869755269171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9e000 | 0xf0a20 | 0xf0c00 | c2b2ba0159cc293f90d29713e10668ce | False | 0.4224195628894081 | data | 6.304041804913394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18f000 | 0x6f48 | 0x7000 | 05ce64b84cb6db07effb81873d9040ff | False | 0.7158551897321429 | data | 6.666951146105629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.codeex | 0x196000 | 0x2e8480 | 0x2e8480 | cd008f521870ccab0e4575a91e4f88a1 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0xb6b68 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b70 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b40 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b38 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b30 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b48 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b60 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b50 | 0x2 | data | English | United States | 5.0
AFX_DIALOG_LAYOUT | 0xb6b58 | 0x2 | data | English | United States | 5.0
BINRES | 0xb6b78 | 0xd79b0 | PE32+ executable (GUI) x86-64, for MS Windows | English | United States | 0.44231248301476583
RT_CURSOR | 0x9e880 | 0x134 | data | English | United States | 0.12012987012987013
RT_ICON | 0x9e9d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.44148936170212766
RT_ICON | 0x9ee38 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.3114754098360656
RT_ICON | 0x9f7c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2633677298311445
RT_ICON | 0xa0868 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.17842323651452283
RT_ICON | 0xa2e10 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.13610061407652338
RT_ICON | 0xa7038 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States | 0.09375656926634433
RT_ICON | 0xb04e0 | 0x2bde | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9770258236865539
RT_DIALOG | 0xb37b0 | 0x508 | data | English | United States | 0.39906832298136646
RT_DIALOG | 0xb4e60 | 0x51a | data | English | United States | 0.4165390505359878
RT_DIALOG | 0xb60f0 | 0xa20 | data | English | United States | 0.3472222222222222
RT_DIALOG | 0xb4208 | 0x938 | data | English | United States | 0.338135593220339
RT_DIALOG | 0xb5578 | 0x3c8 | data | English | United States | 0.43078512396694213
RT_DIALOG | 0xb3458 | 0x358 | data | English | United States | 0.4766355140186916
RT_DIALOG | 0xb5940 | 0x5d2 | data | English | United States | 0.37986577181208053
RT_DIALOG | 0xb5f18 | 0x1d2 | data | English | United States | 0.5300429184549357
RT_DIALOG | 0xb4b40 | 0x31e | data | English | United States | 0.44110275689223055
RT_DIALOG | 0xb3cb8 | 0x54c | data | English | United States | 0.4033923303834808
RT_DIALOG | 0xb5380 | 0x1f4 | data | English | United States | 0.532
RT_ACCELERATOR | 0xb6b10 | 0x20 | data | English | United States | 1.03125
RT_GROUP_CURSOR | 0x9e9b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_ICON | 0xb30c0 | 0x68 | data | English | United States | 0.7788461538461539
RT_VERSION | 0xb3128 | 0x330 | data | English | United States | 0.4522058823529412
RT_MANIFEST | 0x18e528 | 0x4f1 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39209486166007906
                        DLL            Imports
                        WINMM.dll      PlaySoundW
                        gdiplus.dll    GdipFree, GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipGetImageEncodersSize, GdipFillEllipseI, GdipFillRectangleI, GdipDrawPath, GdipDrawEllipseI, GdipDrawRectangleI, GdipDrawLineI, GdipSetSmoothingMode, GdipDeleteGraphics, GdipCreateFromHDC, GdipBitmapApplyEffect, GdipBitmapGetPixel, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromHBITMAP, GdipCreateBitmapFromScan0, GdipCreateBitmapFromFile, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipSaveImageToFile, GdipDisposeImage, GdipCloneImage, GdipSetPenLineJoin, GdipSetPenLineCap197819, GdipDeletePen, GdipCreatePen1, GdipCreateSolidFill, GdipDeleteBrush, GdipCloneBrush, GdipAddPathLineI, GdipClosePathFigure, GdipStartPathFigure, GdipDeletePath, GdipCreatePath, GdipSetEffectParameters, GdipDeleteEffect, GdipCreateEffect, GdiplusShutdown
                        MSIMG32.dll    AlphaBlend
                        KERNEL32.dll   TlsFree, TlsSetValue, TlsGetValue, ExitProcess, GetConsoleCP, IsDebuggerPresent, DebugBreak, OutputDebugStringW, CloseHandle, GetLastError, SetLastError, HeapAlloc, HeapFree, GetProcessHeap, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, SetEvent, ResetEvent, ReleaseSemaphore, ReleaseMutex, WaitForSingleObject, WaitForSingleObjectEx, WaitForMultipleObjectsEx, OpenSemaphoreW, CreateMutexExW, CreateEventExW, CreateSemaphoreExW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameA, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FormatMessageW, GetVersionExW, LoadLibraryExW, GetStdHandle, GetCommandLineW, GetFileType, LocalAlloc, LocalFree, MulDiv, CompareFileTime, CreateFileW, GetFileTime, GlobalAlloc, GlobalSize, GlobalUnlock, GlobalLock, GlobalFree, ExpandEnvironmentStringsW, DeleteFileW, GetFileAttributesW, Beep, CreateEventW, Sleep, GetCurrentProcess, GetExitCodeProcess, GetCurrentThread, SetThreadPriority, GetVersion, GetTickCount, GetModuleFileNameW, LoadResource, LockResource, SizeofResource, FindResourceW, lstrcpynW, MultiByteToWideChar, CreateThread, TerminateProcess, GetStartupInfoW, ExitThread, UnhandledExceptionFilter, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, CloseThreadpoolWait, SetThreadpoolWait, CreateThreadpoolWait, GetSystemTimeAsFileTime, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, IsProcessorFeaturePresent, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWork, FreeLibraryWhenCallbackReturns, InitOnceComplete, InitOnceBeginInitialize, GetFileInformationByHandleEx, AreFileApisANSI, GetTempPathW, GetFileAttributesExW, FindNextFileW, FindFirstFileExW, FindFirstFileW, FindClose, GetLocaleInfoEx, GetStringTypeW, WideCharToMultiByte, FormatMessageA, SleepConditionVariableSRW, WakeAllConditionVariable, WakeConditionVariable, InitializeConditionVariable, TryAcquireSRWLockExclusive, QueryPerformanceFrequency, QueryPerformanceCounter, SwitchToThread, RaiseException, RtlUnwind, InterlockedPushEntrySList, InitializeCriticalSectionAndSpinCount, FreeLibraryAndExitThread, WriteFile, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, SetConsoleMode, ReadConsoleInputW, FreeLibrary, ReadConsoleW, GetFileSizeEx, TlsAlloc, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, ReadFile, HeapReAlloc, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, HeapSize, WriteConsoleW, SetEndOfFile, LoadLibraryW, TrySubmitThreadpoolCallback, SetUnhandledExceptionFilter, InitializeSListHead
                        USER32.dll     GetParent, GetDesktopWindow, SetRect, WindowFromPoint, MapWindowPoints, SetCursorPos, FindWindowW, MessageBoxW, GetWindowTextW, RedrawWindow, InvalidateRect, ReleaseDC, SetActiveWindow, UpdateWindow, LoadIconW, ChangeDisplaySettingsExW, EnumDisplaySettingsW, ShowCursor, SystemParametersInfoW, DrawTextW, TrackPopupMenu, InsertMenuW, DestroyMenu, CreatePopupMenu, TranslateAcceleratorW, LoadAcceleratorsW, KillTimer, SetTimer, GetAsyncKeyState, SetFocus, IsDlgButtonChecked, CheckDlgButton, GetDlgItemTextW, SetDlgItemTextW, DialogBoxParamW, CreateDialogParamW, BringWindowToTop, IsWindowVisible, PostMessageW, SetMessageExtraInfo, GetMessageExtraInfo, RegisterHotKey, RegisterWindowMessageW, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, GetClassNameW, GetForegroundWindow, SendInput, VkKeyScanW, GetKeyState, IsClipboardFormatAvailable, EmptyClipboard, GetClipboardData, SetClipboardData, GetClipboardSequenceNumber, CloseClipboard, OpenClipboard, PostQuitMessage, GetMonitorInfoW, MonitorFromPoint, GetCursorPos, GetDC, SetWindowLongW, GetWindowLongW, OffsetRect, FillRect, ClipCursor, GetClipCursor, GetWindowRect, GetClientRect, SetWindowRgn, EndPaint, BeginPaint, SetForegroundWindow, EnableWindow, ReleaseCapture, SetCapture, GetCapture, SetWindowDisplayAffinity, SetWindowPos, MoveWindow, SetLayeredWindowAttributes, ShowWindow, DestroyWindow, CreateWindowExW, GetClassInfoW, RegisterClassW, DefWindowProcW, DispatchMessageW, TranslateMessage, GetMessageW, LoadCursorW, InflateRect, GetSysColorBrush, SetCursor, SetWindowTextW, GetDlgItem, EndDialog, DialogBoxIndirectParamW, SendMessageW, UnregisterHotKey
                        GDI32.dll      DeleteObject, CreateSolidBrush, CreateRectRgnIndirect, CombineRgn, EndPage, StartPage, GetStockObject, StartDocW, SetMapMode, GetDeviceCaps, GetObjectW, MoveToEx, Polygon, DeleteDC, BitBlt, CreateBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateDCW, CreateFontIndirectW, CreatePen, SetBkMode, StretchBlt, SetROP2, SetStretchBltMode, SetTextColor, EndDoc, CreateDIBSection, GetCurrentObject, Ellipse, LineTo, Rectangle, SelectObject
                        COMDLG32.dll   GetSaveFileNameW, GetOpenFileNameW, PrintDlgW, ChooseFontW
                        ADVAPI32.dll   RegDeleteValueW, RegCreateKeyExW, RegGetValueW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegOpenKeyW, RegCreateKeyW, RegCloseKey
                        SHELL32.dll    Shell_NotifyIconW, ShellExecuteExW, ShellExecuteW, SHGetKnownFolderItem
                        ole32.dll      CoGetApartmentType, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, CoGetObjectContext, CoCreateInstance, CoTaskMemFree, CoInitialize
                        OLEAUT32.dll   SetErrorInfo, GetErrorInfo, SysAllocString, SysFreeString, SysStringLen
                        Language of compilation system   Country where language is spoken   Map
                        English                          United States
                        Timestamp                          Source Port   Dest Port   Source IP       Dest IP
                        Dec 22, 2024 14:12:08.243618011 CET   49708   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:08.363292933 CET   8808    49708   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:08.363411903 CET   49708   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:08.386425972 CET   49708   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:08.505964041 CET   8808    49708   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:30.260057926 CET   8808    49708   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:30.260284901 CET   49708   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:35.299443007 CET   49708   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:35.299818993 CET   49771   6606    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:35.419028997 CET   8808    49708   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:35.419455051 CET   6606    49771   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:35.419548988 CET   49771   6606    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:35.419944048 CET   49771   6606    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:12:35.539604902 CET   6606    49771   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:57.323232889 CET   6606    49771   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:12:57.323354006 CET   49771   6606    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:02.336687088 CET   49771   6606    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:02.337167025 CET   49833   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:02.457079887 CET   6606    49771   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:02.457859993 CET   7707    49833   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:02.458101988 CET   49833   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:02.458498955 CET   49833   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:02.578260899 CET   7707    49833   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:24.351011038 CET   7707    49833   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:24.351118088 CET   49833   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:29.352291107 CET   49833   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:29.352679014 CET   49897   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:29.474224091 CET   7707    49833   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:29.474272013 CET   7707    49897   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:29.474355936 CET   49897   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:29.474755049 CET   49897   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:29.594980955 CET   7707    49897   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:51.371342897 CET   7707    49897   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:51.371439934 CET   49897   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:56.384074926 CET   49897   7707    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:56.384407043 CET   49960   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:56.503674030 CET   7707    49897   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:56.503959894 CET   8808    49960   104.236.39.42   192.168.2.6
                        Dec 22, 2024 14:13:56.504066944 CET   49960   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:56.504463911 CET   49960   8808    192.168.2.6     104.236.39.42
                        Dec 22, 2024 14:13:56.623944044 CET   8808    49960   104.236.39.42   192.168.2.6


                        Target ID:0
                        Start time:08:12:02
                        Start date:22/12/2024
                        Path:C:\Users\user\Desktop\oAnb4ULQxP.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\oAnb4ULQxP.exe"
                        Imagebase:0x1c0000
                        File size:4'703'360 bytes
                        MD5 hash:F32E537683D968304CA7C5BE6A0A22C8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000000.2131796263.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:false


                          Execution Graph

                          Execution Coverage:0.8%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:1.4%
                          Total number of Nodes:72
                          Total number of Limit Nodes:6

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00368745: LoadLibraryA.KERNELBASE(00000000,?,?), ref: 003687D7
                          • VirtualProtect.KERNELBASE(00000000,0000000C,00000040,?), ref: 00366582
                          • VirtualProtect.KERNELBASE(00000000,0000000C,?,?), ref: 003665B5
                          • VirtualProtect.KERNELBASE(00000000,0040145E,00000040,?), ref: 003665E8
                          • VirtualProtect.KERNELBASE(00000000,0040145E,?,?), ref: 00366612
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$LibraryLoad
                          • String ID:
                          • API String ID: 895956442-0
                          • Opcode ID: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
                          • Instruction ID: 3ee228f5423b23c6c3d0994b2bb7b9eef7310e67141b6a20fca6c41799a4b24f
                          • Opcode Fuzzy Hash: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
                          • Instruction Fuzzy Hash: E421D8B22043093FE312AE65DC46FB77AECDB45344F04443EFA46D6055EB69A9098275

                          Control-flow Graph

                          APIs
                          • LoadLibraryA.KERNELBASE(00000000,?,?), ref: 003687D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: .dll
                          • API String ID: 1029625771-2738580789
                          • Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                          • Instruction ID: ce03123844e255cdef05419650c3586b2c6945b8c279923b0fc1355f2679cac2
                          • Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
                          • Instruction Fuzzy Hash: FA21D6766042859FDB23DFB8C844B6ABBA4AF09324F29866DD8019BA45DF70EC45C790

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00368745: LoadLibraryA.KERNELBASE(00000000,?,?), ref: 003687D7
                          • VirtualProtect.KERNELBASE(00000000,00000004,00000040,?), ref: 0036665A
                          • VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 0036667D
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual$LibraryLoad
                          • String ID:
                          • API String ID: 895956442-0
                          • Opcode ID: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
                          • Instruction ID: e64a99a61cf498ad689a1e0fa6df78ebac5a432d9b3cbea09cd16d200f8c2f77
                          • Opcode Fuzzy Hash: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
                          • Instruction Fuzzy Hash: C6F081B61406047EE6129764DC46FFB36ECDF49650F014518FB06D6084FAA1AA0186B5

                          Control-flow Graph

                          APIs
                          • SysAllocString.OLEAUT32(?), ref: 003672B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocString
                          • String ID:
                          • API String ID: 2525500382-0
                          • Opcode ID: 3a71c02433a8139c968cc3f30c4dd14e73a6b67554079fc4c70d085402dfb9e4
                          • Instruction ID: dc2e0d91f3219bb17e9c5ae56cfed892125bd7eb698046ff32f8bc2d7eb06662
                          • Opcode Fuzzy Hash: 3a71c02433a8139c968cc3f30c4dd14e73a6b67554079fc4c70d085402dfb9e4
                          • Instruction Fuzzy Hash: D9615C71204206AFD725DF60C884FABB7E8BF49319F548669E949CB205EB30E905CFE1

                          Control-flow Graph

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00367411
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
                          • Instruction ID: e17507e773b4717fdc3161a0e29d0f6b3ee7b89fd0c4672e2493534d784050b8
                          • Opcode Fuzzy Hash: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
                          • Instruction Fuzzy Hash: ADB1E371108B02EBDB239F64CC81FABB7E8FF09318F518519F95986149EB31E950CBA1

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000000.00000002.3386242357.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: true
                          • Associated: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_29e0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b527a49ef7bf9214c79b5b0d88a1b35428bceaa443ebb9c0998936f8c7d96ada
                          • Instruction ID: 699974efa820445bbc080becd4c4f2399397a11c31b8ce6fac566a1a9a4fcd15
                          • Opcode Fuzzy Hash: b527a49ef7bf9214c79b5b0d88a1b35428bceaa443ebb9c0998936f8c7d96ada
                          • Instruction Fuzzy Hash: D741C074B042048FDB45DF69C458BAEBBF6EF89200F1484A9E505EB3A2CB74DC05CB90

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000000.00000002.3386242357.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: true
                          • Associated: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_29e0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4190175ff1ea0b4db55c494eda32ebfc1c55bd30e605f3ee5e28b05d976a0cd5
                          • Instruction ID: 640ab438d4d454bce1a79163dcb3623d870df4a0864d0b9bc02c9465cda2d96a
                          • Opcode Fuzzy Hash: 4190175ff1ea0b4db55c494eda32ebfc1c55bd30e605f3ee5e28b05d976a0cd5
                          • Instruction Fuzzy Hash: EA41AB75E00209AFCB44EBB9C44826EBFFAEFC8300F248569D549D7346EA349D428B90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 343 276d5b0-276d5c2 344 276d656-276d65d 343->344 345 276d5c8 343->345 346 276d5ca-276d5d6 344->346 345->346 347 276d662-276d667 346->347 348 276d5dc-276d5fe 346->348 347->348 350 276d600-276d61e 348->350 351 276d66c-276d681 348->351 354 276d626-276d636 350->354 355 276d638-276d640 351->355 354->355 356 276d68e 354->356 357 276d642-276d653 355->357 358 276d683-276d68c 355->358 358->357
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385870485.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_276d000_oAnb4ULQxP.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a3b960a96381bc83b582f915cc9a7c80cb75122f12f6717277194d9d69ba929
                          • Instruction ID: 4baca003b3f9250f9cce31f1b1983a5a5d43fe671e4ed02a71eab710d435ade3
                          • Opcode Fuzzy Hash: 3a3b960a96381bc83b582f915cc9a7c80cb75122f12f6717277194d9d69ba929
                          • Instruction Fuzzy Hash: 9B2100B2614240EFDB24DF10D9C8F36BF61FB88364F248169ED0A4B216C776D456CAA2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 360 29f05a8-29f05cc 362 29f05ce-29f05e6 360->362 363 29f05e8-29f05f0 360->363 362->363 366 29f05f9-29f0601 363->366 367 29f05f2 363->367 370 29f060a-29f0612 366->370 371 29f0603 366->371 367->366 372 29f0618 370->372 373 29f0614-29f0616 370->373 371->370 374 29f061d-29f061f 372->374 373->374 375 29f0627-29f062f 374->375 376 29f0621 374->376 377 29f0635 375->377 378 29f0631-29f0633 375->378 376->375 379 29f063a-29f063c 377->379 378->379 380 29f063e 379->380 381 29f0644-29f064c 379->381 380->381 382 29f064e-29f0650 381->382 383 29f0652 381->383 384 29f0657-29f0659 382->384 383->384 385 29f066b-29f0671 384->385 386 29f065b-29f0663 384->386 390 29f0678-29f067f 385->390 386->385 389 29f0665 386->389 389->385 391 29f0694-29f069e 390->391 392 29f0681-29f0687 390->392 391->390 395 29f068d 392->395 395->391
                          Memory Dump Source
                          • Source File: 00000000.00000002.3386242357.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: true
                          • Associated: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_29e0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef37460961da7586ecec9a130fe1227ed3c2c835b133d07733b6f47fc3c33e3c
                          • Instruction ID: c1725bceeb4e99936d6642077c42239d4d1ac9a7a14f3b68734cc894f0341436
                          • Opcode Fuzzy Hash: ef37460961da7586ecec9a130fe1227ed3c2c835b133d07733b6f47fc3c33e3c
                          • Instruction Fuzzy Hash: 02216F34A51377CFDBD4AB75E91832E7AECAF84244B404A2A9607C318AEF78C440CB61

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 396 276d5ab-276d5c2 397 276d656-276d65d 396->397 398 276d5c8 396->398 399 276d5ca-276d5d6 397->399 398->399 400 276d662-276d667 399->400 401 276d5dc-276d5fe 399->401 400->401 403 276d600-276d61e 401->403 404 276d66c-276d681 401->404 407 276d626-276d636 403->407 408 276d638-276d640 404->408 407->408 409 276d68e 407->409 410 276d642-276d653 408->410 411 276d683-276d68c 408->411 411->410
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385870485.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_276d000_oAnb4ULQxP.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 619584c3d7e14739f29610ac568831c66e191b9129ef2aa6f0fa2e72a2e39b36
                          • Instruction ID: ab76d979615ad5143254cf1bcfd94a00e8781cc50d2da2475e8205ba91f27e66
                          • Opcode Fuzzy Hash: 619584c3d7e14739f29610ac568831c66e191b9129ef2aa6f0fa2e72a2e39b36
                          • Instruction Fuzzy Hash: D1117F76504284DFCB15CF50D5C4B26BF71FB84314F2486A9DC094B656C33AD456CBA2

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 413 29f1040-29f106e 416 29f1086-29f10c5 413->416 417 29f1070-29f1076 413->417 425 29f10cc-29f10df 416->425 418 29f107a-29f107c 417->418 419 29f1078 417->419 418->416 419->416
                          Memory Dump Source
                          • Source File: 00000000.00000002.3386242357.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: true
                          • Associated: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_29e0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 34b3fdae61aa152b970c39af7f15653419193a6711a99ac1dd755d83e36ff0f4
                          • Instruction ID: 192e0d5245f88a1d533acf0437c172a52cda92537c2388256b36baa99bbc7c15
                          • Opcode Fuzzy Hash: 34b3fdae61aa152b970c39af7f15653419193a6711a99ac1dd755d83e36ff0f4
                          • Instruction Fuzzy Hash: 8A11AD30B01215DFCB94EBB9C544A6E7BEAEF89214714487AD50ADBB88EF31DC51CB90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 427 276d01d-276d03d 428 276d03f-276d04a 427->428 429 276d08d-276d095 427->429 430 276d082-276d089 428->430 431 276d04c-276d05a 428->431 429->428 430->431 435 276d08b 430->435 434 276d060 431->434 436 276d063-276d06b 434->436 435->436 437 276d06d-276d075 436->437 438 276d07b-276d080 436->438 437->438 438->437
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385870485.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_276d000_oAnb4ULQxP.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b93dad125eaa9f303e51387a96ecc90e698f177878c6b0440d59eabc5821251
                          • Instruction ID: 893c19b3786e0871844fb655733f52d1565fd9b11ddac18c1361db3ccf340885
                          • Opcode Fuzzy Hash: 3b93dad125eaa9f303e51387a96ecc90e698f177878c6b0440d59eabc5821251
                          • Instruction Fuzzy Hash: 04012671604340DAE7304E25CDC8B77BF88DF81364F18C01AED081B242C7B99845C7B1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 440 276d007-276d03d 441 276d03f-276d04a 440->441 442 276d08d-276d095 440->442 443 276d082-276d089 441->443 444 276d04c-276d05a 441->444 442->441 443->444 448 276d08b 443->448 447 276d060 444->447 449 276d063-276d06b 447->449 448->449 450 276d06d-276d075 449->450 451 276d07b-276d080 449->451 450->451 451->450
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385870485.000000000276D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0276D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_276d000_oAnb4ULQxP.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 68d3c30ad921dcfc628460eeacd28f19393b1756d2c5ae8e38bbcb49184470cc
                          • Instruction ID: 2354d8b96326483fea648a1f51dcd22556915cd9d01dc4fecd3bb00f76f97f4a
                          • Opcode Fuzzy Hash: 68d3c30ad921dcfc628460eeacd28f19393b1756d2c5ae8e38bbcb49184470cc
                          • Instruction Fuzzy Hash: 99015E7150E3C09EE7228B258894B66BFB4DF43224F1D81CBDD888F1A3C2695849C772

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 453 29f0a80-29f0a9a 456 29f0aa2-29f0ab2 453->456
                          Memory Dump Source
                          • Source File: 00000000.00000002.3386242357.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E0000, based on PE: true
                          • Associated: 00000000.00000002.3386222685.00000000029E0000.00000004.08000000.00040000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_29e0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 907b4ed58f84136460d3fe715b861a05fd8899697da274068ae2187e63765a5b
                          • Instruction ID: 91223b9bc64112c36bc7554a13880c1c46de863fb1e57d0321a1f431630fc937
                          • Opcode Fuzzy Hash: 907b4ed58f84136460d3fe715b861a05fd8899697da274068ae2187e63765a5b
                          • Instruction Fuzzy Hash: 31E0C2353002104F8344963EE88885FBBEEEFC9121354487AF10DC7351CD74CC014390
                          APIs
                          • BringWindowToTop.USER32(?), ref: 001F0E01
                          • SetFocus.USER32 ref: 001F0E0D
                          • SetForegroundWindow.USER32 ref: 001F0E19
                          • EndDialog.USER32(?,00000000), ref: 001F0E22
                          • SetForegroundWindow.USER32(?), ref: 001F0E36
                          • SetActiveWindow.USER32(?), ref: 001F0E3D
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000043), ref: 001F0E50
                          • GetDlgItem.USER32(?,0000041A), ref: 001F0E5C
                          • GetWindowRect.USER32(00000000,?), ref: 001F0E75
                          • SendMessageW.USER32(?,0000133E), ref: 001F0EC3
                          • CreateDialogParamW.USER32(?,?,001F2230,00000000), ref: 001F0ED9
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 001F0F21
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 001F0F4F
                          • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000090), ref: 001F0F92
                          • GetDlgItem.USER32(000003F6,00000403), ref: 001F0FF0
                          • SendMessageW.USER32(00000000), ref: 001F0FF7
                          • GetDlgItem.USER32(000003F6), ref: 001F1013
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F1027
                          • GetDlgItem.USER32(000003F7), ref: 001F104C
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F1060
                          • GetDlgItem.USER32(000003F7,00000000), ref: 001F1071
                          • EnableWindow.USER32(00000000), ref: 001F107E
                          • GetDlgItem.USER32(0000041D,00000000), ref: 001F108D
                          • EnableWindow.USER32(00000000), ref: 001F1094
                          • GetDlgItem.USER32(0000041C,00000000), ref: 001F10A3
                          • EnableWindow.USER32(00000000), ref: 001F10AA
                          • GetDlgItem.USER32(000003F7), ref: 001F10CC
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F10E0
                          • GetDlgItem.USER32(000003F8), ref: 001F10FC
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F1110
                          • GetDlgItem.USER32(00009C4B), ref: 001F112C
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F1140
                          • GetDlgItem.USER32(00009C47), ref: 001F115C
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F1170
                          • GetDlgItem.USER32(00000424), ref: 001F118C
                          • SendMessageW.USER32(00000000,00000401,?,00000000), ref: 001F11A0
                          • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000001,?), ref: 001F11D0
                          • RegQueryValueExW.ADVAPI32(?,Zoomit,00000000,?,?,?), ref: 001F120C
                          • RegCloseKey.ADVAPI32(?), ref: 001F121E
                          • CheckDlgButton.USER32(?,00000413,00000000), ref: 001F123C
                          • CheckDlgButton.USER32(00000421,00000000), ref: 001F1255
                          • GetDlgItem.USER32(00000420,00000406), ref: 001F126E
                          • SendMessageW.USER32(00000000), ref: 001F1275
                          • GetDlgItem.USER32(00000420), ref: 001F1288
                          • SendMessageW.USER32(00000000,00000405,00000001,00000003), ref: 001F129D
                          • SetDlgItemTextW.USER32(00000451,?), ref: 001F12C5
                          • GetDlgItem.USER32(00000451,000000C5), ref: 001F12DF
                          • SendMessageW.USER32(00000000), ref: 001F12E6
                          • GetDlgItem.USER32(000003FE,00000465), ref: 001F12FF
                          • SendMessageW.USER32(00000000), ref: 001F1306
                          • SetDlgItemTextW.USER32(00000452,?), ref: 001F132E
                          • GetDlgItem.USER32(00000452,000000C5), ref: 001F1348
                          • SendMessageW.USER32(00000000), ref: 001F134F
                          • GetDlgItem.USER32(000003FF,00000465), ref: 001F1368
                          • SendMessageW.USER32(00000000), ref: 001F136F
                          • CheckDlgButton.USER32(00000412,00000000), ref: 001F1388
                          • CheckDlgButton.USER32(00000425,00000000), ref: 001F13A1
                          • GetDlgItem.USER32(00000422,00000143), ref: 001F13DE
                          • SendMessageW.USER32(00000000), ref: 001F13E5
                          • GetDlgItem.USER32(00000422,0000014E), ref: 001F1408
                          • SendMessageW.USER32(00000000), ref: 001F140F
                          • GetDlgItem.USER32(00000423,00000143), ref: 001F147B
                          • SendMessageW.USER32(00000000), ref: 001F1482
                          • GetDlgItem.USER32(00000423,0000014E), ref: 001F14AC
                          • SendMessageW.USER32(00000000), ref: 001F14B3
                          • GetDlgItem.USER32(00000426,00000143), ref: 001F1615
                          • SendMessageW.USER32(00000000), ref: 001F161C
                          • GetDlgItem.USER32(00000426), ref: 001F1687
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001F169B
                          • GetDlgItem.USER32(00000426,0000014E), ref: 001F175E
                          • SendMessageW.USER32(00000000), ref: 001F1765
                          • GetFileAttributesW.KERNEL32(0025BAC0), ref: 001F176C
                          • SetDlgItemTextW.USER32(0000042E,0025BAC0), ref: 001F179D
                          • GetDlgItem.USER32(0000042F,00000406), ref: 001F17BA
                          • SendMessageW.USER32(00000000), ref: 001F17C1
                          • GetDlgItem.USER32(0000042F), ref: 001F17D4
                          • SendMessageW.USER32(00000000,00000405,00000001,00000037), ref: 001F17E3
                          • GetParent.USER32(?), ref: 001F1808
                          • UnregisterHotKey.USER32(00000000,00000000), ref: 001F1819
                          • UnregisterHotKey.USER32(00000000,00000003), ref: 001F181E
                          • UnregisterHotKey.USER32(00000000,00000001), ref: 001F1823
                          • UnregisterHotKey.USER32(00000000,00000002), ref: 001F1828
                          • UnregisterHotKey.USER32(00000000,00000004), ref: 001F182D
                          • UnregisterHotKey.USER32(00000000,00000005), ref: 001F1832
                          • UnregisterHotKey.USER32(00000000,00000006), ref: 001F1837
                          • UnregisterHotKey.USER32(00000000,00000007), ref: 001F183C
                          • UnregisterHotKey.USER32(00000000,00000008), ref: 001F1841
                          • UnregisterHotKey.USER32(00000000,00000009), ref: 001F1846
                          • UnregisterHotKey.USER32(00000000,0000000A), ref: 001F184B
                          • PostMessageW.USER32(?,00000400,00000000,00000000), ref: 001F185D
                          • ShellExecuteW.SHELL32(?,open,?,00000000,00000000,00000001), ref: 001F1897
                          • ShowWindow.USER32(?,00000000), ref: 001F18C7
                          • SendMessageW.USER32(0000130B,00000000,00000000), ref: 001F18D8
                          • ShowWindow.USER32(00000000,00000005), ref: 001F18F1
                          • EndDialog.USER32(?,00000000), ref: 001F1917
                          • GetParent.USER32(?), ref: 001F1905
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000000,?,?,?,?,001F1945,00000000), ref: 001F2EE4
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000003,?,?,?,?,001F1945,00000000), ref: 001F2EFC
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000001,?,?,?,?,001F1945,00000000), ref: 001F2F14
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000002,?,?,?,?,001F1945,00000000), ref: 001F2F2C
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000009,?,?,?,?,001F1945,00000000), ref: 001F2F44
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,0000000A,?,00000000,?,001F1945,00000000), ref: 001F2F5A
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000007,?,?,?,?,001F1945,00000000), ref: 001F2F72
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000008,?,00000000,?,001F1945,00000000), ref: 001F2F88
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000004,?,?,?,?,?,001F1945,00000000), ref: 001F2FA5
                            • Part of subcall function 001F2EC0: RegisterHotKey.USER32(001F1945,00000005,?,00000000,?,001F1945,00000000), ref: 001F2FC0
                          • GetOpenFileNameW.COMDLG32(?,?,?,?,?,76945540), ref: 001F2318
                          • GetFileAttributesW.KERNEL32(?,?,?,?,?,76945540), ref: 001F232D
                          • MessageBoxW.USER32(?,The specified file is inacessible,ZoomIt,00000010), ref: 001F2345
                          • SetDlgItemTextW.USER32(0000042E,?), ref: 001F2362
                          • GetDC.USER32(?), ref: 001F238D
                          • CreateCompatibleDC.GDI32(00000000), ref: 001F23B2
                          • ReleaseDC.USER32(?,00000000), ref: 001F23C6
                          • ChooseFontW.COMDLG32(0000003C), ref: 001F2456
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 001F247B
                          • DialogBoxParamW.USER32(ADVANCEDBREAK,?,Function_00024C10,00000000,?), ref: 001F2499
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Item$Message$Send$Window$Unregister$Register$ButtonCheckDialogText$EnableFile$AttributesCreateForegroundOpenParamParentRectShow$ActiveBringChooseCloseCompatibleExecuteFocusFontInvalidateNamePointsPostQueryReleaseShellValue
                          • String ID: %2.1f$%s: %s$0$<$ADVANCEDBREAK$Default$Error configuring auto start$Filepath$L$Q $Sample$Software\Microsoft\Windows\CurrentVersion\Run$Software\Sysinternals\Zoomit$The specified break timer hotkey is already in use.Select a different break timer hotkey.$The specified draw w/out zoom hotkey is already in use.Select a different draw w/out zoom hotkey.$The specified file is inacessible$The specified live-type hotkey is already in use.Select a different live-type hotkey.$The specified live-zoom toggle hotkey is already in use.Select a different zoom toggle hotkey.$The specified record hotkey is already in use.Select a different record hotkey.$The specified snip hotkey is already in use.Select a different snip hotkey.$The specified zoom toggle hotkey is already in use.Select a different zoom toggle hotkey.$Zoom$ZoomIt$Zoomit$open
                          • API String ID: 1165411458-1789503449
                          • Opcode ID: 17a4912bef2b104a2af036df57623723e1253b791bb13dabe3dbed5bb5d09b53
                          • Instruction ID: ddd52bfb082439fe79129c7565b48d47e7e7aa492144a1cdaf0abe5183474550
                          • Opcode Fuzzy Hash: 17a4912bef2b104a2af036df57623723e1253b791bb13dabe3dbed5bb5d09b53
                          • Instruction Fuzzy Hash: C9D27171B40318AFDB21AF64EC4DFAA7BB8EB09701F108095F609E71A1DB749A90CF55
                          APIs
                          • IsDlgButtonChecked.USER32(?,00000403), ref: 001E4C6C
                          • GetDlgItem.USER32(?,0000040F), ref: 001E4C82
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4C8C
                          • IsDlgButtonChecked.USER32(?,00000403), ref: 001E4C99
                          • GetDlgItem.USER32(?,000003F9), ref: 001E4CB2
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4CB6
                          • IsDlgButtonChecked.USER32(?,00000403), ref: 001E4CC3
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4CE3
                          • GetDlgItem.USER32(?,00000416), ref: 001E4CF9
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4D03
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4D10
                          • GetDlgItem.USER32(?,00000417), ref: 001E4D29
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4D2D
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4D3A
                          • GetDlgItem.USER32(?,00000410), ref: 001E4D53
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4D57
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4D64
                          • GetDlgItem.USER32(?,000003FA), ref: 001E4D7D
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4D81
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4D8E
                          • GetDlgItem.USER32(?,00000405), ref: 001E4DA7
                          • EnableWindow.USER32(00000000,00000000), ref: 001E4DAB
                          • EndDialog.USER32(?,?), ref: 001E4DE0
                          • IsDlgButtonChecked.USER32(?,00000403), ref: 001E4DF1
                          • IsDlgButtonChecked.USER32(?,00000404), ref: 001E4E03
                          • IsDlgButtonChecked.USER32(?,00000416), ref: 001E4E15
                          • GetFileAttributesW.KERNEL32(0025BF78), ref: 001E4E35
                          • MessageBoxW.USER32(?,The specified sound file is inacessible,Adanced Break Options Error,00000010), ref: 001E4E49
                          • GetDlgItem.USER32(?,000003F9), ref: 001E53A7
                          • GetDlgItem.USER32(?,000003FA), ref: 001E53BA
                          • CheckDlgButton.USER32(?,00000404,00000000), ref: 001E53D7
                          • CheckDlgButton.USER32(?,00000403,00000000), ref: 001E53EB
                          • CheckDlgButton.USER32(?,00000412,00000000), ref: 001E53FF
                          • CheckDlgButton.USER32(?,00000416,00000000), ref: 001E5413
                          • GetDlgItem.USER32(?,00000402), ref: 001E542C
                          • EnableWindow.USER32(00000000), ref: 001E542F
                          • GetDlgItem.USER32(?,0000040F), ref: 001E5442
                          • EnableWindow.USER32(00000000), ref: 001E5445
                          • GetDlgItem.USER32(?,000003F9), ref: 001E544F
                          • EnableWindow.USER32(00000000), ref: 001E5452
                          • GetDlgItem.USER32(?,00000401), ref: 001E545C
                          • EnableWindow.USER32(00000000), ref: 001E545F
                          • _wcsrchr.LIBVCRUNTIME ref: 001E54A0
                          • _wcsrchr.LIBVCRUNTIME ref: 001E54B3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Button$Item$CheckedEnableWindow$Check$_wcsrchr$AttributesDialogFileMessage
                          • String ID: %d%%$Adanced Break Options Error$L$The specified background file is inacessible$The specified sound file is inacessible
                          • API String ID: 989187664-1000416805
                          • Opcode ID: 075573f974f9389f21c386d298c40308f3df79c41c6ee0b12d3d3802810252d6
                          • Instruction ID: ffd893c6c20604908956a85e306cabea3baf1d30022e2e64fa16addc986a87b1
                          • Opcode Fuzzy Hash: 075573f974f9389f21c386d298c40308f3df79c41c6ee0b12d3d3802810252d6
                          • Instruction Fuzzy Hash: D042E7B1900758ABDB20AB70AC8AFAE777CFF08705F1040A9F605A71D2DB719A55CF58
                          APIs
                          • RegCreateKeyExW.ADVAPI32(80000001,Software\Sysinternals\Zoomit,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001FDD76
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000102), ref: 001FDD8E
                          • RegSetValueExW.ADVAPI32(?,FilePath,00000000,00000001,?,00000000), ref: 001FDDED
                          • RegCloseKey.ADVAPI32(?), ref: 001FDDF9
                          • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process), ref: 001FDE14
                          • GetProcAddress.KERNEL32(00000000), ref: 001FDE21
                          • GetCurrentProcess.KERNEL32(00000000), ref: 001FDE30
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Module$AddressCloseCreateCurrentFileHandleNameProcProcessValue
                          • String ID: ACCELERATORS$CreateDirect3D11DeviceFromDXGIDevice$CreateDirect3D11SurfaceFromDXGISurface$D3D11CreateDevice$DwmIsCompositionEnabled$EnableThemeDialogTexture$FilePath$GetDpiForWindow$GetMonitorInfoA$GetPointerPenInfo$GetPointerType$IsWow64Process$Local\ZoomitActive$MagInitialize$MagSetFullscreenTransform$MagSetInputTransform$MagSetWindowFilterList$MagSetWindowSource$MagSetWindowTransform$MagShowSystemCursor$MagnifierClass$MonitorFromPoint$NULLCURSOR$SHAutoComplete$SHQueryUserNotificationState$SetLayeredWindowAttributes$SetProcessDPIAware$Shlwapi.dll$Software\Sysinternals\Zoomit$SystemParametersInfoForDpi$User32.dll$ZoomIt$ZoomIt - Sysinternals: www.sysinternals.com$Zoomit Zoom Window$ZoomitActive$ZoomitClass$d3d11.dll$dwmapi.dll$kernel32.dll$magnification.dll$shell32.dll$user32.dll$uxtheme.dll
                          • API String ID: 394684921-734397289
                          • Opcode ID: 7f526c0535e8d6ed47fc83819bad5ac25a537f3037692f1bdda7bd1991f61362
                          • Instruction ID: 6e6b095c87788cc7b4892ba7361854aa4efd586b3be90ca6655b20ccb3c170f3
                          • Opcode Fuzzy Hash: 7f526c0535e8d6ed47fc83819bad5ac25a537f3037692f1bdda7bd1991f61362
                          • Instruction Fuzzy Hash: 9BF1C9B1E90308ABDB20BB70BC4FFAA76A8AB65B05F100495F604B71D1DBF59560CF94
                          APIs
                          • GetClientRect.USER32(?,?), ref: 001E9F26
                          • SetWindowPos.USER32(00000000,?,?,?,?,00000000), ref: 001E9F42
                          • CreateWindowExW.USER32(00000000,Magnifier,MagnifierWindow,50000001,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001E9FBF
                          • ShowWindow.USER32(?,00000005), ref: 001E9FCD
                          • InvalidateRect.USER32(00000000,00000001), ref: 001E9FDD
                          • SetForegroundWindow.USER32(?), ref: 001E9FEE
                          • SetTimer.USER32(?,00000001,006DDD00,00000000), ref: 001EA029
                          • GetDC.USER32(00000000), ref: 001EA05A
                          • GetCursorPos.USER32(?), ref: 001EA06A
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 001EA0CC
                          • UpdateWindow.USER32(?), ref: 001EA0D3
                          • RegisterHotKey.USER32(?,00000000,00000002,00000026), ref: 001EA14C
                          • RegisterHotKey.USER32(?,00000001,00000002,00000028), ref: 001EA155
                          • GetCursorPos.USER32(0025C854), ref: 001EA188
                          • SetCursorPos.USER32 ref: 001EA196
                          • SendMessageW.USER32(?,00000113,00000000,00000000), ref: 001EA1A6
                          • SetTimer.USER32(?,00000000,00000014,00000000), ref: 001EA1B3
                          • GetAsyncKeyState.USER32(000000A2), ref: 001EA292
                          • SendMessageW.USER32(?,0000020A,00000000), ref: 001EA2C8
                          • IsWindowVisible.USER32(?), ref: 001EA3A0
                          • DestroyWindow.USER32(?), ref: 001EA3C3
                          • DefWindowProcW.USER32(?,?,?,?), ref: 001EAA04
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$Cursor$MessageRectRegisterSendTimer$AsyncClientCreateDestroyForegroundInvalidateProcShowStateUpdateVisible
                          • String ID: Magnifier$MagnifierWindow
                          • API String ID: 3481467829-2051631249
                          • Opcode ID: fd16bb8f84c714252f1059d4fcf1a98c787593211c86d5398e02d59e1a8d12bb
                          • Instruction ID: 463d2cf500041df7f0e247edc47032dd715244d5a916a41db1390324f7c90799
                          • Opcode Fuzzy Hash: fd16bb8f84c714252f1059d4fcf1a98c787593211c86d5398e02d59e1a8d12bb
                          • Instruction Fuzzy Hash: 9272D231A107489FDB16DF76FC8DBAD77A5FF59302F64422AE502A72A1E7706880CB44
                          APIs
                          • DeleteObject.GDI32 ref: 001EC591
                          • DeleteDC.GDI32 ref: 001EC59D
                          • GdipAlloc.GDIPLUS(00000010), ref: 001EC5AF
                          • GdipCreateBitmapFromFile.GDIPLUS ref: 001EC5D6
                          • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00000000,00000010), ref: 001EC5F7
                          • GetLastError.KERNEL32 ref: 001EC63B
                          • GetDC.USER32(00000000), ref: 001EC679
                          • CreateCompatibleDC.GDI32(00000000), ref: 001EC6AB
                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 001EC6C6
                          • SelectObject.GDI32(00000000,00000000), ref: 001EC6D4
                          • CreateSolidBrush.GDI32(00000000), ref: 001EC6DE
                          • FillRect.USER32(?,0025C5A8,00000000), ref: 001EC6F2
                          • AlphaBlend.MSIMG32(?,00000000,00000000,?,?,?,?,?,004F0000), ref: 001EC734
                          • SelectObject.GDI32(?,00000000), ref: 001EC742
                          • DeleteDC.GDI32(?), ref: 001EC749
                          • DeleteObject.GDI32(00000000), ref: 001EC750
                          • ReleaseDC.USER32(00000000,?), ref: 001EC75E
                          • CreateCompatibleDC.GDI32 ref: 001EC775
                          • SelectObject.GDI32(00000000), ref: 001EC787
                          • CreateFontIndirectW.GDI32(0025BA48), ref: 001EC7E7
                          • CreateFontIndirectW.GDI32(0025BA48), ref: 001EC806
                          • CreateCompatibleDC.GDI32 ref: 001EC813
                          • GetDeviceCaps.GDI32(0000000C), ref: 001EC82C
                          • GetDeviceCaps.GDI32(0000000E), ref: 001EC83F
                          • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 001EC891
                          • SelectObject.GDI32(00000000), ref: 001EC8A9
                          • SetTextColor.GDI32 ref: 001EC8B7
                          • SetBkMode.GDI32(00000001), ref: 001EC8C5
                          • SelectObject.GDI32 ref: 001EC8D7
                          • SendMessageW.USER32(?,00000113,00000000,00000000), ref: 001EC8FF
                          • SetTimer.USER32(?,00000000,000003E8,00000000), ref: 001EC914
                          • BringWindowToTop.USER32(?), ref: 001EC920
                          • SetForegroundWindow.USER32(?), ref: 001EC92C
                          • SetActiveWindow.USER32(?), ref: 001EC938
                          • SetWindowPos.USER32(?,000000FE,00000040), ref: 001EC960
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$Object$Select$BitmapCompatibleDeleteWindow$Gdip$CapsDeviceFontFromIndirect$ActiveAllocAlphaBlendBringBrushColorErrorFileFillForegroundLastMessageModeRectReleaseSendSolidTextTimer
                          • String ID: Error loading background bitmap$gfff
                          • API String ID: 1331132768-1645011511
                          • Opcode ID: 5f2669dc58870ac0fc0218444b696b8af5c60a595b13073934e2700c3fa95372
                          • Instruction ID: 4485be7edaaa7f4917246af4f68f944a87dbca80f57ea9ace2dfa90558b207fa
                          • Opcode Fuzzy Hash: 5f2669dc58870ac0fc0218444b696b8af5c60a595b13073934e2700c3fa95372
                          • Instruction Fuzzy Hash: 3BC17F71904758AFCB15AF60FC0DBA97BB1EB08302F2440D9FA09A6270E7757954DF58
                          APIs
                          • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\windows nt\currentversion,?), ref: 001CE8D6
                          • RegQueryValueExW.ADVAPI32(?,ProductName,00000000,?,?,00000208,?,?,?,00000000,75B4EB20), ref: 001CE901
                          • RegCloseKey.ADVAPI32(?,?,?,?,00000000,75B4EB20), ref: 001CE92F
                          • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels,?), ref: 001CE9D7
                          • RegQueryValueExW.ADVAPI32(00000000,NanoServer,00000000,?,00000000,00000004,?,?,?,00000000,75B4EB20), ref: 001CE9FE
                          • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,75B4EB20), ref: 001CEA26
                          • GetStdHandle.KERNEL32(000000F5,?,?,?,00000000,00000000), ref: 001CEA32
                          • GetFileType.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 001CEA39
                          • LocalAlloc.KERNEL32(00000040,000003E8,?,?,?,00000000,75B4EB20), ref: 001CEA4F
                          • DialogBoxIndirectParamW.USER32(00000000,00000000,00000000,Function_0000E140,?), ref: 001CEC19
                          • LocalFree.KERNEL32(00000000), ref: 001CEC23
                          • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 001CEC43
                          • RegSetValueExW.ADVAPI32(00000000,EulaAccepted,00000000,00000004,00000000,00000004,?,?,00000000,00000000), ref: 001CEC62
                          • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000000), ref: 001CEC6E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseValue$LocalOpenQuery$AllocCreateDialogFileFreeHandleIndirectParamType
                          • String ID: %c$%ls$&Agree$&Decline$&Print$Accept Eula (Y/N)?$EulaAccepted$License Agreement$MS Shell Dlg$NanoServer$ProductName$RICHEDIT$Riched32.dll$Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels$Software\Microsoft\windows nt\currentversion$Software\Sysinternals\%s$This is the first run of this program. You must accept EULA to continue.$Use -accepteula to accept EULA.$You can also use the /accepteula command-line switch to accept the EULA.$iotuap
                          • API String ID: 4128462074-1896805070
                          • Opcode ID: 11cf7e4dbb0b4f04b852998d6b96aca592a291e6ddc9331fc4c79f18edebff82
                          • Instruction ID: 2dbbe8efb177c33330135fffbd7f79e32d4ce2983a7de6df6fd9356a6d7787a1
                          • Opcode Fuzzy Hash: 11cf7e4dbb0b4f04b852998d6b96aca592a291e6ddc9331fc4c79f18edebff82
                          • Instruction Fuzzy Hash: 91C136B19107289BCB309F24DC05F9AB7F8EF20304F40496DFA49A3252D775EA958F98
                          APIs
                          • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\windows nt\currentversion,?), ref: 001CE8D6
                          • RegQueryValueExW.ADVAPI32(?,ProductName,00000000,?,?,00000208,?,?,?,00000000,75B4EB20), ref: 001CE901
                          • RegCloseKey.ADVAPI32(?,?,?,?,00000000,75B4EB20), ref: 001CE92F
                          • RegOpenKeyW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels,?), ref: 001CE9D7
                          • RegQueryValueExW.ADVAPI32(00000000,NanoServer,00000000,?,00000000,00000004,?,?,?,00000000,75B4EB20), ref: 001CE9FE
                          • RegCloseKey.ADVAPI32(00000000,?,?,?,00000000,75B4EB20), ref: 001CEA26
                          • GetStdHandle.KERNEL32(000000F5,?,?,?,00000000,00000000), ref: 001CEA32
                          • GetFileType.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 001CEA39
                          • LocalAlloc.KERNEL32(00000040,000003E8,?,?,?,00000000,75B4EB20), ref: 001CEA4F
                          • DialogBoxIndirectParamW.USER32(00000000,00000000,00000000,Function_0000E140,?), ref: 001CEC19
                          • LocalFree.KERNEL32(00000000), ref: 001CEC23
                          • RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 001CEC43
                          • RegSetValueExW.ADVAPI32(00000000,EulaAccepted,00000000,00000004,00000000,00000004,?,?,00000000,00000000), ref: 001CEC62
                          • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000000), ref: 001CEC6E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseValue$LocalOpenQuery$AllocCreateDialogFileFreeHandleIndirectParamType
                          • String ID: %c$&Agree$&Decline$&Print$Accept Eula (Y/N)?$EulaAccepted$License Agreement$MS Shell Dlg$NanoServer$ProductName$RICHEDIT$Riched32.dll$Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels$Software\Microsoft\windows nt\currentversion$Software\Sysinternals\%s$You can also use the /accepteula command-line switch to accept the EULA.$iotuap
                          • API String ID: 4128462074-2005152718
                          • Opcode ID: a94bf81bacadd86e404eaefd51692e4925466710a42b241ae584aa41c3ed74ba
                          • Instruction ID: 699c08a97301499b96b38f6bedbca5668ff26c577dc46deab7bb0469be882099
                          • Opcode Fuzzy Hash: a94bf81bacadd86e404eaefd51692e4925466710a42b241ae584aa41c3ed74ba
                          • Instruction Fuzzy Hash: 28C114B19107299BCB309F24DC05F9AB7F8EF10304F40896DFA49A3252D775EA958F98
                          APIs
                          • __Mtx_unlock.LIBCPMT ref: 001D6A1E
                          • SendInput.USER32(00000001,?,0000001C,00000020,00000000), ref: 001D6A63
                          • __Mtx_unlock.LIBCPMT ref: 001D6ACE
                          • SendInput.USER32(00000001,00000001,0000001C,00000020), ref: 001D6B11
                          • __Mtx_unlock.LIBCPMT ref: 001D6B5D
                          • SendInput.USER32(00000001,00000001,0000001C,00000008), ref: 001D6B9C
                          • __Mtx_unlock.LIBCPMT ref: 001D6C07
                          • SendInput.USER32(00000001,00000001,0000001C,00000008), ref: 001D6C4A
                          • __Mtx_unlock.LIBCPMT ref: 001D6C9A
                          • SendInput.USER32(00000001,00000001,0000001C,000000A0), ref: 001D6CDD
                          • SendInput.USER32(00000001,00000001,0000001C,00000025), ref: 001D6D93
                          • __Mtx_unlock.LIBCPMT ref: 001D6E02
                          • SendInput.USER32(00000001,00000001,0000001C,00000025), ref: 001D6E49
                          • __Mtx_unlock.LIBCPMT ref: 001D6E95
                          • SendInput.USER32(00000001,00000001,0000001C,000000A0), ref: 001D6EDC
                          • __Mtx_unlock.LIBCPMT ref: 001D6F28
                          • SendInput.USER32(00000001,00000001,0000001C,000000A2), ref: 001D6F6B
                            • Part of subcall function 001D9040: SendInput.USER32(00000001,00000001,0000001C,?,76951FD0), ref: 001D90AB
                            • Part of subcall function 001D90E0: SendInput.USER32(00000001,00000001,0000001C,?,76951FD0), ref: 001D9156
                          • __Mtx_unlock.LIBCPMT ref: 001D6FF7
                          • SendInput.USER32(00000001,00000001,0000001C,000000A2), ref: 001D703E
                          • __Mtx_unlock.LIBCPMT ref: 001D6D4C
                            • Part of subcall function 001D3190: __alldvrm.LIBCMT ref: 001D31F3
                            • Part of subcall function 001D3190: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D3216
                          • OpenClipboard.USER32(00000000), ref: 001D7091
                          • CloseClipboard.USER32 ref: 001D709B
                          • GetClipboardSequenceNumber.USER32 ref: 001D70A5
                          • CloseClipboard.USER32 ref: 001D70AD
                          • __Mtx_unlock.LIBCPMT ref: 001D7143
                          • SendInput.USER32(00000001,00000001,0000001C,00000027), ref: 001D7190
                          • __Mtx_unlock.LIBCPMT ref: 001D71FF
                          • SendInput.USER32(00000001,00000001,0000001C,00000027), ref: 001D7246
                          • VkKeyScanW.USER32(00000063), ref: 001D7431
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D7451
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D7462
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputSend$Mtx_unlock$Clipboard$CloseCpp_errorThrow_std::_$NumberOpenScanSequenceUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 594461360-0
                          • Opcode ID: 5c0dec002af2ca41464d779a0a3531003fbf3fb8d9f4814420f6758f477988a9
                          • Instruction ID: 676a50ded79c64d7319a429f076eabe2515809926279fd84631b0305f8057ff6
                          • Opcode Fuzzy Hash: 5c0dec002af2ca41464d779a0a3531003fbf3fb8d9f4814420f6758f477988a9
                          • Instruction Fuzzy Hash: B35213B0D103099ADB16DBA4DC46BADB7B4FF54305F24022BE810A73D2FB70A959CB56
                          APIs
                          • __Mtx_unlock.LIBCPMT ref: 001D7E85
                          • SendInput.USER32(00000001,?,0000001C,0000000D,?,00000000), ref: 001D7ECE
                          • __Mtx_unlock.LIBCPMT ref: 001D7F3D
                          • __Mtx_unlock.LIBCPMT ref: 001D7FCD
                          • SendInput.USER32(00000001,?,0000001C,00000026,?,?,?,00000000), ref: 001D801A
                          • __Mtx_unlock.LIBCPMT ref: 001D8089
                          • __Mtx_unlock.LIBCPMT ref: 001D8116
                          • SendInput.USER32(00000001,?,0000001C,00000028,?,?,?,?,?,00000000), ref: 001D8163
                          • __Mtx_unlock.LIBCPMT ref: 001D81D2
                          • SendInput.USER32(00000001,00000001,0000001C,00000028,?,?,?,?,?,00000000), ref: 001D8219
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D82B5
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D82C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Mtx_unlock$InputSend$Cpp_errorThrow_std::_
                          • String ID: ($2$H$[/paste]$[down]$[end]$[enter]$[left]$[paste]$[pause:$[right]$[up]
                          • API String ID: 2097290378-1981377369
                          • Opcode ID: 0efdcf230912abee0a5c5a0ecab9c66695a04f643a714576b8f96f878059199d
                          • Instruction ID: 848fc54ef4da80c990ddac05816c2e43553c00a6528c607e554c51888e23d17b
                          • Opcode Fuzzy Hash: 0efdcf230912abee0a5c5a0ecab9c66695a04f643a714576b8f96f878059199d
                          • Instruction Fuzzy Hash: B1522270D102088BCF15DFA8D859BEEB7B5EF19305F10412AE815A73C2FB74AA49CB64
                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001F3358
                          • _wcsrchr.LIBVCRUNTIME ref: 001F3396
                          • ExpandEnvironmentStringsW.KERNEL32(%TEMP%,?,00000104), ref: 001F33CA
                          • _wcsrchr.LIBVCRUNTIME ref: 001F33D9
                          • FindResourceW.KERNEL32(00000000,RCZOOMIT64,BINRES), ref: 001F3417
                          • LoadResource.KERNEL32(00000000,00000000), ref: 001F342A
                          • SizeofResource.KERNEL32(00000000,00000000), ref: 001F3435
                          • LockResource.KERNEL32(00000000), ref: 001F343E
                          • GetCommandLineW.KERNEL32 ref: 001F34A7
                          • ShellExecuteExW.SHELL32(0000003C), ref: 001F34C4
                          • GetLastError.KERNEL32 ref: 001F34CE
                          • DeleteFileW.KERNEL32(?), ref: 001F34EB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Resource$File_wcsrchr$CommandDeleteEnvironmentErrorExecuteExpandFindLastLineLoadLockModuleNameShellSizeofStrings
                          • String ID: %TEMP%$64.exe$<$BINRES$Error launching 64-bit version$RCZOOMIT64
                          • API String ID: 1227472162-3149844433
                          • Opcode ID: c5cb1cbc07f71e98b5eca9f154b7282c883545d6a51dc36e8cbc56254c421db0
                          • Instruction ID: 917492c89217027e1678f64e6cae0c5eb2edd04c9b5f8108ce52bc0150f27692
                          • Opcode Fuzzy Hash: c5cb1cbc07f71e98b5eca9f154b7282c883545d6a51dc36e8cbc56254c421db0
                          • Instruction Fuzzy Hash: F251B3B191061CABDB10EFA0EC89BDE77B9EF98710F1002D5F61DA2191DB715AE48F50
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 001D930E
                          • CloseClipboard.USER32 ref: 001D9318
                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 001D94FD
                          • CompareFileTime.KERNEL32(?,0025B5A8), ref: 001D9510
                          • CloseHandle.KERNEL32(00000000), ref: 001D9537
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D95C8
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000), ref: 001D95FC
                          • SetWindowsHookExW.USER32(0000000D,001D63E0,00000000), ref: 001D960A
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001D9648
                          • TranslateMessage.USER32(?), ref: 001D9658
                          • DispatchMessageW.USER32(?), ref: 001D965E
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001D966E
                          • UnhookWindowsHookEx.USER32 ref: 001D967A
                          • GetKeyState.USER32(000000A0), ref: 001D968F
                          • __Mtx_unlock.LIBCPMT ref: 001D96E8
                          • SendInput.USER32(00000001,?,0000001C,000000A0), ref: 001D972F
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D9753
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D9764
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Cpp_errorThrow_std::_$ClipboardCloseFileHandleHookTimeWindows$CompareDispatchInputModuleMtx_unlockOpenSendStateTranslateUnhook
                          • String ID:
                          • API String ID: 478997424-0
                          • Opcode ID: 8bcec1182388b31a812187db17d12cfdf52d7df1e2c76136e26085f901fe615a
                          • Instruction ID: 3548b27567475aafe3438b2b1296dcec1c1ffdc5b103b986c340eb8a7be4d4a6
                          • Opcode Fuzzy Hash: 8bcec1182388b31a812187db17d12cfdf52d7df1e2c76136e26085f901fe615a
                          • Instruction Fuzzy Hash: F1C13730A003049BDB21AFB8FD09BAA77B4FF15305F54416AE901E73D2EB71A945CB64
                          APIs
                          • GdipCreateFromHDC.GDIPLUS(?,?,FE025AF7), ref: 001E82CC
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,?,?,FE025AF7), ref: 001E82E3
                          • GdipCreatePen1.GDIPLUS(00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E834D
                          • GdipSetPenLineCap197819.GDIPLUS(00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E8362
                          • GdipAlloc.GDIPLUS(0000000C,00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E83A5
                          • GdipCreateSolidFill.GDIPLUS(?,00000000,0000000C,00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E83F1
                          • InflateRect.USER32(?,00000005,00000005), ref: 001E8424
                          • InflateRect.USER32(?,00000005,00000005), ref: 001E8455
                          • GdipDrawRectangleI.GDIPLUS(00000000,00000000,?,00000000,?,?,00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004), ref: 001E8506
                            • Part of subcall function 001E77E0: GdipAlloc.GDIPLUS(00000010,FE025AF7), ref: 001E7882
                            • Part of subcall function 001E77E0: GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E78AC
                            • Part of subcall function 001E77E0: GdipGetImageGraphicsContext.GDIPLUS(?,00000000,?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E78D1
                          • GdipDeletePen.GDIPLUS(00000000,00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E869F
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000000,00000000,00000002,00000002,00000002,00000000,00000000,00000000,00000000,00000000,00000004,?,?,FE025AF7), ref: 001E86A5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Create$AllocDeleteFromGraphicsInflateRect$BitmapCap197819ContextDrawFillImageLineModePen1RectangleScan0SmoothingSolid
                          • String ID: ppp
                          • API String ID: 2333669212-3565861256
                          • Opcode ID: 6dffac361c770a1cb1bc11c2febbf96b71c3a12b7916e701ae36881f6818be68
                          • Instruction ID: b6e2599db7e9754f5a3022bb3eab1c29295f0eb07fe00208f61eddf423619458
                          • Opcode Fuzzy Hash: 6dffac361c770a1cb1bc11c2febbf96b71c3a12b7916e701ae36881f6818be68
                          • Instruction Fuzzy Hash: 9BD19071900654AFDB15DF95DC85FBEBBB8EF49300F088149FA09AB296DB31A904CB61
                          APIs
                          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,FE025AF7), ref: 002003E6
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002003EC
                          • GetErrorInfo.OLEAUT32(00000000,?,?,?,?,FE025AF7), ref: 0020042C
                          • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 002004A1
                          • LoadLibraryW.KERNEL32(?,.dll,?,00000000,00000000,?,?,?,?,FE025AF7), ref: 002004B2
                          • GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 002004D8
                          • FreeLibrary.KERNEL32(00000000,00000000,DllGetActivationFactory,?,00000000,?,.dll,?,00000000,00000000,?,?,?,?,FE025AF7), ref: 002004E2
                          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,FE025AF7), ref: 00200505
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0020050B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Library$AddressLoadProc$ErrorFreeInfoSimpleString::operator=
                          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                          • API String ID: 2527767913-2454113998
                          • Opcode ID: 1b82dfc608f39a766d0f5a24b216d25aa1369ea953f3bb73a013ccb1bf39d2ea
                          • Instruction ID: fafc7e5896be2b600529757ccbb9f5d91da46ffe1b3971a24333850e88920699
                          • Opcode Fuzzy Hash: 1b82dfc608f39a766d0f5a24b216d25aa1369ea953f3bb73a013ccb1bf39d2ea
                          • Instruction Fuzzy Hash: 15619E71920319ABDB15EFA4DC81BEEBBB4BF58310F504129E515A72D2DB70A920CF61
                          APIs
                          • __Mtx_unlock.LIBCPMT ref: 001D8AC3
                          • SendInput.USER32(00000001,00000001,0000001C,000000A2,?,?,?,00000000), ref: 001D8B06
                          • __Mtx_unlock.LIBCPMT ref: 001D8BCA
                          • SendInput.USER32(00000001,00000001,0000001C,000000A2,?,?,?,?,?,00000000), ref: 001D8C17
                          • __Mtx_unlock.LIBCPMT ref: 001D8C8D
                          • SendInput.USER32(00000001,00000001,0000001C,00000008), ref: 001D8CD0
                          • __Mtx_unlock.LIBCPMT ref: 001D8D48
                          • SendInput.USER32(00000001,00000001,0000001C,00000008), ref: 001D8D8F
                          • VkKeyScanW.USER32(00000076), ref: 001D8E59
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D8E7E
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D8E8F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputMtx_unlockSend$Cpp_errorThrow_std::_$Scan
                          • String ID: d$d$d$d
                          • API String ID: 36684784-3382918743
                          • Opcode ID: 80e65443fe8842ae68ee2772ad80a9ec37b7a689244afec2ff351aa4c8f0db3f
                          • Instruction ID: a23bbd7d971a38c553290902e0b8a3e930d18ef3e546833e960e714588befa6a
                          • Opcode Fuzzy Hash: 80e65443fe8842ae68ee2772ad80a9ec37b7a689244afec2ff351aa4c8f0db3f
                          • Instruction Fuzzy Hash: C7222770D10308CBDB25DFA8DC55BAEB7B4FF59309F14412AE805A7392EB30A958CB65
                          APIs
                            • Part of subcall function 001E0FF0: InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 001E10D6
                          • AcquireSRWLockExclusive.KERNEL32(00000000,FE025AF7,FE025AF7,?,?,?,00000000,0022FC90,000000FF,?,00000000,00000000,00000000), ref: 001FEA0C
                          • SetEvent.KERNEL32(00000000,?,?,00000000,0022FC90,000000FF,?,00000000,00000000,00000000), ref: 001FEA20
                          • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00000000,0022FC90,000000FF,?,00000000), ref: 001FEABB
                          • WaitForSingleObjectEx.KERNEL32(00000000,000000C8,00000000,?,?,00000000,0022FC90,000000FF,?,00000000), ref: 001FEAD6
                            • Part of subcall function 001CD910: GetLastError.KERNEL32(?,00000018,001CBFDF,?,001CC196,FE025AF7,00000018,?,000000FF,?,001CC0F2,FE025AF7,FE025AF7), ref: 001CDB64
                          • AcquireSRWLockExclusive.KERNEL32(00000000,FE025AF7,00000000,?,?,00000000,00000000), ref: 001FEC21
                          • WaitForSingleObjectEx.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 001FEC43
                          • WaitForSingleObjectEx.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 001FEC5B
                          • SetEvent.KERNEL32(00000000,?,?,00000000,00000000), ref: 001FEC77
                          • SetEvent.KERNEL32(00000000), ref: 001FECDB
                          • ReleaseSRWLockExclusive.KERNEL32(00000000), ref: 001FECF5
                          • CoCreateFreeThreadedMarshaler.OLE32(00000000,00000000,00000000,?,00000000), ref: 001FEE39
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExclusiveLock$EventObjectSingleWait$AcquireRelease$CreateEntryErrorFreeInterlockedLastListMarshalerPushThreaded
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\result_macros.h$W
                          • API String ID: 46316352-2083354221
                          • Opcode ID: 8043684a6f70258fb9d61b7aae584bf3bb2af97c0306f18b015d8bc2e38a120f
                          • Instruction ID: 20c4b4ad3c66f5f0294e6aa0b7cbbe98318d421ca2f9f2fc34ae927919ef26be
                          • Opcode Fuzzy Hash: 8043684a6f70258fb9d61b7aae584bf3bb2af97c0306f18b015d8bc2e38a120f
                          • Instruction Fuzzy Hash: D9628A74A00609DFDB20DF68C884BBABBF5FF54310F158569E91A9B2A0DB75ED40CB90
                          APIs
                          • MulDiv.KERNEL32(00000000,00000064), ref: 00200E0F
                          • MulDiv.KERNEL32(00000000,00000064), ref: 00200E23
                          • MulDiv.KERNEL32(00000000,00000022,00000000), ref: 00200E42
                            • Part of subcall function 001E0A20: InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001E0AFB
                          • MulDiv.KERNEL32(00000000,00000022,00000000), ref: 00200E5C
                            • Part of subcall function 001FFFC0: InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 00200099
                            • Part of subcall function 001FF600: InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FF6E3
                          • MulDiv.KERNEL32(00000022,00000000,?), ref: 00200E7E
                          • MulDiv.KERNEL32(00000022,00000000,00000000), ref: 00200E9A
                          • GetProcessHeap.KERNEL32(?,?,?,?,?,0025B04C,?,00000000,?,00000000,?,00000000,?,?), ref: 00201446
                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,0025B04C,?,00000000,?,00000000,?,00000000,?,?), ref: 0020144C
                            • Part of subcall function 00200240: InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 00200319
                            • Part of subcall function 001FFE10: InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FFEF3
                            • Part of subcall function 001FF940: InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FFA1F
                            • Part of subcall function 001CD910: GetLastError.KERNEL32(?,00000018,001CBFDF,?,001CC196,FE025AF7,00000018,?,000000FF,?,001CC0F2,FE025AF7,FE025AF7), ref: 001CDB64
                          • ___std_exception_copy.LIBVCRUNTIME ref: 0020192E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush$Heap$ErrorFreeLastProcess___std_exception_copy
                          • String ID: $/$/$W
                          • API String ID: 3392060327-2514158930
                          • Opcode ID: b18baf16f33ffbdb7cfa1ed65a820378f6c8a6fe8036bcfb4c0df2186b038a59
                          • Instruction ID: f0262a4c3910af2cd42582ee785ec3d04a343c5c159b7564cd8cf6141c0502ba
                          • Opcode Fuzzy Hash: b18baf16f33ffbdb7cfa1ed65a820378f6c8a6fe8036bcfb4c0df2186b038a59
                          • Instruction Fuzzy Hash: 88D24770910309CFEB24CFA4C884BAEBBF5BF54304F1485ADE409AB292DB75AA55CF50
                          Strings
                          • Failed to initialize AudioGraph!, xrefs: 001C753D
                          • #, xrefs: 001C8288
                          • Failed to initialize input audio node!, xrefs: 001C802C
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #$Failed to initialize AudioGraph!$Failed to initialize input audio node!
                          • API String ID: 0-1461948192
                          • Opcode ID: 623f99dcff11f1e0e2219f1a20fc518cace1f875bbb31348701310bd2a500b57
                          • Instruction ID: 0572e299d1f73ec84c47298d3f49656a1b2346286a1fb68b3b01486afa78a146
                          • Opcode Fuzzy Hash: 623f99dcff11f1e0e2219f1a20fc518cace1f875bbb31348701310bd2a500b57
                          • Instruction Fuzzy Hash: EFC217B4A05606EFDB59DF64C590BEAFBB4BF29300F10416DE819A7341EB70AA54CF90
                          APIs
                          • GetFileAttributesExW.KERNEL32(00000003,00000000,?,?,00000000), ref: 00207071
                          • GetLastError.KERNEL32 ref: 0020707B
                          • FindFirstFileW.KERNEL32(00000003,?), ref: 00207092
                          • GetLastError.KERNEL32 ref: 0020709D
                          • FindClose.KERNEL32(00000000), ref: 002070A9
                          • ___std_fs_open_handle@16.LIBCPMT ref: 00207162
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
                          • String ID:
                          • API String ID: 2340820627-0
                          • Opcode ID: 4eff7d56750faa29c901bc89f23b0e3ee7a35fd078452bb42116aeeaa4aedaf7
                          • Instruction ID: 45e23a657c6c5287a258ad3f08165db4091f70d20cc359450ddb650e36dbaa27
                          • Opcode Fuzzy Hash: 4eff7d56750faa29c901bc89f23b0e3ee7a35fd078452bb42116aeeaa4aedaf7
                          • Instruction Fuzzy Hash: E3718D75E2471A9FCB24CF68DC88BAAB7B4BF05310F104295E859E32D1DB70A965CB90
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 001D7473
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 001D747F
                          • GetClipboardData.USER32(0000000D), ref: 001D748B
                          • CloseClipboard.USER32 ref: 001D7497
                          • GlobalSize.KERNEL32(00000000), ref: 001D74A4
                          • GlobalLock.KERNEL32(00000000), ref: 001D74B8
                          • GlobalUnlock.KERNEL32(00000000), ref: 001D7501
                          • CloseClipboard.USER32 ref: 001D7507
                          • GlobalUnlock.KERNEL32(00000000), ref: 001D7514
                          • CloseClipboard.USER32 ref: 001D751A
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Clipboard$Global$Close$Unlock$AvailableDataFormatLockOpenSize
                          • String ID:
                          • API String ID: 240886624-0
                          • Opcode ID: 713e5b40659ec9912b68dc1118e8269d8a9aa607e9a57a48df3a62ed904b1a38
                          • Instruction ID: 0a8444b4fbafd3e3b376655abe76c970dd94a092e904f710ca9e5a152e6bd9eb
                          • Opcode Fuzzy Hash: 713e5b40659ec9912b68dc1118e8269d8a9aa607e9a57a48df3a62ed904b1a38
                          • Instruction Fuzzy Hash: 8611E9313145015BD7213BB8FC4C77BBAA4EF84766F41417AF946C22D4FF64E8458661
                          APIs
                          • OpenClipboard.USER32(00000000), ref: 001D9223
                          • EmptyClipboard.USER32 ref: 001D922D
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,001D89F6,00000000,?,00000000), ref: 001D9259
                          • GlobalLock.KERNEL32(00000000), ref: 001D9266
                          • GlobalUnlock.KERNEL32(00000000), ref: 001D9273
                          • GlobalFree.KERNEL32(00000000), ref: 001D927A
                          • CloseClipboard.USER32 ref: 001D9280
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Global$Clipboard$AllocCloseEmptyFreeLockOpenUnlock
                          • String ID:
                          • API String ID: 3707603888-0
                          • Opcode ID: 0ccf7c4833e2f6510fcfd2dd6cbafb718c8d7443617269b9e50a203d9ca3550c
                          • Instruction ID: 4f72c6286b3d4117dcacf177f12239fbab9874f1ca4be807b49514aa2d2ae9f8
                          • Opcode Fuzzy Hash: 0ccf7c4833e2f6510fcfd2dd6cbafb718c8d7443617269b9e50a203d9ca3550c
                          • Instruction Fuzzy Hash: B511C235240210A7CF103BA8FC1DBFE7B78EFC5B56F4500AEF94A87220DB21A842C660
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 001C23C9
                          • IsDebuggerPresent.KERNEL32 ref: 001C24FC
                          • OutputDebugStringW.KERNEL32(00000000), ref: 001C25A3
                          • GetCurrentThreadId.KERNEL32 ref: 001C270B
                          • IsDebuggerPresent.KERNEL32 ref: 001C282D
                          • OutputDebugStringW.KERNEL32(00000000), ref: 001C28A2
                          • GetCurrentThreadId.KERNEL32 ref: 001C2A47
                          • IsDebuggerPresent.KERNEL32 ref: 001C2B69
                          • OutputDebugStringW.KERNEL32(00000000), ref: 001C2BDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentDebugDebuggerOutputPresentStringThread
                          • String ID:
                          • API String ID: 4268342597-0
                          • Opcode ID: 37991b5227715b57208ce10f72e9a73b1bf5e4093b153df4fb9fee9087ba703e
                          • Instruction ID: 1d66e21bfe10ff4cf6531902aa4f63e703ccc273c86abf8adca1bd54e35e114a
                          • Opcode Fuzzy Hash: 37991b5227715b57208ce10f72e9a73b1bf5e4093b153df4fb9fee9087ba703e
                          • Instruction Fuzzy Hash: B44228749043199BDB25CF65DC88BEAB7F8AB28304F04419DE959E32A1E734DAC4CF64
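The per-function "APIs" listings above (clipboard read, clipboard write, the GetKeyState/SendInput hook loop, the LoadLibraryW/GetProcAddress resolver and the IsDebuggerPresent checks) are the raw evidence behind the capability lines in the Signatures section of this report. The script below is an added example, not Joe Sandbox output and not code from the analysed sample: it parses lines in exactly that format into records, names the documented Win32 constants that appear in the arguments (0x0D is CF_UNICODETEXT, 0x02 is GMEM_MOVEABLE, 0xA0 is VK_LSHIFT), and maps API clusters onto capability labels phrased like the report's own. The RULES table is an assumption about which API combinations the sandbox heuristics key on, SAMPLE_LISTING is constructed from the blocks above, and all function names are the example's own.

```python
"""Triage helper for the per-function "APIs" listings of a Joe Sandbox report.

Added example, not sandbox output and not code from the analysed sample.
Parses lines such as
    • GetClipboardData.USER32(0000000D), ref: 001D748B
into records, names documented Win32 constants found in the arguments, and
maps API clusters onto capability labels. RULES is an assumption about what
the sandbox heuristics look for; CONSTANTS holds documented Win32 values.
"""
import re
from collections import Counter

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z][A-Z0-9\-]*)(?=\(|\s)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 values for argument 0 of the listed APIs.
CONSTANTS = {
    ("GetClipboardData", 0): {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"},
    ("IsClipboardFormatAvailable", 0): {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"},
    ("GlobalAlloc", 0): {0x02: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"},
    ("GetKeyState", 0): {0x08: "VK_BACK", 0xA0: "VK_LSHIFT", 0xA2: "VK_LCONTROL"},
}

# Assumed rules: every API in the set must appear for the label to fire.
RULES = {
    "read data from the clipboard": {"OpenClipboard", "GetClipboardData"},
    "modify clipboard data": {"OpenClipboard", "EmptyClipboard"},
    "retrieve information about pressed keystrokes": {"GetKeyState"},
    "check if a debugger is running (IsDebuggerPresent)": {"IsDebuggerPresent"},
    "simulate keyboard input (SendInput)": {"SendInput"},
    "dynamically resolve API calls": {"LoadLibraryW", "GetProcAddress"},
}

# Constructed sample: lines copied in shape from the report blocks, plus two
# non-API lines that the parser must skip.
SAMPLE_LISTING = """\
Memory Dump Source
• Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• OpenClipboard.USER32(00000000), ref: 001D7473
• IsClipboardFormatAvailable.USER32(0000000D), ref: 001D747F
• GetClipboardData.USER32(0000000D), ref: 001D748B
• CloseClipboard.USER32 ref: 001D7497
• OpenClipboard.USER32(00000000), ref: 001D9223
• EmptyClipboard.USER32 ref: 001D922D
• GlobalAlloc.KERNEL32(00000002,00000000,?,001D89F6,00000000,?,00000000), ref: 001D9259
• GetKeyState.USER32(000000A0), ref: 001D968F
• SendInput.USER32(00000001,?,0000001C,000000A0), ref: 001D972F
• UnhookWindowsHookEx.USER32 ref: 001D967A
• IsDebuggerPresent.KERNEL32 ref: 001C24FC
• LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,FE025AF7), ref: 002003E6
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 002003EC
• std::_Throw_Cpp_error.LIBCPMT ref: 001D9753
  • Part of subcall function 001E0FF0: InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 001E10D6
"""


def parse_listing(text):
    """Return one record per API line; every other line in the text is skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if raw is None else [a.strip() for a in raw.split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub") is not None,
        })
    return calls


def decode_constant(call, index=0):
    """Name the constant at argument `index`; None if unknown or unresolved ('?')."""
    table = CONSTANTS.get((call["api"], index))
    if table is None or index >= len(call["args"]):
        return None
    try:
        return table.get(int(call["args"][index], 16))
    except ValueError:
        return None


def capabilities(calls, include_subcalls=True):
    """Sorted capability labels whose required APIs all appear in `calls`."""
    seen = {c["api"] for c in calls if include_subcalls or not c["subcall"]}
    return sorted(label for label, needed in RULES.items() if needed <= seen)


def call_counts(calls):
    """How often each API appears; the basis for 'extensive use of' style checks."""
    return Counter(c["api"] for c in calls)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        name = decode_constant(c)
        if name:
            print(f"{c['api']:<28} @ {c['ref']:08X}  arg0 = {name}")
    print("capabilities:", capabilities(parsed))
```

Subcall lines ("Part of subcall function ...") are kept but flagged, so a rule can be restricted to APIs the function calls directly by passing include_subcalls=False; the "?" placeholders the sandbox emits for unresolved arguments are treated as unknown rather than decoded.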
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00229146
                          • IsValidCodePage.KERNEL32(00000000), ref: 00229184
                          • IsValidLocale.KERNEL32(?,00000001), ref: 00229197
                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 002291DF
                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 002291FA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                          • String ID: |?$
                          • API String ID: 415426439-3329722059
                          • Opcode ID: 0ca8efa89dc562a1015edc1523e346194b70e1f642f2d36eb95371dbc6dc34f2
                          • Instruction ID: 0671939d7eaee2d6e8c49745286b8abb768672e1fa082007b7c00ec8e039ee43
                          • Opcode Fuzzy Hash: 0ca8efa89dc562a1015edc1523e346194b70e1f642f2d36eb95371dbc6dc34f2
                          • Instruction Fuzzy Hash: C551A27192022ABBDB10DFE5EC45ABE73B8FF08700F154569B914E7191EB70DAA08F61
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: __floor_pentium4
                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                          • API String ID: 4168288129-2761157908
                          • Opcode ID: 2b2802f7decd8b6abe1f1ed1fb14a84fa79239c7f816a485d55add39814563ea
                          • Instruction ID: 16db28100cfc01259ff05b36b2f6d1810d3cf63d0b7cd4004af4c10e8899e8c3
                          • Opcode Fuzzy Hash: 2b2802f7decd8b6abe1f1ed1fb14a84fa79239c7f816a485d55add39814563ea
                          • Instruction Fuzzy Hash: DCD24971E282299FDB64CE68ED447EAB7B5FB44304F1441EAD40DE7240EB78AE918F41
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • GetACP.KERNEL32(?,?,?,?,?,?,0021E6B3,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00228788
                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0021E6B3,?,?,?,00000055,?,-00000050,?,?), ref: 002287BF
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00228922
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CodeInfoLocalePageValid
                          • String ID: utf8$|?$
                          • API String ID: 607553120-3224357909
                          • Opcode ID: e22d8d9b9e3f3e54c320e0338c54328c7895c1cbfcf1d4a06956966ac7d80b77
                          • Instruction ID: 3fdbeafac649060929ead37692471f7304f94803a5fd5fe739297e977352658d
                          • Opcode Fuzzy Hash: e22d8d9b9e3f3e54c320e0338c54328c7895c1cbfcf1d4a06956966ac7d80b77
                          • Instruction Fuzzy Hash: D4711A35622326BAE724AFB4EC42FBB73A8EF44740F104429F505D7181FE74E9708A51
                          APIs
                          • GetLocaleInfoW.KERNEL32(?,2000000B,00229174,00000002,00000000,?,?,?,00229174,?,00000000), ref: 00228EFB
                          • GetLocaleInfoW.KERNEL32(?,20001004,00229174,00000002,00000000,?,?,?,00229174,?,00000000), ref: 00228F24
                          • GetACP.KERNEL32(?,?,00229174,?,00000000), ref: 00228F39
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          • Opcode ID: 3d1dbda2fcb8a7c49cb8f24e7e1cb4fbc91d7a8a35ee979dc03b67ddcc8eb096
                          • Instruction ID: 2ba65db45502fcd1522701454bcaf9ab54bf621ea07e4b3f9f0715f9da238d4d
                          • Opcode Fuzzy Hash: 3d1dbda2fcb8a7c49cb8f24e7e1cb4fbc91d7a8a35ee979dc03b67ddcc8eb096
                          • Instruction Fuzzy Hash: BF21A722632122BADB349F94EA04A9773A7EB50F60B974464F80AD7514EF32DD50C350
                          APIs
                          • GetKeyState.USER32(000000A2), ref: 001F36D0
                          • GetKeyState.USER32(000000A0), ref: 001F36E0
                          • GetKeyState.USER32(000000A1), ref: 001F36EC
                          • SetMessageExtraInfo.USER32(FF515700), ref: 001F36FB
                          • SendMessageW.USER32(?,?,?,?), ref: 001F370B
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: State$Message$ExtraInfoSend
                          • String ID:
                          • API String ID: 4165561956-0
                          • Opcode ID: 755498f262642bd8822697243f35d359afc4d6dba6a998c5c0224332057c3d36
                          • Instruction ID: 8a07e99e07eca016ebaa045b9bd7e0de75d7f05a6596630495a7b2750b482a49
                          • Opcode Fuzzy Hash: 755498f262642bd8822697243f35d359afc4d6dba6a998c5c0224332057c3d36
                          • Instruction Fuzzy Hash: 25E06537A0022977DA003BD9AC09EEE7E58DF557B6F520060FB44A706186A1650146F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 837ed9dd603977fb789d57ce762a3b1eb5c54fedffd8b80e4f6680a889eb79c8
                          • Instruction ID: 7093b2e81ec11c60fda4d0f4ef0c927ee65b3e84d0e786e3701aa18f116474dd
                          • Opcode Fuzzy Hash: 837ed9dd603977fb789d57ce762a3b1eb5c54fedffd8b80e4f6680a889eb79c8
                          • Instruction Fuzzy Hash: C7025B71E1021A9BDF14CFA8C8846EEFBF5FF58314F248269D919A7381D731AA51CB90
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002086B6
                          • IsDebuggerPresent.KERNEL32 ref: 00208782
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002087A2
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 002087AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                          • String ID:
                          • API String ID: 254469556-0
                          • Opcode ID: 76b999f09032a05e4969b211142d01d49c39a93d97e69baed56616fcb99a189f
                          • Instruction ID: ac582058bb4d7e3cbddf3dd81e32670502ad96ef714c7b447a4a9fb8c7d046e1
                          • Opcode Fuzzy Hash: 76b999f09032a05e4969b211142d01d49c39a93d97e69baed56616fcb99a189f
                          • Instruction Fuzzy Hash: F9311875D1131C9BDB10EFA4D989BCDBBB8AF08700F1040EAE54DAB291EB715A888F44
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                          • String ID: [(][0-9]+[)]$$46%$exists$9%
                          • API String ID: 593203224-3756384537
                          • Opcode ID: 2e7fd377232f2867f829b34565f80d9bedf16c8c1df2b79983173a886358f18a
                          • Instruction ID: 920763fd9201cce904d6eba8af260dc4c59663cb204d96e0c8e27e50494c945f
                          • Opcode Fuzzy Hash: 2e7fd377232f2867f829b34565f80d9bedf16c8c1df2b79983173a886358f18a
                          • Instruction Fuzzy Hash: 83621271D10299CBDF28CB64CD98BEDB7B5AF55304F108299E40AA7292EB746F84CF50
                          APIs
                          • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,?,?,?,001FCE59,?,?,?,?,?,?,0023289D,000000FF), ref: 00206EB6
                          • FormatMessageA.KERNEL32(00001300,00000000,FE025AF7,?,00000000,00000000,00000000,?,?,?,001FCE59,?,?), ref: 00206ED8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: FormatInfoLocaleMessage
                          • String ID: !x-sys-default-locale
                          • API String ID: 4235545615-2729719199
                          • Opcode ID: 32fb77708eab342632fb89729bc9188ef70d91c01fc347e807a4e949e026b4a6
                          • Instruction ID: ed0b8d6975db2072544f5e0ac3464c7bd34b1d45cada61dd20010559220f4ab0
                          • Opcode Fuzzy Hash: 32fb77708eab342632fb89729bc9188ef70d91c01fc347e807a4e949e026b4a6
                          • Instruction Fuzzy Hash: 2DE06DB6561208BFFB04AFA1DC0FDFBBB6DEB05790F004155BD01E2190E2B06E10CAA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                          • String ID: 0123456789ABCDEFabcdef-+XxPp$gfff
                          • API String ID: 593203224-2564223115
                          • Opcode ID: 6b6fd522514fa85d72dadbf8c49968ad6ae9ee325e06bd02e48cd6e576c2bbd1
                          • Instruction ID: f5032a70b0db1daf0f37215ec036c6b1de68c94dabbf9aa1b98fb2f0b4f34834
                          • Opcode Fuzzy Hash: 6b6fd522514fa85d72dadbf8c49968ad6ae9ee325e06bd02e48cd6e576c2bbd1
                          • Instruction Fuzzy Hash: 44238B74604296EFEB29CF29C050775B7B1BF56304F6481AAD88A8F392D735DC82CB61
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00228B3A
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00228B84
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00228C4A
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale$ErrorLast
                          • String ID:
                          • API String ID: 661929714-0
                          • Opcode ID: 7c2208f94f2a9dd41bbee2168229f17c65881c5ec39f4f2de00385acf00ee172
                          • Instruction ID: 2c1a464c4dc6441c04abd11db3b2db1f9c2f4508750d643175aaa309b65e3d55
                          • Opcode Fuzzy Hash: 7c2208f94f2a9dd41bbee2168229f17c65881c5ec39f4f2de00385acf00ee172
                          • Instruction Fuzzy Hash: 6C61C871522127AFEB289F64EC82BB673A8EF14300F14417AED05C6595EB74DDA4CF50
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0020CAAB
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0020CAB5
                          • UnhandledExceptionFilter.KERNEL32(0025BC18,?,?,?,?,?,00000000), ref: 0020CAC2
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: cdcaeac0dbae9dc1e279c45ead030e0318bfb1ba9e1d699e0e2fc81d2a1cc876
                          • Instruction ID: 51e927fd3f26ecf08f33a4fcdff03597585684a487d976564ba39417f53f271a
                          • Opcode Fuzzy Hash: cdcaeac0dbae9dc1e279c45ead030e0318bfb1ba9e1d699e0e2fc81d2a1cc876
                          • Instruction Fuzzy Hash: 1F31D47491131C9BCB21DF68DC8878DBBB4AF08310F6041EAE41DA7291EB709F958F44
                          APIs
                          • GetVersionExW.KERNEL32(00000114), ref: 001CE089
                          • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 001CE0B7
                          • SetLastError.KERNEL32(00000057), ref: 001CE0D3
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLibraryLoadVersion
                          • String ID:
                          • API String ID: 2860043691-0
                          • Opcode ID: d3d4ee0e624c9fed45d568cc69783826551c61faea327b83dbb1eb01287a6d6a
                          • Instruction ID: 201380c460533e308908c4078f66b5de943f1f8b5c5d48a4f2f0558e5658d565
                          • Opcode Fuzzy Hash: d3d4ee0e624c9fed45d568cc69783826551c61faea327b83dbb1eb01287a6d6a
                          • Instruction Fuzzy Hash: 4711D631B0011C97DB249F649C46BEEB7A8EB54710F0041AAF90997281DB71AE508AD1
                          APIs
                          • CoCreateInstance.OLE32(?,00000000,00000001,0023DD84,?,FE025AF7,?,?,?,002309FE,000000FF), ref: 001DE264
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\result_macros.h, xrefs: 001DE284
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInstance
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\result_macros.h
                          • API String ID: 542301482-2692935960
                          • Opcode ID: e8436f7eb9dc9b64ff1c889d3a2926b8e6bf005fb5899cdca5aed3815b49f15a
                          • Instruction ID: 441b4459c118cf9fc90f2e7f41fd7af00eb7cd208a1af6aaa628a41e147f9cdc
                          • Opcode Fuzzy Hash: e8436f7eb9dc9b64ff1c889d3a2926b8e6bf005fb5899cdca5aed3815b49f15a
                          • Instruction Fuzzy Hash: 3F018FB1644348FFDB10CF48DC05FDABBF8EB09B10F004659F81597280D3B5AA108B90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: ($t#
                          • API String ID: 4129690577-1111744622
                          • Opcode ID: 337efa55da602934c2b6712758d07fc4449319be75d5025c3ce14a632e685438
                          • Instruction ID: 533901bb4117512db24e69195be0c45a8f2cbaa3f8d3b75588ad5ecdc7988535
                          • Opcode Fuzzy Hash: 337efa55da602934c2b6712758d07fc4449319be75d5025c3ce14a632e685438
                          • Instruction Fuzzy Hash: D8423D71E10319DFEB14CFA4C848B9DBBB5BF55304F1081AEE509AB292D771AA58CF50
                          Strings
                          • 0123456789ABCDEFabcdef-+Xx, xrefs: 001D1FD2
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Lockitstd::_$Lockit::_Lockit::~_
                          • String ID: 0123456789ABCDEFabcdef-+Xx
                          • API String ID: 593203224-2799312399
                          • Opcode ID: 02e19c138b3bd5c32ca3d1cb1292a4884e7fdbf86b7a97c7a73bed960d1d400d
                          • Instruction ID: 712c3c684204d150472bb2acf8963ecfce5e4691535d46b9e6dcde6b8f59c004
                          • Opcode Fuzzy Hash: 02e19c138b3bd5c32ca3d1cb1292a4884e7fdbf86b7a97c7a73bed960d1d400d
                          • Instruction Fuzzy Hash: A3C29D34604255CFDB28CF28C450BB9B7F1AF66304F64859ED8A68B392D735ED82DB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
                          • Instruction ID: 5ed6f2683bc17ed45e350fdc422ac022ecaeaa5d26b817e865ef573f642cd0bc
                          • Opcode Fuzzy Hash: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
                          • Instruction Fuzzy Hash: 1F72B430618F498FDB6ADF28C8857A973E5FB98314F15862DD88BC7245DF34E9428B81
                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0021D8D4,?,?,00000008,?,?,0022E9DB,00000000), ref: 0021DB06
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          • Opcode ID: 12716dd9f186492ea53c2a4d59df2d0b165b098fa5a76738c96357a7bfa306b4
                          • Instruction ID: 11df5f4ab412b57a7f772d2b6fd0154809d7bb2071e3f85049835df3f63fd20b
                          • Opcode Fuzzy Hash: 12716dd9f186492ea53c2a4d59df2d0b165b098fa5a76738c96357a7bfa306b4
                          • Instruction Fuzzy Hash: 25B17131524609DFD715CF28C48ABA57BE0FF15364F258658E8DACF2A1C375EAA2CB40
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002083F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: FeaturePresentProcessor
                          • String ID:
                          • API String ID: 2325560087-0
                          • Opcode ID: 0072de2ee1241d2fb6ff1df07a2eac55831d120c6f60cbd0f517a69f9e42cd54
                          • Instruction ID: b695d9583583c4d6d5b9a9afafb4c5e7446df4d812c15357413e54cb373b2416
                          • Opcode Fuzzy Hash: 0072de2ee1241d2fb6ff1df07a2eac55831d120c6f60cbd0f517a69f9e42cd54
                          • Instruction Fuzzy Hash: CC5191B19213169FDB14CF58EC857AEBBF0FB48312F24806AD445EB291DB749950CF54
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c7077ee9ec7625e702289ab791cde4c9155740266c258e26a431972a3f242c72
                          • Instruction ID: 1035564fd08ea0b320851827167d4fafc932954248e2ec42c98c86a4e0bef509
                          • Opcode Fuzzy Hash: c7077ee9ec7625e702289ab791cde4c9155740266c258e26a431972a3f242c72
                          • Instruction Fuzzy Hash: C041D675815629AFCB10DFA9DC89EAABBB8AF45304F1482D9F40DD3201EA349E948F50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: 8881a2d629f7e300a64694aa838e0d2244f41f830304576dbc169b41fb38cf23
                          • Instruction ID: 8ef121e23094e5711df40bc06aabad55d15b3b8ea5a998b815c0ae5fa1964158
                          • Opcode Fuzzy Hash: 8881a2d629f7e300a64694aa838e0d2244f41f830304576dbc169b41fb38cf23
                          • Instruction Fuzzy Hash: 10D1CB30A206078FCB28CF68C5806FAB7F1FF68710B644659D6669B695C770ADF2CB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: 4c883e312120c05bbad3f9b24658024831fe4aac0b94c4635baaa46ad1697851
                          • Instruction ID: 407ab893897d8cf721cc22000293a58eed9f1a3ce560bc06ea433f3f5e6bcbc2
                          • Opcode Fuzzy Hash: 4c883e312120c05bbad3f9b24658024831fe4aac0b94c4635baaa46ad1697851
                          • Instruction Fuzzy Hash: F1C1AE3092060B8ECB24CFA8C5C46FABBF1EF25314B244B1AD45697691C7B1ADE5CF91
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00228D8D
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$InfoLocale
                          • String ID:
                          • API String ID: 3736152602-0
                          • Opcode ID: 8a76b662b953b177cc689f460394e22cc71048077bcbadc422f1acca7fd0beec
                          • Instruction ID: b0fa8dfc0f21547e3cae92600164adb9dea4861c8e1131748f56af292a0456e6
                          • Opcode Fuzzy Hash: 8a76b662b953b177cc689f460394e22cc71048077bcbadc422f1acca7fd0beec
                          • Instruction Fuzzy Hash: 5821B632522217BBDB289F64EC91ABA73A8EF24304F10007AFD01D6181EF34ED649B54
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: ab5050ff386c780b00cd7cf44a5e6366ec44392e220811e09ce6b24aa419e434
                          • Instruction ID: dda164fc48cf281d3333f1ab53cdc10a853cdaaddea98d7b9c1abfdf59cd4791
                          • Opcode Fuzzy Hash: ab5050ff386c780b00cd7cf44a5e6366ec44392e220811e09ce6b24aa419e434
                          • Instruction Fuzzy Hash: 7EB1D430A2060B9ACB34DF68C581AFEB7F1EF68300F104519DA56D7A90DA71ADF6CB51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: 65ee1d2e4bb6c4958f559fdd2a58d00339a99df3a8e4e9fcb2a84a44d681176a
                          • Instruction ID: e5c19b69a798033ad7e88556b2baa353c20d3fb161ad52d09ad37536a3a9afce
                          • Opcode Fuzzy Hash: 65ee1d2e4bb6c4958f559fdd2a58d00339a99df3a8e4e9fcb2a84a44d681176a
                          • Instruction Fuzzy Hash: 82B1077092470B8BDB24CF68C5E56FEB7E0AF24714F14061EE59297692C7B09EE1CB90
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • EnumSystemLocalesW.KERNEL32(00228AE6,00000001,00000000,?,-00000050,?,0022911A,00000000,?,?,?,00000055,?), ref: 00228A32
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: fbbcdbfebd55c258d3203b5f7df156af35e353089a779ffdafa2248fdc35fcad
                          • Instruction ID: 81998d0d461a2d829973ae9d5fb4eace3bae76f10ecbdb9ae92fa4bb3b137e93
                          • Opcode Fuzzy Hash: fbbcdbfebd55c258d3203b5f7df156af35e353089a779ffdafa2248fdc35fcad
                          • Instruction Fuzzy Hash: C9112937210301AFDB189F78D8915BAB7D2FF84358B14442DE94647740EB71B952CB40
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00228D02,00000000,00000000,?), ref: 00228F94
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$InfoLocale
                          • String ID:
                          • API String ID: 3736152602-0
                          • Opcode ID: 6af238194e5876b5e422970ec45340e5a43990d69e9f90f279a3f75431c2c411
                          • Instruction ID: 69306254fcc82edc934753f6eb920c19ed441e55a184e79475d96638feb48d07
                          • Opcode Fuzzy Hash: 6af238194e5876b5e422970ec45340e5a43990d69e9f90f279a3f75431c2c411
                          • Instruction Fuzzy Hash: 2A012632621122BFDB185AA0ED05ABB3799EB40355F054429FD06A3580FE70FD61C690
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • EnumSystemLocalesW.KERNEL32(00228D39,00000001,00000000,?,-00000050,?,002290E2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00228AA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: abfbbaa86ab9ed9de78276cc8eaceb5fd1619aa4d7de837d1da56ff49681f487
                          • Instruction ID: 951a551986add3850ecbda99bb857d2f9c0d8ca18785d484d887d94b78a64666
                          • Opcode Fuzzy Hash: abfbbaa86ab9ed9de78276cc8eaceb5fd1619aa4d7de837d1da56ff49681f487
                          • Instruction Fuzzy Hash: 1BF0F6362113157FDB249FB5F891A7A7BD1EF81368B05842EF9054B680CE71EC52CB50
                          APIs
                            • Part of subcall function 0021BBE1: EnterCriticalSection.KERNEL32(-0025D0E8,?,0021D12A,00000001,002504F8,0000000C,0021D3F5,0025BF40), ref: 0021BBF0
                          • EnumSystemLocalesW.KERNEL32(00221634,00000001,00250678,0000000C,00221A4C,00000000), ref: 00221679
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          • Opcode ID: a285f95a4865329edec7d7ce3d759059b64b3ae3e4084b3abf6898241eb688fe
                          • Instruction ID: 99e41347e596e0f7bfe69c384c1345a938aa83a92c5fca7d2d83d30570e548d0
                          • Opcode Fuzzy Hash: a285f95a4865329edec7d7ce3d759059b64b3ae3e4084b3abf6898241eb688fe
                          • Instruction Fuzzy Hash: E9F04972A60304EFD710EF98F846B9DB7F0EB55721F10815AF815DB2A1CB7559218F84
                          APIs
                            • Part of subcall function 0021FB20: GetLastError.KERNEL32(0025BF50,0025BF40,00227F16,00250818,0000000C,0021FECD,0025BF4C,?,00211E8D,00000000,0025BF4C,?,00000000,0025BF40), ref: 0021FB24
                            • Part of subcall function 0021FB20: SetLastError.KERNEL32(00000000,00253FD0,?,?,?,00000000,?,0025BF40,0025BF40,00000000), ref: 0021FBC6
                          • EnumSystemLocalesW.KERNEL32(002288CE,00000001,00000000,?,?,0022913C,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 002289AC
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: 3c501e8cb1c5685e9d8f3c7d38eea0ba5b49d0cf0cbb28ac6c9edfcb88a63059
                          • Instruction ID: 65650c8eeb3f259766bf191706facb4b10cdbcb3dac1af1de73abf735fc36f62
                          • Opcode Fuzzy Hash: 3c501e8cb1c5685e9d8f3c7d38eea0ba5b49d0cf0cbb28ac6c9edfcb88a63059
                          • Instruction Fuzzy Hash: B4F0E53630021667CB14AF75E85567ABF94EFC1754B4A4068FA098B250CA71E992C790
                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0021F229,?,20001004,00000000,00000002,?,?,0021E81B), ref: 00221B84
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoLocale
                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,0020591F,?,?,?,?,001D303E), ref: 002077FF
                          Similarity
                          • API ID: Time$FileSystem
                          Similarity
                          • API ID: ErrorLast
                          APIs
                          • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 001E7A54
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,00000000,?), ref: 001E7A62
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000,00000000,00000004,00000000,?), ref: 001E7AC3
                          • GdipCreatePath.GDIPLUS(00000000,00000000,?,?,00000000,00000000,00000000,00000004,00000000,?), ref: 001E7AF0
                          • GdipStartPathFigure.GDIPLUS(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000004,00000000,?), ref: 001E7AFB
                          • GdipAddPathLineI.GDIPLUS(00000000,?,?,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000004,00000000,?), ref: 001E7B1F
                          • GdipAddPathLineI.GDIPLUS(00000000,?,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 001E7B48
                          • GdipAddPathLineI.GDIPLUS(00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 001E7B75
                          • GdipAddPathLineI.GDIPLUS(00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 001E7B8F
                          • GdipAddPathLineI.GDIPLUS(00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 001E7BAB
                          • GdipSetPenLineJoin.GDIPLUS(00000000,00000002,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,?,?), ref: 001E7BC0
                          • GdipDrawPath.GDIPLUS(?,00000000,00000000,00000000,00000002,00000000,?,?,?,?,00000000,?,?,?,?,00000000), ref: 001E7BDA
                          • GdipDeletePath.GDIPLUS(00000000,?,00000000,00000000,00000000,00000002,00000000,?,?,?,?,00000000,?,?,?,?), ref: 001E7BE2
                          • GdipDeletePen.GDIPLUS(00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,?,?,?,00000000,?,?,?), ref: 001E7BEA
                          • GdipDeleteGraphics.GDIPLUS(?,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,?,?,?,00000000,?,?), ref: 001E7BF0
                          • GdipCreateFromHDC.GDIPLUS(?,?), ref: 001E7C4F
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,?,?), ref: 001E7C5A
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E7CBB
                          • GdipCreatePath.GDIPLUS(00000000,?,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E7CD0
                          • GdipStartPathFigure.GDIPLUS(00000000,00000000,?,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E7CDB
                          • GdipSetPenLineJoin.GDIPLUS(00000000,00000002,00000000,00000000,?,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E7CF0
                          • GdipAddPathLineI.GDIPLUS(00000000,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00000000,00000000,00000000,00000004), ref: 001E7D13
                          • GdipClosePathFigure.GDIPLUS(00000000,00000000,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 001E7D26
                          • GdipStartPathFigure.GDIPLUS(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00000000,00000000), ref: 001E7D39
                          Similarity
                          • API ID: Gdip$Path$Line$Create$Figure$DeleteStart$FromJoinModePen1Smoothing$CloseDrawGraphics
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 001CF00A
                          • LoadCursorW.USER32(00000000,00007F03), ref: 001CF016
                          • GetStockObject.GDI32(00000004), ref: 001CF021
                          • RegisterClassW.USER32(00000000), ref: 001CF034
                          • GetLastError.KERNEL32 ref: 001CF045
                          • GetModuleHandleW.KERNEL32(00000000), ref: 001CF06A
                          • GetClassInfoW.USER32(00000000,?,?), ref: 001CF075
                          • CreateWindowExW.USER32(00080088,?,00000000,80000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001CF0F9
                          • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001CF115
                          • DestroyWindow.USER32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 001CF11C
                          • SetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 001CF123
                          • DestroyWindow.USER32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 001CF135
                          • ShowWindow.USER32(Function_0000EE20,00000005,?,?,00000000,00000000,00000000,00000000), ref: 001CF15E
                          • SetForegroundWindow.USER32(Function_0000EE20), ref: 001CF166
                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000002,?,?,00000000,00000000,00000000,00000000), ref: 001CF177
                          • ShowWindow.USER32(Function_0000EE20,00000005,?,?,00000000,00000000,00000000,00000000), ref: 001CF181
                          • SetForegroundWindow.USER32(Function_0000EE20), ref: 001CF189
                          • GetClipCursor.USER32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 001CF193
                          • ClipCursor.USER32(?,?,?,00000000,00000000,00000000,00000000), ref: 001CF19D
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001CF1B7
                          • TranslateMessage.USER32(?), ref: 001CF1C7
                          • DispatchMessageW.USER32(?), ref: 001CF1CD
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001CF1E9
                          Similarity
                          • API ID: Window$Message$CursorErrorLast$ClassClipDestroyForegroundHandleModuleShow$AttributesCreateDispatchInfoLayeredLoadObjectRegisterStockTranslate
                          • String ID: D:\a\1\s\SelectRectangle.cpp
                          APIs
                          • GetKeyState.USER32(00000009), ref: 001EE828
                          • GdipCreateFromHDC.GDIPLUS(?), ref: 001EE84E
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,?), ref: 001EE85C
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000), ref: 001EE8B2
                          • GdipCreatePath.GDIPLUS(00000000,?,?,?,00000000,00000000), ref: 001EE8D0
                          • GdipDrawPath.GDIPLUS(00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EE920
                          • GdipDeletePath.GDIPLUS(?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EE92B
                          • GdipDeletePen.GDIPLUS(00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000), ref: 001EE936
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?), ref: 001EE93C
                          • GdipSetPenLineJoin.GDIPLUS(00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EE8E3
                            • Part of subcall function 001E4BE0: GdipAddPathLineI.GDIPLUS(?,?,?,?,?), ref: 001E4BF4
                          • SetRect.USER32(0025C564), ref: 001EE9C2
                          • SetROP2.GDI32(0000000D), ref: 001EE9D7
                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,40CC0020), ref: 001EEA2C
                          • DeleteObject.GDI32 ref: 001EEA3F
                          • CreatePen.GDI32(00000000,000000FF), ref: 001EEA58
                          • SelectObject.GDI32(00000000), ref: 001EEA6A
                          • SetRect.USER32(0025C564,00000000,?,00000000), ref: 001EEAC3
                          • GdipCreateFromHDC.GDIPLUS(00000000), ref: 001EEB0C
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,00000000), ref: 001EEB1A
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000), ref: 001EEB70
                          • GdipCreatePath.GDIPLUS(00000000,?,?,?,00000000,00000000), ref: 001EEB8E
                          • GdipSetPenLineJoin.GDIPLUS(00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EEBA1
                          • GdipDrawPath.GDIPLUS(00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EEBDE
                          • GdipDeletePath.GDIPLUS(?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EEBE9
                          • GdipDeletePen.GDIPLUS(00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?,?,00000000), ref: 001EEBF4
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000,?,?), ref: 001EEBFA
                          • InvalidateRect.USER32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,00000000,00000002,00000000), ref: 001EEC09
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$CreateDeletePath$LineRect$DrawFromGraphicsJoinModeObjectPen1Smoothing$InvalidateSelectState
                          • String ID:
                          • API String ID: 3826590989-0
                          • Opcode ID: ccb0c59fdbc5eacffaf95ee7969e518d291901bf0c0524f635ff711c7c7ab2b6
                          • Instruction ID: fe4e721b44ae22b3db0af42882936dbe97e3f84effd7846aae99b0d7d367a45c
                          • Opcode Fuzzy Hash: ccb0c59fdbc5eacffaf95ee7969e518d291901bf0c0524f635ff711c7c7ab2b6
                          • Instruction Fuzzy Hash: 63C1F370914348AFEB22AF60FC09B697BB4FB54306F50418AF508B21A2F77579A0DF09
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 001CE4C3
                          • PrintDlgW.COMDLG32(00000042), ref: 001CE4DA
                          • LoadCursorW.USER32(00000000,00007F02), ref: 001CE4FC
                          • SetCursor.USER32(00000000,?,?,?), ref: 001CE503
                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 001CE517
                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 001CE521
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 001CE52A
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001CE533
                          • SetMapMode.GDI32(00000000,00000001), ref: 001CE556
                          • InflateRect.USER32(?,FFFFFA60,FFFFFA60), ref: 001CE5A6
                          • StartDocW.GDI32(00000000,?), ref: 001CE5D8
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001CE5EE
                          • StartPage.GDI32(00000000), ref: 001CE5F6
                          • SendMessageW.USER32(?,00000439,00000001,?), ref: 001CE608
                          • EndPage.GDI32(00000000), ref: 001CE60F
                          • StartPage.GDI32(00000000), ref: 001CE62D
                          • SendMessageW.USER32(?,00000439,00000001,?), ref: 001CE63F
                          • EndPage.GDI32(00000000), ref: 001CE646
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CapsDevicePage$MessageSendStart$Cursor$HandleInflateLoadModeModulePrintRect
                          • String ID: B
                          • API String ID: 971824570-1255198513
                          • Opcode ID: 896a99345edd709d7d7d2dc046d5c8e1d3486be818bc69edcdebc7098910736c
                          • Instruction ID: 548f2046d34084c14c0670fb05a9e3f50876cf5298dd148ff72d796b7ba9d849
                          • Opcode Fuzzy Hash: 896a99345edd709d7d7d2dc046d5c8e1d3486be818bc69edcdebc7098910736c
                          • Instruction Fuzzy Hash: A7512671E0021CABDF20AFA5ED49B9DBBB5FF48310F2052A9F605B7291DB746A448F50
                          APIs
                          • GdipAlloc.GDIPLUS(00000010,FE025AF7), ref: 001E7F08
                          • GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E7F39
                          • GdipGetImageGraphicsContext.GDIPLUS(?,00000000,?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E7F51
                          • GdipDeleteGraphics.GDIPLUS(00000000,?,00000000,?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E7F59
                          • GdipGetImageGraphicsContext.GDIPLUS(?,00000000,00000000,?,00000000,?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E7F6F
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000010,FE025AF7), ref: 001E7F85
                          • GdipDrawLineI.GDIPLUS(00000000,?,?,?,?,?,00000000,00000010,FE025AF7), ref: 001E7FCB
                          • GdipFillEllipseI.GDIPLUS(00000000,00000000,00000000,00000000,?,?,00000000,00000010,FE025AF7), ref: 001E7FE8
                          • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 001E8070
                          • CreateCompatibleDC.GDI32(?), ref: 001E807C
                          • SelectObject.GDI32(00000000,?), ref: 001E8089
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 001E80A6
                          • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 001E81F1
                          • DeleteObject.GDI32(?), ref: 001E81FA
                          • DeleteDC.GDI32(?), ref: 001E8207
                          • SelectObject.GDI32(?,?), ref: 001E8216
                          • DeleteObject.GDI32(?), ref: 001E821F
                          • DeleteDC.GDI32(?), ref: 001E8226
                          • GdipDeleteGraphics.GDIPLUS(?), ref: 001E822B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Delete$Graphics$Object$Create$ContextImageSelect$AllocBitmapCompatibleDrawEllipseFillFromLineScan0Section
                          • String ID: (
                          • API String ID: 2929231942-3887548279
                          • Opcode ID: c61452355a9f8ab84d3ee472e464afc46a3db7383cb94282867cee7d6f57efb9
                          • Instruction ID: e8e5a3e43d4005bef6e80544304c8a85ccadc2ba60d276a39a0610c0dde6657c
                          • Opcode Fuzzy Hash: c61452355a9f8ab84d3ee472e464afc46a3db7383cb94282867cee7d6f57efb9
                          • Instruction Fuzzy Hash: 1EE1F3B1E002589FDF14DFA9CD84B9DBBB5FF48300F24816AE909AB251EB31A955CF50
                          APIs
                          • GetDlgItem.USER32(00000426), ref: 001F1687
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001F169B
                          • GetDlgItem.USER32(00000426,0000014E), ref: 001F175E
                          • SendMessageW.USER32(00000000), ref: 001F1765
                          • GetFileAttributesW.KERNEL32(0025BAC0), ref: 001F176C
                          • GetDlgItem.USER32(0000042F,00000406), ref: 001F17BA
                          • SendMessageW.USER32(00000000), ref: 001F17C1
                          • GetDlgItem.USER32(0000042F), ref: 001F17D4
                          • SendMessageW.USER32(00000000,00000405,00000001,00000037), ref: 001F17E3
                          • GetParent.USER32(?), ref: 001F1808
                          • UnregisterHotKey.USER32(00000000,00000000), ref: 001F1819
                          • UnregisterHotKey.USER32(00000000,00000003), ref: 001F181E
                          • UnregisterHotKey.USER32(00000000,00000001), ref: 001F1823
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ItemMessageSend$Unregister$AttributesFileParent
                          • String ID: 0
                          • API String ID: 4126499568-4108050209
                          • Opcode ID: 4c678b51fa78160cf40a30332be0f95c4f7f73f46c04ae3612eab1c64a4680a0
                          • Instruction ID: 59ccf2fd6e851ca2a2fb6228b544d4fe627c0e4544cc5412faf539a592d54f7c
                          • Opcode Fuzzy Hash: 4c678b51fa78160cf40a30332be0f95c4f7f73f46c04ae3612eab1c64a4680a0
                          • Instruction Fuzzy Hash: 7731B231B40318BBE721AB60AC4EF7E3F75EB46B61F108096F709AA1D0CBB429519F55
                          APIs
                          • GdipCreateFromHDC.GDIPLUS(?,?), ref: 001E74CB
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,?,?), ref: 001E74D7
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E753A
                          • GdipSetPenLineCap197819.GDIPLUS(?,00000002,00000002,00000002,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E754D
                          • GdipCreatePath.GDIPLUS(00000000,00000000,?,00000002,00000002,00000002,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E756E
                          • GdipStartPathFigure.GDIPLUS(00000000,00000000,00000000,?,00000002,00000002,00000002,?,?,00000000,00000000,00000000,00000004,?,?), ref: 001E757B
                          • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,00000000,00000000,00000000,?,00000002,00000002,00000002,?,?,00000000,00000000), ref: 001E759B
                          • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00000002,00000002), ref: 001E75BD
                          • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001E75E3
                          • GdipAddPathLineI.GDIPLUS(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001E7605
                          • GdipAddPathLineI.GDIPLUS(?,?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 001E7624
                          • GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,?,?,?), ref: 001E7647
                          • GdipSetPenLineJoin.GDIPLUS(?,00000002,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,?), ref: 001E765F
                          • GdipDrawPath.GDIPLUS(00000000,?,00000000,?,00000002,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001E767A
                          • GdipDeletePath.GDIPLUS(00000000,00000000,?,00000000,?,00000002,?,?,?,?,?,?,?,?,00000000,?), ref: 001E7683
                          • GdipDeletePen.GDIPLUS(00000000,00000000,00000000,?,00000000,?,00000002,?,?,?,?,?,?,?,?,00000000), ref: 001E768C
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000000,00000000,00000000,?,00000000,?,00000002,?,?,?,?,?,?,?,?), ref: 001E7692
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Path$Line$CreateDelete$Cap197819DrawFigureFromGraphicsJoinModePen1SmoothingStart
                          • String ID:
                          • API String ID: 463050347-0
                          • Opcode ID: 6180505cf9d9525c0d8de28b1676f90e2a6fab6a5a9d4e1fcc8742d9db5779eb
                          • Instruction ID: 96592604485586855907607705986a9485945fd30a552ac99fd16061f87a8c37
                          • Opcode Fuzzy Hash: 6180505cf9d9525c0d8de28b1676f90e2a6fab6a5a9d4e1fcc8742d9db5779eb
                          • Instruction Fuzzy Hash: 89B19E706283409FD716EF35C841A6EBBE5FFD9384F408B2EF886A2261E730D9518B41
                          APIs
                          • SetWindowLongW.USER32(?,000000EB,?), ref: 001CEE36
                          • GetWindowLongW.USER32(?,000000EB), ref: 001CEE4A
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: LongWindow
                          • String ID:
                          • API String ID: 1378638983-0
                          • Opcode ID: 3542003fa3e08fa0f128b8084b12664eb20d55635b67bb84583a30f1eb3d421a
                          • Instruction ID: d5675337fe527deb4ba0d76c4d1377ee47f950196dc8225b18e13253084d0450
                          • Opcode Fuzzy Hash: 3542003fa3e08fa0f128b8084b12664eb20d55635b67bb84583a30f1eb3d421a
                          • Instruction Fuzzy Hash: 6D819C71804258AFDB25AFA4EC48FBE7BB9FB14300F14057EFA1292262D735E945CB50
                          APIs
                          • GdipCreateFromHDC.GDIPLUS(?), ref: 001EEDF0
                          • GdipSetSmoothingMode.GDIPLUS(00000000,00000004,?), ref: 001EEE04
                          • GdipCreatePen1.GDIPLUS(?,?,00000000,00000000), ref: 001EEE5A
                          • GdipCreatePath.GDIPLUS(00000000,?,?,?,00000000,00000000), ref: 001EEE78
                          • GdipSetPenLineJoin.GDIPLUS(00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EEE8B
                          • GdipDrawPath.GDIPLUS(?,00000000,?,?,?,00000000,00000002,00000000,?,?,?,00000000,00000000), ref: 001EEED4
                          • GdipDeletePath.GDIPLUS(?), ref: 001EEF68
                          • GdipDeletePen.GDIPLUS(?,?), ref: 001EEF73
                          • GdipDeleteGraphics.GDIPLUS(?,?,?), ref: 001EEF7E
                          • SetROP2.GDI32(0000000A), ref: 001EEFB4
                          • GetStockObject.GDI32(00000005), ref: 001EEFD3
                          • SelectObject.GDI32(00000000), ref: 001EEFE6
                          • SetROP2.GDI32(0000000D), ref: 001EEFFA
                          • InvalidateRect.USER32(?,00000000,00000000), ref: 001EF0C2
                          • DeleteObject.GDI32(?), ref: 001EF0CE
                          • SelectObject.GDI32(?), ref: 001EF0E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$DeleteObject$CreatePath$Select$DrawFromGraphicsInvalidateJoinLineModePen1RectSmoothingStock
                          • String ID: gfff$gfff
                          • API String ID: 1352868750-3084402119
                          • Opcode ID: 8f328cc0af7b2ed196afde2a949bcc56c084330e7a09863a096ebb2235ae8a7a
                          • Instruction ID: 5f67b222206f8294d6b343b32fd4d768b870b14ce580f796cf57140bb3f0e412
                          • Opcode Fuzzy Hash: 8f328cc0af7b2ed196afde2a949bcc56c084330e7a09863a096ebb2235ae8a7a
                          • Instruction Fuzzy Hash: 6291AC71914318AFDB61AFA5FC09B587BB1FB54302F6041A9F508A62A2F73179A0DF48
                          APIs
                          • FormatMessageW.KERNEL32(00001200,00000000,?,00000400,?,00000100,00000000,FE025AF7,?,00000000), ref: 001C6095
                          • GetCurrentThreadId.KERNEL32 ref: 001C6104
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentFormatMessageThread
                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $,I#$CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
                          • API String ID: 2411632146-2496393309
                          • Opcode ID: c8afdee8c5d39d1eff064cf956b699ed53c52b3d1971a22b6b9cb0c609f27f63
                          • Instruction ID: addd9e2b64f0b86f3a1518e9b23fc123a4abfc107bdba1d9a5fb9b0978554f2a
                          • Opcode Fuzzy Hash: c8afdee8c5d39d1eff064cf956b699ed53c52b3d1971a22b6b9cb0c609f27f63
                          • Instruction Fuzzy Hash: D161E4B4A50705ABDB24AB64CC49F7BB7B8EFA5705F04099DF80693682E770F950CB60
                          APIs
                          • CreateCompatibleBitmap.GDI32(?,?), ref: 001ECC59
                          • CreateCompatibleDC.GDI32 ref: 001ECC6B
                          • SelectObject.GDI32(00000000,?), ref: 001ECC7E
                          • SetStretchBltMode.GDI32(?,00000003), ref: 001ECC8C
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00000000,40CC0020), ref: 001ECCE4
                          • _wcsrchr.LIBVCRUNTIME ref: 001ECD10
                          • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 001ECD63
                          • GdipGetImageEncodersSize.GDIPLUS(00000000,?,?,00000000,?), ref: 001ECD8A
                          • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 001ECDC1
                          • GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 001ECE57
                          • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 001ECE60
                          • GdipDisposeImage.GDIPLUS(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 001ECE67
                          • DeleteDC.GDI32(?), ref: 001ECE72
                          • SetCursorPos.USER32(?,?), ref: 001ECE90
                          • ClipCursor.USER32(?), ref: 001ECE9D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Image$Create$BitmapCompatibleCursorEncodersStretch$ClipDeleteDisposeErrorFileFromLastModeObjectSaveSelectSize_wcsrchr
                          • String ID: .png$image/png
                          • API String ID: 2000974223-3310276845
                          • Opcode ID: 918ec5a8b705f1ebd6d60264cf1b728e9080cb8576cbeb5161f52ff884a168f5
                          • Instruction ID: cae8740a602999f402a65c2abb299f6735561182f640c89fdb4f9a8465e4293d
                          • Opcode Fuzzy Hash: 918ec5a8b705f1ebd6d60264cf1b728e9080cb8576cbeb5161f52ff884a168f5
                          • Instruction Fuzzy Hash: AA71D171C08B589FCB229B61ED05BEABB74FF14305F1041D5E90DA6161E7367A91CF80
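The function above is the one worth pulling out of this long listing: it copies a screen region into a compatible bitmap with StretchBlt (raster op 40CC0020, i.e. SRCCOPY with the CAPTUREBLT flag set so that layered windows are included), wraps the HBITMAP in a GDI+ image, looks up the "image/png" encoder and writes the result to a file. The following script is an added triage example, not part of the Joe Sandbox report or of the analysed sample's code: it parses "APIs" bullet lines in the exact text form used on this page and tags each function with a coarse capability, so that a capture-and-encode chain like this one can be separated from the many GDI+ drawing routines that share the same Gdip* prefixes. The capability names, the rule sets and the abridged sample input (constructed from the report lines above) are the author's own assumptions; the raster-op constants are the documented GDI values.

```python
"""Capability triage over Joe Sandbox per-function API listings (added example)."""
import re

# Constructed sample input: bullets copied (abridged) from three function
# entries of the report, so the script runs offline.
SAMPLE_REPORT = """\
APIs
• CreateCompatibleBitmap.GDI32(?,?), ref: 001ECC59
• CreateCompatibleDC.GDI32 ref: 001ECC6B
• SelectObject.GDI32(00000000,?), ref: 001ECC7E
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00000000,40CC0020), ref: 001ECCE4
• GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 001ECD63
• GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 001ECDC1
• GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 001ECE57
• SetCursorPos.USER32(?,?), ref: 001ECE90
• ClipCursor.USER32(?), ref: 001ECE9D
Strings
APIs
• GdipCreateFromHDC.GDIPLUS(?), ref: 001EEDF0
• GdipDrawPath.GDIPLUS(?,00000000,?,?,?,00000000,00000002,00000000), ref: 001EEED4
• GdipDeleteGraphics.GDIPLUS(?,?,?), ref: 001EEF7E
APIs
• GetDlgItem.USER32(00000426), ref: 001F1687
• UnregisterHotKey.USER32(00000000,00000000), ref: 001F1819
"""

# One bullet: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_@]*)\.([A-Z0-9_]+)"
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$"
)

SRCCOPY = 0x00CC0020     # documented GDI raster op: copy source as-is
CAPTUREBLT = 0x40000000  # documented flag: include layered windows in the copy

# Assumed rule sets: a capability fires when every role has at least one hit.
CAPABILITY_RULES = {
    "screen capture to image file": [
        {"BitBlt", "StretchBlt", "CreateCompatibleBitmap", "CreateDIBSection"},
        {"GdipCreateBitmapFromHBITMAP", "GdipGetImageEncoders",
         "GdipSaveImageToFile", "GdipSaveImageToStream"},
    ],
    "global hotkey handling": [{"RegisterHotKey", "UnregisterHotKey"}],
    "cursor confinement": [{"ClipCursor"}],
}


def decode_rop(arg: str) -> list[str]:
    """Name the raster-op flags in the last argument of BitBlt/StretchBlt."""
    try:
        rop = int(arg, 16)
    except ValueError:
        return []
    names = []
    if rop & 0x00FFFFFF == SRCCOPY:
        names.append("SRCCOPY")
    if rop & CAPTUREBLT:
        names.append("CAPTUREBLT")
    return names


def parse_functions(report_text: str) -> list[dict]:
    """Split the listing at each 'APIs' header and collect the bullets below it."""
    functions, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"entry": None, "apis": [], "rops": []}
            functions.append(current)
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            current = None  # end of the API bullets for this function
            continue
        m = API_RE.match(line) if current is not None else None
        if not m:
            continue
        name, module, args, ref = m.groups()
        current["apis"].append(f"{name}.{module}")
        # Lowest call-site address stands in for the function identity.
        if current["entry"] is None or int(ref, 16) < int(current["entry"], 16):
            current["entry"] = ref
        if name in ("BitBlt", "StretchBlt") and args:
            current["rops"].extend(decode_rop(args.split(",")[-1].strip()))
    return [f for f in functions if f["apis"]]


def classify(apis: list[str]) -> list[str]:
    """Return every capability whose roles are all covered by the API names."""
    names = {a.split(".")[0] for a in apis}
    return [cap for cap, roles in CAPABILITY_RULES.items()
            if all(names & role for role in roles)]


def triage(report_text: str) -> list[dict]:
    """Parse and classify; the result is what an analyst would review."""
    results = []
    for fn in parse_functions(report_text):
        results.append({"entry": fn["entry"], "capabilities": classify(fn["apis"]),
                        "rops": fn["rops"], "api_count": len(fn["apis"])})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(r["entry"], r["api_count"], ", ".join(r["capabilities"]) or "-", r["rops"])
```

Run on the three sample entries, the script tags only the first one as a capture-to-file routine (with CAPTUREBLT decoded from the raster op) and the third as hotkey handling; the pure GDI+ drawing routine gets no tag even though it also calls Gdip* functions, which is the distinction the rule sets are meant to make.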
                          APIs
                          • CreateEventExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3E97
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3EAE
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3EC0
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3EC8
                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3ED9
                          • CreateEventExW.KERNEL32(00000000,00000000,00000001,001F0003,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3EEC
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3EF9
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F05
                          • CloseHandle.KERNEL32(001F0003,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F0D
                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F1E
                          • CreateEventExW.KERNEL32(00000000,00000000,00000001,001F0003,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F31
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F3E
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F4A
                          • CloseHandle.KERNEL32(001F0003,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F51
                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0022F35F,000000FF), ref: 001C3F5C
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001C3F8E, 001C3FA1, 001C3FB4
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\result_macros.h, xrefs: 001C3F7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CloseCreateEventHandle
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\result_macros.h
                          • API String ID: 1050354699-685488538
                          • Opcode ID: 984151a89626e168f7042a9c14c968473be2a7f8d79eb1ba3bbdafedd27079db
                          • Instruction ID: 190ed75b4b4b8558eee90ec1336fae4cb314441c2bff0482036677ff05ee109e
                          • Opcode Fuzzy Hash: 984151a89626e168f7042a9c14c968473be2a7f8d79eb1ba3bbdafedd27079db
                          • Instruction Fuzzy Hash: 6F515AB0A0070AABEB10DFA5DD5AB5ABBF8BF14700F004519E514E7280DBB5EA50CBE1
                          APIs
                          • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 001C9602
                          • CloseHandle.KERNEL32(?), ref: 001C964F
                          • SetLastError.KERNEL32(?), ref: 001C965C
                          • CloseHandle.KERNEL32(00000000), ref: 001C9681
                          • SetLastError.KERNEL32(?), ref: 001C968E
                          • GetLastError.KERNEL32 ref: 001C969F
                          • ReleaseMutex.KERNEL32(00000000), ref: 001C96A9
                          • SetLastError.KERNEL32(00000000), ref: 001C96BA
                          • CloseHandle.KERNEL32(00000000), ref: 001C96D0
                          • CloseHandle.KERNEL32(00000000), ref: 001C96E2
                          • CloseHandle.KERNEL32(?), ref: 001C96F4
                          • GetProcessHeap.KERNEL32(00000000), ref: 001C9701
                          • HeapFree.KERNEL32(00000000), ref: 001C9708
                          • ReleaseMutex.KERNEL32(00000000), ref: 001C971A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ErrorLast$HeapMutexRelease$FreeObjectProcessSingleWait
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h
                          • API String ID: 2004680502-2419448822
                          • Opcode ID: 0bbabe4db4397a813071ed9b3da25cd45fec3b2508991c4522f5b372c7045713
                          • Instruction ID: b79d5e3853111b64e5b64ae50f6141fddc3591428843f269d3e2b0159d95b4be
                          • Opcode Fuzzy Hash: 0bbabe4db4397a813071ed9b3da25cd45fec3b2508991c4522f5b372c7045713
                          • Instruction Fuzzy Hash: 3291E531A40719ABDB24AF69DC49F9AB7ACAF71720F00412DF959D7281DB70ED40CBA0
                          APIs
                          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,FE025AF7), ref: 001C37DF
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001C37E5
                          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage), ref: 001C3819
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001C381F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                          • API String ID: 2574300362-2454113998
                          • Opcode ID: 9ac5d66d8c09da9518d8d6b2478ef93eab55d92d35a482d16f7dd1781f9215e7
                          • Instruction ID: be2a168a4315f213cfd4f6e326d734914ea84a8c26fffaf4229aec634a89a106
                          • Opcode Fuzzy Hash: 9ac5d66d8c09da9518d8d6b2478ef93eab55d92d35a482d16f7dd1781f9215e7
                          • Instruction Fuzzy Hash: 0B717D71A00219AFDF25EFA8D891FAEB7B4EF68714F14412DE811E7290DB70DA50CB50
                          APIs
                          • AcquireSRWLockExclusive.KERNEL32(00000000,?,?), ref: 001CB296
                          • WaitForSingleObjectEx.KERNEL32(00000000,00000000,00000000,?,?), ref: 001CB2AD
                          • WaitForSingleObjectEx.KERNEL32(?,00000000,00000000,?,?), ref: 001CB2C7
                          • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?), ref: 001CB2E4
                          • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?), ref: 001CB379
                          • ReleaseSRWLockExclusive.KERNEL32(00000000,?,?), ref: 001CB38E
                          • ResetEvent.KERNEL32(00000000,?,?), ref: 001CB397
                          • WaitForMultipleObjectsEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,?), ref: 001CB42D
                          Strings
                          • Must initialize audio sample generator before use!, xrefs: 001CB538
                          • Must start audio sample generator before calling this method!, xrefs: 001CB56C
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001CB5A3, 001CB5B6
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExclusiveLock$ReleaseWait$ObjectSingle$AcquireEventMultipleObjectsReset
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$Must initialize audio sample generator before use!$Must start audio sample generator before calling this method!
                          • API String ID: 1842578734-102911022
                          • Opcode ID: 42002184cdd849535c3e02dc3b052cf80ae4d25242a27f3bde4de194dca4b1a4
                          • Instruction ID: d01da4bfa8f37229a23bdf0de35024c0d94fa5783e4aa8868016062a025ed421
                          • Opcode Fuzzy Hash: 42002184cdd849535c3e02dc3b052cf80ae4d25242a27f3bde4de194dca4b1a4
                          • Instruction Fuzzy Hash: 5BB1E371A046049FCB28DF68D886FAEB7F5EFA9310F04866DE856D7691DB70E900CB50
                          APIs
                          • CreateSemaphoreExW.KERNEL32(00000000,?,00000001,?,00000000,001F0003,?,00000104,_p0,00000000,00000000,?), ref: 001C58D0
                          • GetLastError.KERNEL32 ref: 001C5938
                          • GetLastError.KERNEL32 ref: 001C5946
                          • CloseHandle.KERNEL32(?), ref: 001C5954
                          • SetLastError.KERNEL32(?), ref: 001C5968
                          • CreateSemaphoreExW.KERNEL32(00000000,?,00000001,?,00000000,001F0003,?,00000104,0023478C), ref: 001C59BA
                          • GetLastError.KERNEL32 ref: 001C5A01
                          • GetLastError.KERNEL32 ref: 001C5A0A
                          • CloseHandle.KERNEL32(?), ref: 001C5A0F
                          • SetLastError.KERNEL32(00000000), ref: 001C5A1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLast$CloseCreateHandleSemaphore
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$_p0$wil
                          • API String ID: 2276426104-4230274945
                          • Opcode ID: 8e5fe38f5c73997f713f653603c4607e7ca8b7ec475bb61b529cf8396c67d5cb
                          • Instruction ID: 64a0318c4d9bc6d7a6adbe64145c8ab9be13164e2dbe0884add50403c809144b
                          • Opcode Fuzzy Hash: 8e5fe38f5c73997f713f653603c4607e7ca8b7ec475bb61b529cf8396c67d5cb
                          • Instruction Fuzzy Hash: 2651FA71B006199BDB24EF75DC89FAA77A8EF24750F0041ADF909D7281DB70ED908BA0
                          APIs
                          • SetLayeredWindowAttributes.USER32(?,00000000,000000BF,00000002,?,00000000,?,?,?,?,?,?,?,?,001CF55F), ref: 001CEE98
                          • GetWindowLongW.USER32(?,000000EC), ref: 001CEEA3
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001CEEB2
                          • EnableWindow.USER32(?,00000000), ref: 001CEEBD
                          • OffsetRect.USER32(?,00000000,00000000), ref: 001CEEEB
                            • Part of subcall function 001CF790: MulDiv.KERNEL32(?,00000002,00000060), ref: 001CF79B
                            • Part of subcall function 001CED90: RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,UBR,00000010,00000000,?,?), ref: 001CEDD0
                            • Part of subcall function 001CED90: GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 001CEDEA
                            • Part of subcall function 001CED90: GetProcAddress.KERNEL32(00000000), ref: 001CEDF1
                          • InflateRect.USER32(?,00000000,00000000), ref: 001CEF14
                          • OffsetRect.USER32(?,?,?), ref: 001CEF2A
                          • GetWindowRect.USER32(?,?), ref: 001CEF3E
                          • MoveWindow.USER32(?,?,?,001CF55F,?,00000001), ref: 001CEF5A
                          • CreateRectRgnIndirect.GDI32(?), ref: 001CEF6A
                          • InflateRect.USER32(?,00000000,00000000), ref: 001CEF76
                          • CreateRectRgnIndirect.GDI32(?), ref: 001CEF80
                          • CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 001CEF89
                          • SetWindowRgn.USER32(?,00000000,00000001), ref: 001CEF98
                          • DeleteObject.GDI32(00000000), ref: 001CEFA3
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: RectWindow$CreateIndirectInflateLongOffset$AddressAttributesCombineDeleteEnableHandleLayeredModuleMoveObjectProcValue
                          • String ID:
                          • API String ID: 2055800946-0
                          • Opcode ID: 51a12c83686feb9e126b0826bc0713e157e8c777ab70a81f3b256d456f8be88e
                          • Instruction ID: 9349b88134c357705ecd1771eba2d6ed9a4397d2fe42bd53a094dde43d6290b7
                          • Opcode Fuzzy Hash: 51a12c83686feb9e126b0826bc0713e157e8c777ab70a81f3b256d456f8be88e
                          • Instruction Fuzzy Hash: 49411C72900208AFDF01AFA4ED89FAE7F7CEB09711F1441A5FA05E7162D731A9448B60
                          APIs
                          • GetCurrentProcessId.KERNEL32(00000040,?), ref: 001C5165
                          • CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001), ref: 001C5195
                          • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 001C51C0
                          • ReleaseMutex.KERNEL32(?,00000000,00000000,00000000), ref: 001C53B7
                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 001C53CA
                            • Part of subcall function 001C62F0: GetLastError.KERNEL32(FE025AF7,?,00000000,0022F520,000000FF), ref: 001C631D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$Local\SM0:%lu:%lu:%hs$wil
                          • API String ID: 908355122-2224554449
                          • Opcode ID: 0b9a02a493347e3546d1091c6ef2e347fb659593e37ef3e8e674e56a5afcc8b3
                          • Instruction ID: 03f653d19ea72f36f031da2ff1a90edc0b453f031a75263a0e4c0628249db141
                          • Opcode Fuzzy Hash: 0b9a02a493347e3546d1091c6ef2e347fb659593e37ef3e8e674e56a5afcc8b3
                          • Instruction Fuzzy Hash: B481B875A40719ABDB10EF64DC8AF9A77A9AF75700F004599F508DB281DBB4FE80CB90
                          APIs
                          • DeleteObject.GDI32(?), ref: 001F62DD
                          • GetDlgItem.USER32(?,?), ref: 001F631D
                          • SendMessageW.USER32(00000000,00000031,?,?), ref: 001F6333
                          • GetObjectW.GDI32(00000000,0000005C,?), ref: 001F6354
                          • CreateFontIndirectW.GDI32(?), ref: 001F636B
                          • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 001F6382
                          • GetWindowTextW.USER32(00000000,?,00000040), ref: 001F638E
                          • GetWindowRect.USER32(00000000,?), ref: 001F639C
                          • MapWindowPoints.USER32(00000000,?,00000002), ref: 001F63B3
                          • GetDC.USER32(00000000), ref: 001F63BA
                          • SelectObject.GDI32(00000000), ref: 001F63C9
                          • DrawTextW.USER32(00000000,?,?,?,00000424), ref: 001F6404
                          • ReleaseDC.USER32(00000000,00000000), ref: 001F640C
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,?,00000006), ref: 001F6448
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Window$Object$MessageSendText$CreateDeleteDrawFontIndirectItemPointsRectReleaseSelect
                          • String ID:
                          • API String ID: 1345737623-0
                          • Opcode ID: 6cd9addfeea2c137e9e26832b8033a186b865f96d9929605211e6b5d9b93bef0
                          • Instruction ID: 979212d3c2a26de37adaf940865484dae51f7438f519acd42107fcce68712fa9
                          • Opcode Fuzzy Hash: 6cd9addfeea2c137e9e26832b8033a186b865f96d9929605211e6b5d9b93bef0
                          • Instruction Fuzzy Hash: 73418E71600318AFEB14AB64EC89FBA7778EB05701F1040D8FB09A6190DB706A858F65
                          APIs
                          • RegCreateKeyExW.ADVAPI32(80000001,0025BF38,00000000,00000000,00000000,00020006,00000000,0025BF3C,00000000,7693B660,00000000), ref: 001F6522
                          • RegSetValueExW.ADVAPI32(0025BF3C,9526E850,00000000,00000004,?,00000004,?), ref: 001F6579
                          • RegCreateKeyExW.ADVAPI32(?,00000402,00000000,00000000,00000000,00020006,00000000,?,00000000,?,00000000), ref: 001F662E
                          • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,?,?,00000000), ref: 001F6667
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001F6684
                          • RegCloseKey.ADVAPI32(0025BF3C), ref: 001F66A9
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000,?,?,?,?,00000000), ref: 001F66E6
                          • RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 001F6737
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 001F6745
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateValue$Delete
                          • String ID: P6%
                          • API String ID: 416952627-1374007952
                          • Opcode ID: 957f615c5933829ce52516ce68fbc03b518b83d288a5ccdfe328c51d3e81f8c0
                          • Instruction ID: cd3b3811b943a914a1bf22f4919d4740ee67b1f8f72d71977cce7f8a60488267
                          • Opcode Fuzzy Hash: 957f615c5933829ce52516ce68fbc03b518b83d288a5ccdfe328c51d3e81f8c0
                          • Instruction Fuzzy Hash: 33816A75A40208EFEB259F94DD45FEDBBB9EF08B10F244019FB41BA1A0D7B2A910DB54
                          APIs
                          • GetDlgItem.USER32(?,000001F4), ref: 001CE184
                          • GetSysColorBrush.USER32(00000005), ref: 001CE190
                          • GetDlgItem.USER32(?,000001F4), ref: 001CE1D5
                          • EndDialog.USER32(?,00000000), ref: 001CE1EC
                          • SetWindowTextW.USER32(?,?), ref: 001CE2E4
                          • GetDlgItem.USER32(?,000001F4), ref: 001CE302
                          • SendMessageW.USER32(00000000), ref: 001CE30B
                          • GetDlgItem.USER32(?,000001F4), ref: 001CE321
                          • SendMessageW.USER32(00000000), ref: 001CE324
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Item$MessageSend$BrushColorDialogTextWindow
                          • String ID: %s License Agreement
                          • API String ID: 1092124246-1285993597
                          • Opcode ID: a45397be21377aac351ef338f632a7e8de309f5c68b66c47beae831253800cc0
                          • Instruction ID: de7e8547967621e1e9c4233ec8a298729e122706f848315f1189d6b1fa6d9b0b
                          • Opcode Fuzzy Hash: a45397be21377aac351ef338f632a7e8de309f5c68b66c47beae831253800cc0
                          • Instruction Fuzzy Hash: 15513A71A403099BDB24DF28EC4DFEA77A9EB65300F1441EDF506A7292DB71EE508B50
                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001F2BD0
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00020019,?), ref: 001F2C2A
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000004,00000004,?,?,00000000,00020019,?), ref: 001F2C69
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000004,?,?,00000000,00020019,?), ref: 001F2CA2
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000004,00000004,?,?,00000000,00020019,?), ref: 001F2CDE
                          • RegCloseKey.ADVAPI32(00000000,00020019,?), ref: 001F2D15
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000004,?,?,00000000,00020019,?), ref: 001F2D53
                          • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?,?), ref: 001F2D8A
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 001F2DCD
                          • RegCloseKey.ADVAPI32(?), ref: 001F2DE1
                          • RegOpenKeyExW.ADVAPI32(00000001,?,00000000,00020019,?), ref: 001F2E0A
                          • RegCloseKey.ADVAPI32(?), ref: 001F2E6C
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID:
                          • API String ID: 1586453840-0
                          • Opcode ID: be44dd77c274d5974ed310fcc2df07a9d3543747f1c7d7755ed9587ef3e4ee80
                          • Instruction ID: 491b5722189a715aa5353b9a59ded6a3a27fca51900fd34cd7d19c9d865e781f
                          • Opcode Fuzzy Hash: be44dd77c274d5974ed310fcc2df07a9d3543747f1c7d7755ed9587ef3e4ee80
                          • Instruction Fuzzy Hash: 8EA11875E00218EBDB11DF98EC84FADBBB8BF09700F144159FA51BB250D771A901DB60
                          APIs
                            • Part of subcall function 0022C6B8: CreateFileW.KERNEL32(00000000,00000000,?,0022CA1A,?,?,00000000,?,0022CA1A,00000000,0000000C), ref: 0022C6D5
                          • GetLastError.KERNEL32 ref: 0022CA85
                          • __dosmaperr.LIBCMT ref: 0022CA8C
                          • GetFileType.KERNEL32(00000000), ref: 0022CA98
                          • GetLastError.KERNEL32 ref: 0022CAA2
                          • __dosmaperr.LIBCMT ref: 0022CAAB
                          • CloseHandle.KERNEL32(00000000), ref: 0022CACB
                          • CloseHandle.KERNEL32(?), ref: 0022CC18
                          • GetLastError.KERNEL32 ref: 0022CC4A
                          • __dosmaperr.LIBCMT ref: 0022CC51
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Similarity
                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                          • String ID: AE"
                          • API String ID: 4237864984-3598173249
                          • Opcode ID: 9e39dcb7095142dde9d0fca06834ef226edd4c3e707dbef3a5f629bf8475a857
                          • Instruction ID: 18df89351e5b3c24d5ca26ad7f5ee23878151f4d40a3453efbde165539150b34
                          • Instruction Fuzzy Hash: B9A12D32A20169AFDF19EFA8EC55BAD3BA1AB06314F240199F8019F3D1C7359866CB51
                          APIs
                          • GdipAlloc.GDIPLUS(00000010,FE025AF7), ref: 001E7882
                          • GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E78AC
                          • GdipGetImageGraphicsContext.GDIPLUS(?,00000000,?,?,00000000,0026200A,00000000,?,00000010,FE025AF7), ref: 001E78D1
                          • GdipDrawLineI.GDIPLUS(?,?,?,?,?,?,00000010,FE025AF7), ref: 001E7935
                          • GdipCreateSolidFill.GDIPLUS(FF000000,?,00000010,FE025AF7), ref: 001E7953
                          • GdipFillEllipseI.GDIPLUS(?,00000000,00000000,00000000,?,?,FF000000,?,00000010,FE025AF7), ref: 001E7967
                          • GdipDeleteBrush.GDIPLUS(00000000,?,00000000,00000000,00000000,?,?,FF000000,?,00000010,FE025AF7), ref: 001E79A0
                          • GdipBitmapUnlockBits.GDIPLUS(00000000,00000000,00000000,00000000,?,?,FF000000,?,00000010,FE025AF7), ref: 001E79EA
                          • GdipDeleteGraphics.GDIPLUS(?), ref: 001E7A0F
                          Similarity
                          • API ID: Gdip$BitmapCreateDeleteFillGraphics$AllocBitsBrushContextDrawEllipseFromImageLineScan0SolidUnlock
                          • String ID:
                          • API String ID: 2710849743-0
                          • Opcode ID: c1c5c66c80bc3ad5e592b4fd369da3fc0a1c873c0c15d44e7b16823b16a0cb6d
                          • Instruction ID: 2989047a84bae8f09ec0e58de634c4fce18c001c8176ab7074012d58aa233b8c
                          • Instruction Fuzzy Hash: 288106B19006599FDF10DFA9CD85AEEBBF9FF48314F118129F918A7281D734A9118FA0
                          APIs
                          • SysStringLen.OLEAUT32(00000000), ref: 001CCA8A
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCAA7
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCABB
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCAD3
                          • SysStringLen.OLEAUT32(00000000), ref: 001CCAE4
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCAF7
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCB0B
                          • SysFreeString.OLEAUT32(00000000), ref: 001CCB1F
                          • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 001CCB42
                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CCB61
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001CCB67
                          Similarity
                          • API ID: String$Free$Heap$FormatMessageProcess
                          • String ID:
                          • API String ID: 441299210-0
                          • Opcode ID: c9a2b7d43bf56f51763ec557ffd6bae125787ba086840959489af8bcdb828508
                          • Instruction ID: c521ff9a8119b4e3880b9e0f80df7b8f6f15535556974359d069e4432d5f652d
                          • Instruction Fuzzy Hash: 5A31FDB0A00218BBDF10EBE5DD45FAEB7B8AF14740F148469F915A7281D775EE208F94
                          APIs
                          • RegisterHotKey.USER32(001F1945,00000000,?,?,?,?,001F1945,00000000), ref: 001F2EE4
                          • RegisterHotKey.USER32(001F1945,00000003,?,?,?,?,001F1945,00000000), ref: 001F2EFC
                          • RegisterHotKey.USER32(001F1945,00000001,?,?,?,?,001F1945,00000000), ref: 001F2F14
                          • RegisterHotKey.USER32(001F1945,00000002,?,?,?,?,001F1945,00000000), ref: 001F2F2C
                          • RegisterHotKey.USER32(001F1945,00000009,?,?,?,?,001F1945,00000000), ref: 001F2F44
                          • RegisterHotKey.USER32(001F1945,0000000A,?,00000000,?,001F1945,00000000), ref: 001F2F5A
                          • RegisterHotKey.USER32(001F1945,00000007,?,?,?,?,001F1945,00000000), ref: 001F2F72
                          • RegisterHotKey.USER32(001F1945,00000008,?,00000000,?,001F1945,00000000), ref: 001F2F88
                          • RegisterHotKey.USER32(001F1945,00000004,?,?,?,?,?,001F1945,00000000), ref: 001F2FA5
                          • RegisterHotKey.USER32(001F1945,00000005,?,00000000,?,001F1945,00000000), ref: 001F2FC0
                          • RegisterHotKey.USER32(001F1945,00000006,?,00000000,?,001F1945,00000000), ref: 001F2FDB
                          Similarity
                          • API ID: Register
                          • String ID:
                          • API String ID: 2794398274-0
                          • Opcode ID: 3fedb28f0024d2599e2713c58ab6c6a061ca35cfbc05fdade12d524065659010
                          • Instruction ID: 5e56d6840c7475e3dee47bb692c9630945d7bed889db64e952a6ec2155363fd2
                          • Instruction Fuzzy Hash: C7318DB16403247AF622DB2ABC08F76B2ECEF5D742F512005FB40D60A0D7B4EA119A7C
                          APIs
                          • UnregisterHotKey.USER32(001F1FA1,00000000,76947310,?,?,001F1FA1,00000000), ref: 001F6281
                          • UnregisterHotKey.USER32(001F1FA1,00000003,?,001F1FA1,00000000), ref: 001F6286
                          • UnregisterHotKey.USER32(001F1FA1,00000001,?,001F1FA1,00000000), ref: 001F628B
                          • UnregisterHotKey.USER32(001F1FA1,00000002,?,001F1FA1,00000000), ref: 001F6290
                          • UnregisterHotKey.USER32(001F1FA1,00000004,?,001F1FA1,00000000), ref: 001F6295
                          • UnregisterHotKey.USER32(001F1FA1,00000005,?,001F1FA1,00000000), ref: 001F629A
                          • UnregisterHotKey.USER32(001F1FA1,00000006,?,001F1FA1,00000000), ref: 001F629F
                          • UnregisterHotKey.USER32(001F1FA1,00000007,?,001F1FA1,00000000), ref: 001F62A4
                          • UnregisterHotKey.USER32(001F1FA1,00000008,?,001F1FA1,00000000), ref: 001F62A9
                          • UnregisterHotKey.USER32(001F1FA1,00000009,?,001F1FA1,00000000), ref: 001F62AE
                          • UnregisterHotKey.USER32(001F1FA1,0000000A,?,001F1FA1,00000000), ref: 001F62B3
                          Similarity
                          • API ID: Unregister
                          • String ID:
                          • API String ID: 315482161-0
                          • Opcode ID: 192421514dc8559acb8d847ba1d0dd7a2d6efa054fca8d0478532a62ee77bacb
                          • Instruction ID: 0d348984311684e153356efc5e3ff201b2901456b59f1f745625fe5550e60ef5
                          • Instruction Fuzzy Hash: 78F04E15B8022831E43226665C8AF7F6E2DDBC2FB1F01401BF3086A0C05A992402AAE2
                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000,00000000), ref: 001C6ACD
                          Similarity
                          • API ID: ObjectSingleWait
                          • String ID: wil
                          • API String ID: 24740636-1589926490
                          • Opcode ID: a91bcacaef206221f9a10c5a650789e9e76cdd038a0f10bb1a652088c14c5b3e
                          • Instruction ID: f929833690ab2ab551cfcbebd7088a21f75bbf16df173c8f3e62329cf1adeeb1
                          • Instruction Fuzzy Hash: 6941FC76740218B7DB20AA68FC07FB93358CF66B15F1005B9FE08EA2C0D7B1ED655296
                          APIs
                          • CreateThreadpoolWait.KERNEL32(001FC350,?,00000000), ref: 001E0937
                          • CloseThreadpoolWait.KERNEL32(?,FE025AF7), ref: 001E094E
                          • SetThreadpoolWait.KERNEL32(00000000,?,00000000,FE025AF7), ref: 001E0979
                          • LoadLibraryW.KERNEL32(kernel32.dll,SetThreadpoolWaitEx,00000000,?,00000000,FE025AF7), ref: 001E09AA
                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 001E09B0
                          • GetCurrentProcess.KERNEL32 ref: 001E09E6
                          • SetThreadpoolWait.KERNEL32(00000000,00000000,?), ref: 001E09F3
                          Similarity
                          • API ID: ThreadpoolWait$AddressCloseCreateCurrentLibraryLoadProcProcess
                          • String ID: SetThreadpoolWaitEx$kernel32.dll
                          • API String ID: 2441295170-77615690
                          • Opcode ID: 5f73f92c6935448e726a55a86ec594d35e4a4829da1699dba57ca9318f1aed00
                          • Instruction ID: f33209bb912d4f238808ffdbf0e35732ffd4f3e439fb2bc7ab2110c5ab4f24c0
                          • Instruction Fuzzy Hash: 2331E471A00B49AAE721DFA5DD41B7FB7B8EF09740F10462AF516D3282EB74E9508B90
                          APIs
                          • EnumDisplaySettingsW.USER32(00000000,000000FF,?), ref: 001E8945
                          • ChangeDisplaySettingsExW.USER32(\\.\DISPLAY2,?,00000000,10000001,00000000), ref: 001E8999
                          • ChangeDisplaySettingsExW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 001E89A6
                          • GetLastError.KERNEL32 ref: 001E89AC
                          • FindWindowW.USER32(ZoomitClass,00000000), ref: 001E89CE
                          • SetWindowPos.USER32(00000000), ref: 001E89D5
                          • SetCursorPos.USER32(?,?), ref: 001E89EB
                          Similarity
                          • API ID: DisplaySettings$ChangeWindow$CursorEnumErrorFindLast
                          • String ID: ZoomitClass$\\.\DISPLAY2
                          • API String ID: 4050245988-61546998
                          • Opcode ID: a7542abb4288be6f597f08291e591c8f42b7c73262737c82f6e2673296202d85
                          • Instruction ID: d0e520b7c037737ddd297f5ff8e8a6182b69249d08511320c428af2ee4d4d140
                          • Instruction Fuzzy Hash: B721C431A00229ABDB20DB65DC48FAEBBB8EB45754F100195F90DF7281CB71AD808BE0
                          APIs
                          • IsWindowVisible.USER32(?), ref: 001E8BFD
                          • SetForegroundWindow.USER32 ref: 001E8C0D
                          • MessageBoxW.USER32(?,?,ZoomIt,00000010), ref: 001E8C22
                          • IsWindowVisible.USER32(?), ref: 001E8C32
                          • MoveWindow.USER32(00000000,00000000,00000000,00000000,00000000), ref: 001E8C47
                          • ShowWindow.USER32(00000008), ref: 001E8C5B
                          • ShowWindow.USER32(00000000), ref: 001E8C65
                          Similarity
                          • API ID: Window$ShowVisible$ForegroundMessageMove
                          • String ID: %s: %s$ZoomIt
                          • API String ID: 1721305305-1171031162
                          • Opcode ID: 9bb981f5c62fe2b3e1e024b35f08179779c37f849e39c3d24f851155f61bd67b
                          • Instruction ID: 7598d5a5d0bb9e5abc6b8cb62839435f46d1ecdf6cd08c9773228b54b6100f84
                          • Instruction Fuzzy Hash: 6D115E71A01208ABDB21AF74FD49AAD7BBCBB04709F1040A5F955E3260DF306E549B94
                          Similarity
                          • API ID: __aulldiv
                          • String ID: :$f$f$f$p$p$p
                          • API String ID: 3732870572-1434680307
                          • Opcode ID: 27d4cf2ad177503dd7851865d7500a83843520c2e03e113d6e103432cac3b1db
                          • Instruction ID: 791e129c1a8aa7eb72d38c5c47cd6a7125121afa7d43e7390b7eb47d39978d0d
                          • Instruction Fuzzy Hash: 01028075A20219DADF248F74D4C96EDB7FAFB60B18FA04145E414BB280DF348EE88B55
                          APIs
                          • type_info::operator==.LIBVCRUNTIME ref: 0020BA31
                          • ___TypeMatch.LIBVCRUNTIME ref: 0020BB3F
                          • CatchIt.LIBVCRUNTIME ref: 0020BB90
                          • _UnwindNestedFrames.LIBCMT ref: 0020BC91
                          • CallUnexpected.LIBVCRUNTIME ref: 0020BCAC
                          Similarity
                          • API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                          • String ID: csm$csm$csm
                          • API String ID: 4119006552-393685449
                          • Opcode ID: 7868019a7b9e1d14e92f1c16400e9c5039bdd845aa7358550ad387311ab5cd36
                          • Instruction ID: d8d72b23db6d824091e9cd3e66121b3e6856f796fccb739eabeeef2281c34ec6
                          • Instruction Fuzzy Hash: 6EB17C7182030AAFCF26DFA4C9819AEBBB5FF18314F14415AE8116B293D731DA61CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000), ref: 001CC622
                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 001CC628
                          • SetErrorInfo.OLEAUT32(00000000,00000000,00000000,00000000), ref: 001CC63A
                          • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000), ref: 001CC672
                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000), ref: 001CC691
                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001CC697
                          • SetErrorInfo.OLEAUT32(00000000,00000000,?,00000000,?,?,?,?,001CDB44), ref: 001CC6D9
                          Similarity
                          • API ID: Heap$ErrorFreeInfoProcess$FormatMessage
                          • String ID: L#
                          • API String ID: 5449149-446359015
                          • Opcode ID: 3f405dd9638b25bc042dee8cf29181c001adb67712472a862893f907450428b8
                          • Instruction ID: 57063fb2b8eb20d944ec41aa345592c91273a2c509bbe99555ad72041fa0163d
                          • Instruction Fuzzy Hash: 7F418EB0640319ABE714DF64CD02FAA77A8EF24724F10822DF9299B3C1DB75E911CB95
                          APIs
                          • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,FE025AF7), ref: 001C4D34
                          • SetEvent.KERNEL32(?), ref: 001C4D5C
                          • CloseHandle.KERNEL32(?,FE025AF7), ref: 001C4DCB
                          • CloseHandle.KERNEL32(?,FE025AF7), ref: 001C4DDD
                          • CloseHandle.KERNEL32(?,FE025AF7), ref: 001C4DEF
                          Similarity
                          • API ID: CloseHandle$EventObjectSingleWait
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$Must initialize audio sample generator before use!
                          • API String ID: 2857295742-3061329012
                          • Opcode ID: 825bbfe19269b1113f28a709c0d93224d6c805496348f57dea6da0e3b7ecd3bb
                          • Instruction ID: fab7a2b9539948a8413b8f89511ff683f3893574b489199bcffe4c76859c9952
                          • Opcode Fuzzy Hash: 825bbfe19269b1113f28a709c0d93224d6c805496348f57dea6da0e3b7ecd3bb
                          • Instruction Fuzzy Hash: AF518871618205ABDB20EFB4DC66FAA77A9AF35B00F01092CF456E7281DB74E940CB60
                          APIs
                          • OpenSemaphoreW.KERNEL32(001F0003,00000000,?,?,00000104,_p0), ref: 001CB66F
                          • GetLastError.KERNEL32 ref: 001CB67B
                          • CloseHandle.KERNEL32(00000000), ref: 001CB707
                          • CloseHandle.KERNEL32(00000000), ref: 001CB753
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseHandle$ErrorLastOpenSemaphore
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$_p0$wil
                          • API String ID: 3583359621-4230274945
                          • Opcode ID: 12980d59d45938570766694cff3af9b9a31e26e3a51e97c67e5a82bac15d5af4
                          • Instruction ID: a89287122e03b297ba1a779c88b1d41b88a76b76937b9a6649d0c199ccd4d367
                          • Opcode Fuzzy Hash: 12980d59d45938570766694cff3af9b9a31e26e3a51e97c67e5a82bac15d5af4
                          • Instruction Fuzzy Hash: 5641C575B4031DABDB10EF64DC86FAA73A8EF65700F104199F908DB281D771EE908BA1
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D3466
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D3488
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D34A8
                          • __Getctype.LIBCPMT ref: 001D3562
                          • std::_Facet_Register.LIBCPMT ref: 001D35B6
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D35CE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                          • String ID: ,I#
                          • API String ID: 1102183713-1305142184
                          • Opcode ID: 33f11463b9413510062900a0314c26f6446f679050a32a74b20476b3c8eaf352
                          • Instruction ID: f826157a8c9b9c37540f364fd049f41e5fefe30fbf512f79e3e81078b6b892e2
                          • Opcode Fuzzy Hash: 33f11463b9413510062900a0314c26f6446f679050a32a74b20476b3c8eaf352
                          • Instruction Fuzzy Hash: 9D51B071D00759CFDB21CF58E845BAABBB4FF14314F24825AE855A7352E730EA90CB91
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 001C638D
                          • GetProcessHeap.KERNEL32 ref: 001C63DC
                          • HeapAlloc.KERNEL32(00000000,00000000,0000000C), ref: 001C63EA
                          • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 001C6408
                          • GetProcAddress.KERNEL32(00000000,RtlDisownModuleHeapAllocation), ref: 001C6418
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AddressAllocCurrentHandleModuleProcProcessThread
                          • String ID: RtlDisownModuleHeapAllocation$ntdll.dll
                          • API String ID: 645693534-704576883
                          • Opcode ID: 49bc0fa5f5fcc5f936713d2602dada9d865e18a01aeb1cb37b73e3d2f2a43504
                          • Instruction ID: f514c703b76b3d9237eb3e00b06440c65e50f7d5307d2efcd1f09a94b5f90a45
                          • Opcode Fuzzy Hash: 49bc0fa5f5fcc5f936713d2602dada9d865e18a01aeb1cb37b73e3d2f2a43504
                          • Instruction Fuzzy Hash: 3F418B72A057049FDB28DF69E944B6ABBE4FB55751F14817EE809D7350EB31E800CB90
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000000), ref: 001EE41E
                          • DeleteObject.GDI32 ref: 001EE53F
                          • CreateFontIndirectW.GDI32(0025BA48), ref: 001EE591
                          • SelectObject.GDI32(00000000), ref: 001EE5A3
                          • KillTimer.USER32(?,00000000), ref: 001EE682
                          • SetTimer.USER32(?,00000000,000003E8,00000000), ref: 001EE697
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000000), ref: 001EE6A7
                          • ClipCursor.USER32(00000000), ref: 001EE71A
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InvalidateObjectRectTimer$ClipCreateCursorDeleteFontIndirectKillSelect
                          • String ID:
                          • API String ID: 1777162000-0
                          • Opcode ID: 93b20d3ebac80cf26a4609af7496e5795e3d3f44f60d64f062de97274f11b941
                          • Instruction ID: 4887fe763ce401762648255a735c5d95553fc691132d7dc6c96f0af83ad5f8bb
                          • Opcode Fuzzy Hash: 93b20d3ebac80cf26a4609af7496e5795e3d3f44f60d64f062de97274f11b941
                          • Instruction Fuzzy Hash: 12C12731904B489FD71A9B3BBC49B6877A1AF69306F298749F905B62F1F7307494CB04
                          APIs
                          • RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,UBR,00000010,00000000,?,?), ref: 001CEDD0
                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 001CEDEA
                          • GetProcAddress.KERNEL32(00000000), ref: 001CEDF1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleModuleProcValue
                          • String ID: RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$ntdll.dll
                          • API String ID: 144840598-2478976890
                          • Opcode ID: e48edb124ee8690b69c9eac3809b91aee37014df47f37e64a05825a4b5dcc8ed
                          • Instruction ID: e6cd9ef8ff6cbebeb29f69cc3059b11827df442e896304895a769f8beee483b9
                          • Opcode Fuzzy Hash: e48edb124ee8690b69c9eac3809b91aee37014df47f37e64a05825a4b5dcc8ed
                          • Instruction Fuzzy Hash: 1C01367175131CABD724AF64EC4AFE9B7B8DB05700F000199BA09A7280DB70AA54CF94
                          APIs
                          • GetModuleHandleW.KERNEL32(user32.dll,GetDpiForWindow,?,001CF360,?,FE025AF7), ref: 001CF63D
                          • GetProcAddress.KERNEL32(00000000), ref: 001CF644
                          • GetDC.USER32(00000000), ref: 001CF659
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 001CF664
                          • DeleteDC.GDI32(00000000), ref: 001CF671
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressCapsDeleteDeviceHandleModuleProc
                          • String ID: GetDpiForWindow$user32.dll
                          • API String ID: 1360483479-1345785904
                          • Opcode ID: 34c44fb258317e2c76f456466b79a0420919e1a113674661317444342cc78759
                          • Instruction ID: 0117b798c2cc5bbff270467868106aafefc50d125e9e8e734fbdc3af25a98702
                          • Opcode Fuzzy Hash: 34c44fb258317e2c76f456466b79a0420919e1a113674661317444342cc78759
                          • Instruction Fuzzy Hash: C3E0923634072467CA113BF5BC0DF5A3F1DEB86B56F0000B5FB09D2260DB20D8018AA1
                          APIs
                          • VkKeyScanW.USER32(00000000), ref: 001D834D
                          • __Mtx_unlock.LIBCPMT ref: 001D84A0
                          • SendInput.USER32(00000001,00000001,0000001C,000000A0), ref: 001D84E3
                          • SendInput.USER32(00000001,00000001,0000001C), ref: 001D858D
                          • __Mtx_unlock.LIBCPMT ref: 001D85E3
                          • SendInput.USER32(00000001,?,0000001C,000000A0), ref: 001D862A
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D866F
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D8680
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: InputSend$Cpp_errorMtx_unlockThrow_std::_$Scan
                          • String ID:
                          • API String ID: 713818903-0
                          • Opcode ID: 9c70ccc7a83b12bf0cb49aa2553e1ab467dc18a09b5df4bf5cb1049899024b5c
                          • Instruction ID: 4e7b5315c4a34ecc4863fbb0c0f58d54f5d95f3bffdddf724aac4149ce63e09a
                          • Opcode Fuzzy Hash: 9c70ccc7a83b12bf0cb49aa2553e1ab467dc18a09b5df4bf5cb1049899024b5c
                          • Instruction Fuzzy Hash: 7E911270D103089BDF25EBA8EC49BFDB7B4AB19315F14421BF804A3392EB749994CB65
                          APIs
                          • GetErrorInfo.OLEAUT32(00000000,00000000,FE025AF7,?,?,?,?,001CDB44,001CDB7F), ref: 001C42F4
                          • SysFreeString.OLEAUT32(?), ref: 001C4369
                          • SysStringLen.OLEAUT32(00000000), ref: 001C43DB
                          • GetProcessHeap.KERNEL32(-000000FF,?,?,?,?,?,?,001CDB44), ref: 001C4417
                          • HeapFree.KERNEL32(00000000,-000000FF,?,?,?,?,?,?,001CDB44), ref: 001C441D
                          • GetProcessHeap.KERNEL32(-000000FF,00000000,00000000,00000000,?,?,?,?,001CDB44), ref: 001C4440
                          • HeapFree.KERNEL32(00000000,-000000FF,00000000,00000000,00000000,?,?,?,?,001CDB44), ref: 001C4446
                          • SysFreeString.OLEAUT32(00000000), ref: 001C4453
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap$String$Process$ErrorInfo
                          • String ID:
                          • API String ID: 3725924239-0
                          • Opcode ID: 121966d22d5053ebfc46da14b98113b3f9fb6adad2aa588a37dc61ac884155fb
                          • Instruction ID: 92abc7c386d66b636a2f90bd15d874892c7836f42cbaa76b355498388248b428
                          • Opcode Fuzzy Hash: 121966d22d5053ebfc46da14b98113b3f9fb6adad2aa588a37dc61ac884155fb
                          • Instruction Fuzzy Hash: 88517274A04215AFDF18EFA4D890FAEBBB9FF64310F20456DE91597281DB34DA14CBA0
                          APIs
                          • GdipGetImageWidth.GDIPLUS(?,?), ref: 001E5683
                          • GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 001E569D
                          • GdipCreateEffect.GDIPLUS(?,?), ref: 001E56DF
                          • GdipSetEffectParameters.GDIPLUS(00000000,?,00000008,?,?), ref: 001E5701
                          • GdipFree.GDIPLUS(00000000,00000000,?,00000008,?,?), ref: 001E5728
                          • GdipBitmapApplyEffect.GDIPLUS(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000008,?,?), ref: 001E5750
                          • GdipFree.GDIPLUS(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000008,?,?), ref: 001E575F
                          • GdipDeleteEffect.GDIPLUS(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000008,?,?), ref: 001E5767
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Effect$FreeImage$ApplyBitmapCreateDeleteHeightParametersWidth
                          • String ID:
                          • API String ID: 578888708-0
                          • Opcode ID: f183f8c6446fb4cd2c267af080b5f04e3fcdb7ce16fad03bc816c65e2ef1c2af
                          • Instruction ID: c7beef39921971e9b2366aac0a994130a00bc65565d3863f3244188d62d0debd
                          • Opcode Fuzzy Hash: f183f8c6446fb4cd2c267af080b5f04e3fcdb7ce16fad03bc816c65e2ef1c2af
                          • Instruction Fuzzy Hash: 4931C5B0C1020DAADF00EFA5D945BEEFBB8BF08304F108155E914B6291D775AA68CFA0
                          APIs
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001E71A3
                          • CreateCompatibleDC.GDI32(00000000), ref: 001E71AD
                          • SelectObject.GDI32(00000000,00000000), ref: 001E71BA
                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 001E71D8
                          • GdipAlloc.GDIPLUS(00000010,?,?,00000000), ref: 001E71E0
                          • GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,00000000,00000010,?,?), ref: 001E7204
                          • DeleteDC.GDI32(00000000), ref: 001E7217
                          • DeleteObject.GDI32(00000000), ref: 001E7220
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$BitmapCompatibleDeleteGdipObject$AllocFromSelect
                          • String ID:
                          • API String ID: 948071966-0
                          • Opcode ID: 75ab37dedafbf4598a8945bdbab66f215c6ad8611e9f586685ed30d9786820dd
                          • Instruction ID: c04dbc1dfb5e77d82b7ca6f4e9e2275ab0a100a320d4e2673158f4639c47cab8
                          • Opcode Fuzzy Hash: 75ab37dedafbf4598a8945bdbab66f215c6ad8611e9f586685ed30d9786820dd
                          • Instruction Fuzzy Hash: BC114C72900218FBCB14AFE4ED09F9EBFB8FF08B51F114099FA04A3250D371A9519BA1
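Read as API sequences, several of the function entries above map onto recognisable capabilities: GetModuleHandleW/GetProcAddress resolving RtlDisownModuleHeapAllocation and RtlGetVersion (run-time API resolution, and OS build fingerprinting together with the UBR registry read), VkKeyScanW followed by SendInput (synthetic keystroke injection), and CreateCompatibleBitmap/BitBlt/GdipCreateBitmapFromHBITMAP (screen capture). The Python script below is an added example, not part of the Joe Sandbox report and not a Joe Sandbox signature: it parses API lines in the report's own "Func.MODULE(args), ref: addr" format and tags each function with the capability its calls evidence. The capability labels and rule sets are the editor's own choices, and the embedded sample lines are a constructed excerpt copied from the entries above.

```python
import re
from collections import defaultdict

# Constructed input: "APIs" lines copied verbatim from function entries of this
# report. Each "APIs" header begins the call listing of one disassembled function.
SAMPLE_REPORT = r"""
APIs
• GetCurrentThreadId.KERNEL32 ref: 001C638D
• GetProcessHeap.KERNEL32 ref: 001C63DC
• HeapAlloc.KERNEL32(00000000,00000000,0000000C), ref: 001C63EA
• GetModuleHandleW.KERNEL32(ntdll.dll), ref: 001C6408
• GetProcAddress.KERNEL32(00000000,RtlDisownModuleHeapAllocation), ref: 001C6418
APIs
• RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,UBR,00000010,00000000,?,?), ref: 001CEDD0
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 001CEDEA
• GetProcAddress.KERNEL32(00000000), ref: 001CEDF1
APIs
• VkKeyScanW.USER32(00000000), ref: 001D834D
• SendInput.USER32(00000001,00000001,0000001C,000000A0), ref: 001D84E3
APIs
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001E71A3
• CreateCompatibleDC.GDI32(00000000), ref: 001E71AD
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 001E71D8
• GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,00000000,00000010,?,?), ref: 001E7204
"""

# One report line: "<func>.<MODULE>(<args>), ref: <hex addr>"; the argument
# list is optional (e.g. "GetLastError.KERNEL32 ref: ...").
API_LINE = re.compile(
    r"•\s*(?P<func>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)"
)
IDENT = re.compile(r"[A-Za-z_]\w*")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Calls whose string arguments name the export being resolved at run time.
RESOLVERS = {"GetModuleHandleW", "GetProcAddress"}

# Capability rules (editor's own labels, not Joe Sandbox signatures): a rule
# fires for a function when every name in "all" appears among that function's
# imported calls or the export names it resolves dynamically.
RULES = {
    "dynamic API resolution": {"all": {"GetModuleHandleW", "GetProcAddress"}},
    "OS version fingerprinting": {"all": {"RtlGetVersion"}},
    "keystroke injection": {"all": {"SendInput"}},
    "screenshot capture": {"all": {"CreateCompatibleBitmap", "BitBlt",
                                   "GdipCreateBitmapFromHBITMAP"}},
}


def parse_api_lines(text):
    """Return one record per API call line, tagged with its function index."""
    records, func_idx = [], -1
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":          # header of the next function's call list
            func_idx += 1
            continue
        m = API_LINE.search(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "func_idx": func_idx,
            "func": m.group("func"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "addr": int(m.group("addr"), 16),
        })
    return records


def names_per_function(records):
    """Imported call names plus dynamically resolved export names, per function."""
    names = defaultdict(set)
    for r in records:
        names[r["func_idx"]].add(r["func"])
        if r["func"] in RESOLVERS:
            for a in r["args"]:
                # Keep identifier-like args; drop "?", hex values and "x.dll".
                if IDENT.fullmatch(a) and not HEX8.fullmatch(a):
                    names[r["func_idx"]].add(a)
    return names


def classify(records):
    """Map each capability to the indexes of the functions that evidence it."""
    hits = defaultdict(list)
    for idx, names in sorted(names_per_function(records).items()):
        for cap, rule in RULES.items():
            if rule["all"] <= names:
                hits[cap].append(idx)
    return dict(hits)


if __name__ == "__main__":
    for cap, idxs in classify(parse_api_lines(SAMPLE_REPORT)).items():
        print(f"{cap}: function(s) {idxs}")
```

Treating export names passed to GetProcAddress as if they were direct imports is what lets the RtlGetVersion rule fire: the call never appears in the import table, only as a string argument, which is also why static import-based triage misses it. The rules are deliberately require-all, so a function that only calls BitBlt for ordinary painting is not flagged as a screenshot routine.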
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: _strrchr
                          • String ID:
                          • API String ID: 3213747228-0
                          • Opcode ID: 7d1babd9b586f751ff1cef77c5d95683f213fae3503485eaf89484c1b58f161a
                          • Instruction ID: 99874719ece184d9dd9f6edf03c761fd6a5b04a1b0df95fa124de9af1c34b8a3
                          • Opcode Fuzzy Hash: 7d1babd9b586f751ff1cef77c5d95683f213fae3503485eaf89484c1b58f161a
                          • Instruction Fuzzy Hash: 39B14472920376BFDB118FA4D8C1BBE7BA9EF55310F148155E904AB283D2B4D931CBA0
                          APIs
                          • ___std_exception_copy.LIBVCRUNTIME ref: 001D402E
                          • ___std_exception_copy.LIBVCRUNTIME ref: 001D40CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ___std_exception_copy
                          • String ID: G` $ G` $G` $G`
                          • API String ID: 2659868963-1303474065
                          • Opcode ID: f82324f7a6a4222fc15c09e756bc64b84ae171f6ad8ca51e27b17f3ecd7a0fec
                          • Instruction ID: c299712549febe63e17f345d98c3c5fe51ba40ed2c221eebe7c8ef2969268713
                          • Opcode Fuzzy Hash: f82324f7a6a4222fc15c09e756bc64b84ae171f6ad8ca51e27b17f3ecd7a0fec
                          • Instruction Fuzzy Hash: 0771A271D103089FDB14CFA8C845AEDFBB5FF49310F14821AE425AB791E770A990CB51
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0020596B
                          • GetCurrentThreadId.KERNEL32 ref: 00205988
                          • GetCurrentThreadId.KERNEL32 ref: 002059A9
                          • GetCurrentThreadId.KERNEL32 ref: 00205A29
                          • __Xtime_diff_to_millis2.LIBCPMT ref: 00205A41
                          • GetCurrentThreadId.KERNEL32 ref: 00205A6B
                          • GetCurrentThreadId.KERNEL32 ref: 00205AB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                           • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CurrentThread$Xtime_diff_to_millis2
                          • String ID:
                          • API String ID: 1280559528-0
                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001D9D24
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID: ,$,I#$.$false$true
                          • API String ID: 118556049-267996440
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,001CDDB2,00000400,?,001CDDCE,00000400), ref: 001CCD06
                          • HeapAlloc.KERNEL32(00000000,00000000,001CDDB2,00000400,?,001CDDCE,00000400), ref: 001CCD0C
                          • AcquireSRWLockExclusive.KERNEL32(?,FE025AF7,000003FF,001CDDCE,00000000,?,?,?,?,0024CD84,length), ref: 001CCDB5
                          • ReleaseSRWLockExclusive.KERNEL32(?,001CDDCE,00000000,?,?,?,?,0024CD84), ref: 001CCE46
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExclusiveHeapLock$AcquireAllocProcessRelease
                          • String ID: length
                          • API String ID: 2353542611-25009842
                          APIs
                          • GetProcAddress.KERNEL32(00000000), ref: 001CE757
                          • GetCommandLineW.KERNEL32(0025B260), ref: 001CE76C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressCommandLineProc
                          • String ID: -accepteula$/accepteula$CommandLineToArgvW$Shell32.dll
                          • API String ID: 2738745670-2252253654
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D32C3
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D32E5
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D3305
                          • std::_Facet_Register.LIBCPMT ref: 001D33FD
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D3415
                          Strings
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                          • String ID: ,I#
                          • API String ID: 459529453-1305142184
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 0020B417
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 0020B41F
                          • _ValidateLocalCookies.LIBCMT ref: 0020B4A8
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 0020B4D3
                          • _ValidateLocalCookies.LIBCMT ref: 0020B528
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D3621
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D363F
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D365F
                          • std::_Facet_Register.LIBCPMT ref: 001D3726
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D373E
                          Strings
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                          • String ID: ,I#
                          • API String ID: 459529453-1305142184
                          APIs
                          • ___std_exception_copy.LIBVCRUNTIME ref: 001E2EE9
                          • ___std_exception_copy.LIBVCRUNTIME ref: 001E2F24
                          • ___std_exception_destroy.LIBVCRUNTIME ref: 001E2F5C
                          • ___std_exception_destroy.LIBVCRUNTIME ref: 001E2F76
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ___std_exception_copy___std_exception_destroy
                          • String ID: ,I#$9%
                          • API String ID: 2970364248-2984632962
                          APIs
                          • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 001E6F00
                          • GetLastError.KERNEL32(?,?,?), ref: 001E6F0F
                          • CreateCompatibleDC.GDI32(?), ref: 001E6F29
                          • SelectObject.GDI32(00000000,?), ref: 001E6F37
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 001E6F5B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Create$CompatibleErrorLastObjectSectionSelect
                          • String ID: (
                          • API String ID: 4249600791-3887548279
                          APIs
                          • FreeLibrary.KERNEL32(00000000,?,0022191D,0021D3F5,0000000C,00000000,0025BF40,00000000,?,00221B2A,00000022,FlsSetValue,002432EC,CONIN$,0025BF40), ref: 002218CF
                          Strings
                          Yara matches
                          Similarity
                          • API ID: FreeLibrary
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 3664257935-537541572
                          APIs
                          • GetProcessHeap.KERNEL32(FE025AF7,00000000,00000000,00000000,0022F380,000000FF,?,001C5255,00000008,00000040), ref: 001C8CC4
                          • HeapAlloc.KERNEL32(00000000,00000008,001C5255,?,001C5255,00000008,00000040), ref: 001C8CD3
                          • GetModuleHandleW.KERNEL32(ntdll.dll,?,001C5255,00000008,00000040), ref: 001C8CF1
                          • GetProcAddress.KERNEL32(00000000,RtlDisownModuleHeapAllocation), ref: 001C8D01
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AddressAllocHandleModuleProcProcess
                          • String ID: RtlDisownModuleHeapAllocation$ntdll.dll
                          • API String ID: 3242894177-704576883
                          APIs
                          • CreateSolidBrush.GDI32(00000000), ref: 001E578C
                          • FillRect.USER32(?,?,00000000), ref: 001E579B
                          • DeleteObject.GDI32(00000000), ref: 001E57A2
                          • GetSysColorBrush.USER32(00000005), ref: 001E57AD
                          • FillRect.USER32(?,?,00000000), ref: 001E57BA
                          Strings
                          Yara matches
                          Similarity
                          • API ID: BrushFillRect$ColorCreateDeleteObjectSolid
                          • String ID: K
                          • API String ID: 133592406-856455061
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                            • Part of subcall function 0020623B: __EH_prolog3.LIBCMT ref: 00206242
                            • Part of subcall function 0020623B: std::_Lockit::_Lockit.LIBCPMT ref: 0020624D
                            • Part of subcall function 0020623B: std::locale::_Setgloballocale.LIBCPMT ref: 00206268
                            • Part of subcall function 0020623B: _Yarn.LIBCPMT ref: 0020627E
                            • Part of subcall function 0020623B: std::_Lockit::~_Lockit.LIBCPMT ref: 002062BB
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001E204F
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001E2071
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001E2091
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001E20BF
                          • std::_Facet_Register.LIBCPMT ref: 001E2165
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001E217F
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3RegisterSetgloballocaleYarnstd::locale::_
                          • String ID:
                          • API String ID: 248158571-0
                          APIs
                          Yara matches
                          Similarity
                          • API ID: Cpp_errorMtx_unlockThrow_std::_$Cnd_broadcastCurrentThread
                          • String ID:
                          • API String ID: 3121442025-0
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D378D
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D37B0
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D37D0
                          • std::_Facet_Register.LIBCPMT ref: 001D3845
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 001D385D
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001D3876
                          Yara matches
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                          • String ID:
                          • API String ID: 2081738530-0
                          APIs
                          • GetLastError.KERNEL32(?,?,0020B59B,00208E0F,0020500C,FE025AF7,?,?,?,00000000,002332BF,000000FF,?,001CC433,?,?), ref: 0020B5B2
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0020B5C0
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0020B5D9
                          • SetLastError.KERNEL32(00000000,?,0020B59B,00208E0F,0020500C,FE025AF7,?,?,?,00000000,002332BF,000000FF,?,001CC433,?,?), ref: 0020B62B
                          Yara matches
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          • API String ID: 3852720340-0
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FF6E3
                            • Part of subcall function 0020CD8D: IsProcessorFeaturePresent.KERNEL32(00000017,0020C9B2,?,0020C921,?,0025BF40,0020CB30,?,?,?,?,?,00000000,0025BF40,0025BF40), ref: 0020CDA9
                            • Part of subcall function 001CD910: GetLastError.KERNEL32(?,00000018,001CBFDF,?,001CC196,FE025AF7,00000018,?,000000FF,?,001CC0F2,FE025AF7,FE025AF7), ref: 001CDB64
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FF88F
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush$ErrorFeatureLastPresentProcessor
                          • String ID: ($#$#
                          • API String ID: 1119611969-174476448
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 00200099
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?,?,FE025AF7), ref: 002001D9
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: )$P#$`#
                          • API String ID: 4129690577-211417682
                          APIs
                          • LoadLibraryW.KERNEL32(combase.dll,RoGetAgileReference,?,00234BB8,00000000,FE025AF7,000003FF), ref: 001C3BF8
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001C3BFE
                          • CoCreateInstance.OLE32(00234C84,00000000,00000001,00234BE8,00000000,?,00234BB8,00000000,FE025AF7,000003FF), ref: 001C3C3E
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressCreateInstanceLibraryLoadProc
                          • String ID: RoGetAgileReference$combase.dll
                          • API String ID: 3919134875-3498391780
                          APIs
                          • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException,FE025AF7,?,00000000,?,?,?,?,001CDB44), ref: 001CCBBC
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001CCBC2
                          • GetErrorInfo.OLEAUT32(00000000,?), ref: 001CCC1B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressErrorInfoLibraryLoadProc
                          • String ID: RoOriginateLanguageException$combase.dll
                          • API String ID: 1186719886-3996158991
                          APIs
                          • DrawTextW.USER32(?,?,00000001,?,00000400), ref: 001E86FA
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,40CC0020), ref: 001E8720
                          • DrawTextW.USER32(?,?,00000001,?,00000000), ref: 001E8730
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,40CC0020), ref: 001E873D
                          Strings
                          Yara matches
                          Similarity
                          • API ID: DrawText$InvalidateRect
                          • String ID: |
                          • API String ID: 2869007148-2343686810
                          APIs
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001F64BC
                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 001F64CB
                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 001F64D7
                          • DeleteDC.GDI32(00000000), ref: 001F64E1
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CapsDevice$CreateDelete
                          • String ID: DISPLAY
                          • API String ID: 1414271107-865373369
                          APIs
                          • LoadIconW.USER32(APPICON), ref: 001E8AF6
                          • lstrcpynW.KERNEL32(?,ZoomIt,0000000E), ref: 001E8B10
                          • Shell_NotifyIconW.SHELL32(00000002,000003BC), ref: 001E8B2B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Icon$LoadNotifyShell_lstrcpyn
                          • String ID: APPICON$ZoomIt
                          • API String ID: 1755092107-89435440
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FE025AF7,0025BF40,?,00000000,0022F380,000000FF,?,00212933,?,?,00212907,0025BF40), ref: 0021298C
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0021299E
                          • FreeLibrary.KERNEL32(00000000,?,00000000,0022F380,000000FF,?,00212933,?,?,00212907,0025BF40), ref: 002129C0
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          APIs
                          • GetProcessHeap.KERNEL32(?,00000000,?,00000000,0025B144), ref: 001E3CEC
                          • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0025B144), ref: 001E3CF2
                          • GetProcessHeap.KERNEL32(?,00000000,?,00000000,0025B144), ref: 001E3D17
                          • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0025B144), ref: 001E3D1D
                          • Concurrency::details::_ContextCallback::_CallInContext.LIBCPMT ref: 001E3EA8
                          Yara matches
                          Similarity
                          • API ID: Heap$ContextFreeProcess$CallCallback::_Concurrency::details::_
                          • String ID:
                          • API String ID: 1811661268-0
                          APIs
                          Yara matches
                          Similarity
                          • API ID: Cpp_errorMtx_unlockThrow_std::_$CurrentThread
                          • String ID:
                          • API String ID: 1315262506-0
                          APIs
                            • Part of subcall function 001E6E90: CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 001E6F00
                            • Part of subcall function 001E6E90: GetLastError.KERNEL32(?,?,?), ref: 001E6F0F
                          • GdipBitmapGetPixel.GDIPLUS(?,00000000,00000000,?), ref: 001E591D
                          • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 001E5984
                          • SelectObject.GDI32(?,?), ref: 001E598E
                          • DeleteObject.GDI32(?), ref: 001E5997
                          • DeleteDC.GDI32(?), ref: 001E599E
                          Yara matches
                          Similarity
                          • API ID: DeleteObject$BitmapCreateErrorGdipLastPixelSectionSelect
                          • String ID:
                          • API String ID: 581365887-0
                          APIs
                          • GetProcessHeap.KERNEL32(?,00000000,?,001C186B,?,?), ref: 001CC35F
                          • HeapFree.KERNEL32(00000000,00000000,001C186B,?,00000000,?,001C186B,?,?), ref: 001CC369
                          • GetProcessHeap.KERNEL32(00000000,001C186F,?,?,00000000,?,001C186B,?,?), ref: 001CC38B
                          • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,001C186B,?,?), ref: 001CC392
                          • GetProcessHeap.KERNEL32(?,?,00000000,?,001C186B,?,?), ref: 001CC3E9
                          • HeapFree.KERNEL32(00000000,00000000,001C186B,?,?,00000000,?,001C186B,?,?), ref: 001CC3F3
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$Free$Alloc
                          • String ID:
                          • API String ID: 3689955550-0
                          • Opcode ID: 870e1be23a8baf9f7a5da08b0e223299d88f789c6a5337670c14eb87873c2ab4
                          • Instruction ID: 77239c897bf8dddfa94a29d4fef12377a401d98d99e1d57a2b5d22c9263b2c7b
                          • Opcode Fuzzy Hash: 870e1be23a8baf9f7a5da08b0e223299d88f789c6a5337670c14eb87873c2ab4
                          • Instruction Fuzzy Hash: B721DA726413129BDB186F59FC48B96BB68FF25331F11826AF91987290D771EC11CBD0
                          APIs
                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 001F2636
                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 001F2656
                          • CreateCompatibleDC.GDI32(?), ref: 001F2675
                          • SelectObject.GDI32(00000000,00000000), ref: 001F2682
                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,40CC0020), ref: 001F26A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CompatibleCreate$Bitmap$ObjectSelect
                          • String ID:
                          • API String ID: 3563067329-0
                          • Opcode ID: 61ad5b3b8dc2e74ee29775a82471ed70b7a935aa396992f3cf0fb2904ef8cb38
                          • Instruction ID: 7f40a81333a4b9947d3025763468c9eff40eaf92878774585922f0dfe1e495fb
                          • Opcode Fuzzy Hash: 61ad5b3b8dc2e74ee29775a82471ed70b7a935aa396992f3cf0fb2904ef8cb38
                          • Instruction Fuzzy Hash: 8C218E71200205EFDF159FA5EC44F6A7BA9EF18310F140028FE05D6261D731E810DB65
                          APIs
                          • GdipAlloc.GDIPLUS(00000010), ref: 001E7748
                          • GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010), ref: 001E7776
                          • GdipGetImageGraphicsContext.GDIPLUS(?,00000000,?,?,00000000,0026200A,00000000,?,00000010), ref: 001E7794
                          • GdipDrawLineI.GDIPLUS(00000000,?,?,?,?,?,00000010), ref: 001E77C7
                          • GdipDeleteGraphics.GDIPLUS(00000000,00000000,?,?,?,?,?,00000010), ref: 001E77CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Gdip$Graphics$AllocBitmapContextCreateDeleteDrawFromImageLineScan0
                          • String ID:
                          • API String ID: 2922471967-0
                          • Opcode ID: fe8b73a85022443b9917c1154a67f15073357447e331c61b09c1febc10eb064e
                          • Instruction ID: f88022ebc3a71000ce42ad47d1c97693f95e872a626aa1102e7bbac87afcba7b
                          • Opcode Fuzzy Hash: fe8b73a85022443b9917c1154a67f15073357447e331c61b09c1febc10eb064e
                          • Instruction Fuzzy Hash: 3D113AB2911208EFDB10EFA9CD41EAEBBF8EF54740F118159F918A7251C770AE109B90
                          APIs
                          • __EH_prolog3.LIBCMT ref: 00206242
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0020624D
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 002062BB
                            • Part of subcall function 0020639D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002063B5
                          • std::locale::_Setgloballocale.LIBCPMT ref: 00206268
                          • _Yarn.LIBCPMT ref: 0020627E
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                          • String ID:
                          • API String ID: 1088826258-0
                          • Opcode ID: 76e82c45fb057dc58140dc8cda1b6dad0fa12e0804cb34c5a3cb82236c9775af
                          • Instruction ID: 1b6a06099c3f3bf63bf702146e769dfee008e79b2fcae06b88f253276605eaa2
                          • Opcode Fuzzy Hash: 76e82c45fb057dc58140dc8cda1b6dad0fa12e0804cb34c5a3cb82236c9775af
                          • Instruction Fuzzy Hash: 9A019A75A107219FCB06EF20E85A67D7BA2BF85710B144049E801173C2CF74AA22CFD5
                          APIs
                          • AcquireSRWLockExclusive.KERNEL32(?,FE025AF7), ref: 001C8931
                            • Part of subcall function 001C3110: InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001C31EF
                          • ReleaseSRWLockExclusive.KERNEL32(?,00000000,?), ref: 001C8C26
                          • SetEvent.KERNEL32(00000000,00000000,?), ref: 001C8C2F
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001C8C85
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExclusiveLock$AcquireEntryEventInterlockedListPushRelease
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h
                          • API String ID: 1711949707-2419448822
                          • Opcode ID: 7d87c7c7efc6c230b5e25ae75b2aa3314e9e169f19d6f6f0910f6c0e70d1d084
                          • Instruction ID: 186c57effc6acd612dd8713e414c6dd83058afc42a754be24e0dfb8483480ada
                          • Opcode Fuzzy Hash: 7d87c7c7efc6c230b5e25ae75b2aa3314e9e169f19d6f6f0910f6c0e70d1d084
                          • Instruction Fuzzy Hash: D1C157709012099FDB15DFA4D884FEEBBB8FF28304F14456DE815A7291DB31EA04CBA4
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FFBB3
                            • Part of subcall function 0020CD8D: IsProcessorFeaturePresent.KERNEL32(00000017,0020C9B2,?,0020C921,?,0025BF40,0020CB30,?,?,?,?,?,00000000,0025BF40,0025BF40), ref: 0020CDA9
                            • Part of subcall function 001CD910: GetLastError.KERNEL32(?,00000018,001CBFDF,?,001CC196,FE025AF7,00000018,?,000000FF,?,001CC0F2,FE025AF7,FE025AF7), ref: 001CDB64
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FFD5F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush$ErrorFeatureLastPresentProcessor
                          • String ID: $$8#
                          • API String ID: 1119611969-417349458
                          • Opcode ID: c6f35403e9393f123a4c0b42ea86e3e5c2a9406d92a5d85ff205ee45e9f319d8
                          • Instruction ID: 921693be750ab5df223d71c245ed98e634fd7744c7d23ec685539ce32b2fed06
                          • Opcode Fuzzy Hash: c6f35403e9393f123a4c0b42ea86e3e5c2a9406d92a5d85ff205ee45e9f319d8
                          • Instruction Fuzzy Hash: 62B15BB5A002199FCB11DF94D881FAEBBB8FF19714F10416AEA05EB341D771AA45CBE0
                          APIs
                          • ResetEvent.KERNEL32(00000000,FE025AF7,?,?), ref: 001FF0B4
                          • WaitForMultipleObjectsEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000), ref: 001FF19F
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001FF2F8
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001FF2E3
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Concurrency::cancel_current_taskEventMultipleObjectsResetWait
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h
                          • API String ID: 109737328-2419448822
                          • Opcode ID: c38caaad9f52523e4406f8b6f32985f09a8ef2b80d063d16bc407bb037363b62
                          • Instruction ID: 17738f1ede5e9040631952e7256884db0f96268f5cd740c9ce9a6653337a34dc
                          • Opcode Fuzzy Hash: c38caaad9f52523e4406f8b6f32985f09a8ef2b80d063d16bc407bb037363b62
                          • Instruction Fuzzy Hash: 18A18071E042099BCB14CFB8C845BAEBBB5AF59314F14422DF915E7391EB70E942CB90
                          APIs
                          • EncodePointer.KERNEL32(00000000,?), ref: 0020BCDC
                          • CatchIt.LIBVCRUNTIME ref: 0020BDC2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CatchEncodePointer
                          • String ID: MOC$RCC
                          • API String ID: 1435073870-2084237596
                          • Opcode ID: 9873609d8901887932aaf2ccd1601b3822e74dd244b74f1b675eefcbaceccf57
                          • Instruction ID: 158e26d8a2afb1d1f2a14fea1d5161e398992e09787c022480ba011164af311c
                          • Opcode Fuzzy Hash: 9873609d8901887932aaf2ccd1601b3822e74dd244b74f1b675eefcbaceccf57
                          • Instruction Fuzzy Hash: 8E415E7191020AAFCF26DF94CC81AEEBBB5FF48304F1481A9F91467292D7359960DF50
                          APIs
                          • AcquireSRWLockExclusive.KERNEL32(?,FE025AF7,00000001,?,?,000000FF,?,00201E9D,?,?,001F61AD,?,?,001F08B2), ref: 001FEF3E
                          • SetEvent.KERNEL32(00000000,?,000000FF,?,00201E9D), ref: 001FEF5C
                          • ReleaseSRWLockExclusive.KERNEL32(?), ref: 001FEFFA
                            • Part of subcall function 001CD910: GetLastError.KERNEL32(?,00000018,001CBFDF,?,001CC196,FE025AF7,00000018,?,000000FF,?,001CC0F2,FE025AF7,FE025AF7), ref: 001CDB64
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001FF012
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExclusiveLock$AcquireErrorEventLastRelease
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h
                          • API String ID: 1590585915-2419448822
                          • Opcode ID: 70c1159b69e43f45aa03ecf0d981638869a75aa180d79ffc7d03655379f838da
                          • Instruction ID: 066bcf37fa5c55febccd5d6ddd97feca185f64f25cc83a34b511faebed1f495a
                          • Opcode Fuzzy Hash: 70c1159b69e43f45aa03ecf0d981638869a75aa180d79ffc7d03655379f838da
                          • Instruction Fuzzy Hash: DE316D71A0020AAFDB04DFA5D845BBAB7B8EF55704F10056DF619E7250DB71E901CBA0
                          APIs
                          • std::_Ref_count_base::_Decref.LIBCPMT ref: 00205096
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: DecrefRef_count_base::_std::_
                          • String ID: MOC$RCC$csm
                          • API String ID: 1456557076-2671469338
                          • Opcode ID: 7e14744e9fb41d69e2a9d141d1ccd56a02d4bd48ffe6a0ad4f2012092da193f5
                          • Instruction ID: 87fe47346739742e4e92b4e4e5299c9b44e75543e9d2f40ef507caa2cfd727af
                          • Opcode Fuzzy Hash: 7e14744e9fb41d69e2a9d141d1ccd56a02d4bd48ffe6a0ad4f2012092da193f5
                          • Instruction Fuzzy Hash: FE21F471421B26DBCF24DF64C445B6FB3B9EF08320F548519E801872C2D774A960CEC1
                          APIs
                          • MessageBoxW.USER32(?,?,ZoomIt,00000000), ref: 001EF754
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID: byte limit)$Unsupported DemoType file size ($ZoomIt
                          • API String ID: 2030045667-480577459
                          • Opcode ID: b87d56b791f6806c5c419b5987907c1ccc82de968b06f4bc31298b9b2a45a6b3
                          • Instruction ID: b12a4c6b6644be2f2078e83f9a7fcfcbad197031cd86cf7651ccbf29e4ef22db
                          • Opcode Fuzzy Hash: b87d56b791f6806c5c419b5987907c1ccc82de968b06f4bc31298b9b2a45a6b3
                          • Instruction Fuzzy Hash: 1F318D70D153598BEB14EF20D95ABA9B374AF69308F1082DAE40D27192EFB06AC4CF50
                          APIs
                          • WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,?,?,?,?,?,?,Must initialize audio sample generator before use!), ref: 001CAF30
                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,Must initialize audio sample generator before use!), ref: 001CAF50
                          Strings
                          • Must initialize audio sample generator before use!, xrefs: 001CAF5F
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001CAF96, 001CAFAF
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: EventObjectSingleWait
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h$Must initialize audio sample generator before use!
                          • API String ID: 582559000-3061329012
                          • Opcode ID: 25dac14576b34417d79910d2b4afc3deb520c97bae4d9aa1a93c8669455226a0
                          • Instruction ID: bd13a9f1ef1685c855576a4c551aaba2bdf4ccdb77f5e4f18cc186631425062d
                          • Opcode Fuzzy Hash: 25dac14576b34417d79910d2b4afc3deb520c97bae4d9aa1a93c8669455226a0
                          • Instruction Fuzzy Hash: E511CEB06142086BCB10EB64DC56FAE37ADAF36704F40055CF589A7191CBB0FC508B62
                          APIs
                          • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000101,?), ref: 001CE375
                          • RegQueryValueExW.ADVAPI32(00000000,EulaAccepted,00000000,00000000,00000000,?), ref: 001CE39B
                          • RegCloseKey.ADVAPI32(00000000), ref: 001CE3A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: EulaAccepted
                          • API String ID: 3677997916-921354838
                          • Opcode ID: 84d97cfa296374b925af605aa954f8b43d1a1ef44c85348895d51c23b4935ee4
                          • Instruction ID: 971b0b437e6131c11789353d827a93c3e50275d4dcd3f8b4446d740dfe161dbe
                          • Opcode Fuzzy Hash: 84d97cfa296374b925af605aa954f8b43d1a1ef44c85348895d51c23b4935ee4
                          • Instruction Fuzzy Hash: B0013C75A40208BBDF21DFA0ED09FDDBBB9EB04711F1041E5FE05E2290E775AB249A80
                          APIs
                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 001E8B75
                          • MessageBoxW.USER32(?,?,ZoomIt,00000010), ref: 001E8BA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message$Format
                          • String ID: %s: %s$ZoomIt
                          • API String ID: 3443136239-1171031162
                          • Opcode ID: 30a69596ad028ce2500eab7d725783b47512622e6212956d873ae78f25932fc1
                          • Instruction ID: fd71ab8b4599061a8a10b293d34b5f0a8164d51cbe8467d34deb98b984733170
                          • Opcode Fuzzy Hash: 30a69596ad028ce2500eab7d725783b47512622e6212956d873ae78f25932fc1
                          • Instruction Fuzzy Hash: B4018175A4020CBBDB10AF54EC06FEE77BCEB09B00F104095FA44B7181DAB07A988B94
                          APIs
                          • LoadLibraryW.KERNEL32(combase.dll,RoTransformError), ref: 001C3A6E
                          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001C3A74
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoTransformError$combase.dll
                          • API String ID: 2574300362-573582502
                          • Opcode ID: f58e75995b833bcd7fd22087229f12c51c26820d794098fc88c98f3326cabf74
                          • Instruction ID: fe4e460a6f18302a4e2d6846cdb18f0a3ff23aad6aa7f5572d259ed6237bb2e8
                          • Opcode Fuzzy Hash: f58e75995b833bcd7fd22087229f12c51c26820d794098fc88c98f3326cabf74
                          • Instruction Fuzzy Hash: F7F0E9B464131166CB297AAC5C5DF093248A770304F54CC3DF8A8FB291E724DE704B56
                          APIs
                          • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0020C658,?,?,00000000,?,?,?,0020C782,00000002,FlsGetValue,00240728,FlsGetValue), ref: 0020C6B4
                          • GetLastError.KERNEL32(?,0020C658,?,?,00000000,?,?,?,0020C782,00000002,FlsGetValue,00240728,FlsGetValue,?,?,0020B5C5), ref: 0020C6BE
                          • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0020C6E6
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID: api-ms-
                          • API String ID: 3177248105-2084034818
                          • Opcode ID: 69fc922fdb7baa71477b04d5e954592441da20cd245a2a56cf20612f587f1525
                          • Instruction ID: abffb80ffcde57987c2b7d2d8e054039b75e1f1db54d348e2089b80570be51a2
                          • Opcode Fuzzy Hash: 69fc922fdb7baa71477b04d5e954592441da20cd245a2a56cf20612f587f1525
                          • Instruction Fuzzy Hash: 06E04871290309B7EF602F90FC0AB593F59AB50B50F244060F90DE44E1EB73E8B19944
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00206EFA
                          • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00206F06
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetTempPath2W$kernel32.dll
                          • API String ID: 1646373207-1846531799
                          • Opcode ID: d161f7b1eae00bd7da8b0db083f77bb9f77f90dba81c2f5eb50c5848ca236b78
                          • Instruction ID: 63b602b45c758e6549779ee0216d85ace0d6aa3fa0a83bd8ef7a258945e63111
                          • Opcode Fuzzy Hash: d161f7b1eae00bd7da8b0db083f77bb9f77f90dba81c2f5eb50c5848ca236b78
                          • Instruction Fuzzy Hash: 5AE01232A406296BCB217BD1FD0D84F7F28EB167E17404062FD49A7260CA31AC709BD0
                          APIs
                          • GetModuleHandleW.KERNEL32(kernelbase.dll), ref: 001CB7C8
                          • GetProcAddress.KERNEL32(00000000,RaiseFailFastException), ref: 001CB7D4
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: RaiseFailFastException$kernelbase.dll
                          • API String ID: 1646373207-919018592
                          • Opcode ID: 641c60a745b54e70b9e3d8e4baabc43196ab351d0ab16d962051b68a2f6a87eb
                          • Instruction ID: 7a50e7f0a141f7fb5e850c669b697a9b55319aaf110738f8b657c8910af44902
                          • Opcode Fuzzy Hash: 641c60a745b54e70b9e3d8e4baabc43196ab351d0ab16d962051b68a2f6a87eb
                          • Instruction Fuzzy Hash: 2DC08C723C8788AB960037E27C4EF26375C8922F14B0000D9F548C1880EA51F060C160
                          APIs
                          • GetConsoleOutputCP.KERNEL32(FE025AF7,00000000,00000000,?), ref: 00222EEF
                            • Part of subcall function 00221F8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,0025BF40,00000000,0025BF40,?,?,00220F2B,?,00000000,00253FD0), ref: 00221FEC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00223141
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00223187
                          • GetLastError.KERNEL32 ref: 0022322A
                          Similarity
                          • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                          • String ID:
                          • API String ID: 2112829910-0
                          • Opcode ID: 99f5c0fbfcf988f4abf8657b60811acaddeb86992c748d8cd4225ca2dec2c228
                          • Instruction ID: 79934a125b9830cc5f344e6332a2f0fcc6a68e617b71ddab3bbd7b92d8186265
                          • Opcode Fuzzy Hash: 99f5c0fbfcf988f4abf8657b60811acaddeb86992c748d8cd4225ca2dec2c228
                          • Instruction Fuzzy Hash: CFD18A75D10268EFCB15CFE8E880AADBBB4FF09310F24416AE856EB351D635AA51CF50
                          Similarity
                          • API ID: Mtx_unlock
                          • String ID:
                          • API String ID: 1418687624-0
                          • Opcode ID: a66c3f98cc39a5ecba3959a225e260837f7fd6db740ce1b4ff225cd473392ad6
                          • Instruction ID: e55ae6156032d74ad6d0136b76f15a7956a04c99fcef23b996a9dd859efbf5d4
                          • Opcode Fuzzy Hash: a66c3f98cc39a5ecba3959a225e260837f7fd6db740ce1b4ff225cd473392ad6
                          • Instruction Fuzzy Hash: CF51B771A0020DEFCB14DFA8D981AAEB7B9FF44314F104169E91597281DB71E915CFD0
                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001F6E52
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001F6E57
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001F6E5C
                          • Concurrency::cancel_current_task.LIBCPMT ref: 001F6E61
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: 9ec6caab8e39b0bd0f7410c56b64cbc5b5f30d6282c632dfc0c7950663be3f23
                          • Instruction ID: 496a7f3d72e28b704551c319b809d2398967b956ffc9b514be51c2f77efbc984
                          • Opcode Fuzzy Hash: 9ec6caab8e39b0bd0f7410c56b64cbc5b5f30d6282c632dfc0c7950663be3f23
                          • Instruction Fuzzy Hash: C851F4B6600219DBCB14DF59C480A79B7E1FF98310B25856DED998B342EB31ECA1CB90
                          Similarity
                          • API ID: AdjustPointer
                          • String ID:
                          • API String ID: 1740715915-0
                          • Opcode ID: 14546363f6e799d43f95087ee807051b9606538a9164256f9cddc573fd04ffa5
                          • Instruction ID: b62bb15f53c5d640a7f52358c8e4916a44728babeb7864966b449a070891c7a7
                          • Opcode Fuzzy Hash: 14546363f6e799d43f95087ee807051b9606538a9164256f9cddc573fd04ffa5
                          • Instruction Fuzzy Hash: F251B076A21703AFEB3A9F15D845B7AB3A4FF84711F18412DE841466E3DB31AC60CB94
                          APIs
                          • __Mtx_unlock.LIBCPMT ref: 001FA276
                          • __Mtx_unlock.LIBCPMT ref: 001FA287
                            • Part of subcall function 001F84B0: __Cnd_broadcast.LIBCPMT ref: 001F84DC
                            • Part of subcall function 001F84B0: __Mtx_unlock.LIBCPMT ref: 001F84E2
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001FA2C3
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001FA2CE
                          Similarity
                          • API ID: Mtx_unlock$Cpp_errorThrow_std::_$Cnd_broadcast
                          • String ID:
                          • API String ID: 4207855644-0
                          • Opcode ID: 6c27639663a12271311decfcb325b3202800773f1d94a014de033a695ac456c6
                          • Instruction ID: 96f44e4d4bd855f0bfe39e439319f72cd1ba9ae38b518bef1ea34a0f40ab1df8
                          • Opcode Fuzzy Hash: 6c27639663a12271311decfcb325b3202800773f1d94a014de033a695ac456c6
                          • Instruction Fuzzy Hash: 515159B0E01609DFDB14DFA4C994BAEBBB4BF05304F20416DE819A7392DB35AA15CF91
                          APIs
                          • CoGetObjectContext.OLE32(00234C58,00000000,FE025AF7,?,00000000,?,?,00000000,0022FD2D,000000FF,?,00000000), ref: 001CD5EE
                          • TrySubmitThreadpoolCallback.KERNEL32(001CD790,?,00000000), ref: 001CD64A
                          • CoGetApartmentType.OLE32(00000000,?,FE025AF7,?,00000000,?,?,00000000,0022FD2D,000000FF,?,00000000), ref: 001CD664
                          • TrySubmitThreadpoolCallback.KERNEL32(001CC720,00000000,00000000), ref: 001CD6F0
                          Similarity
                          • API ID: CallbackSubmitThreadpool$ApartmentContextObjectType
                          • String ID:
                          • API String ID: 1491026569-0
                          • Opcode ID: 7ec0ab24a2ac2d7f7c0ac073818442729107a9036ac364a49396f0ce1806e428
                          • Instruction ID: c14a9bed231d6686c3176ffc548796b67926fa1217c2d240f87e145b255342e4
                          • Opcode Fuzzy Hash: 7ec0ab24a2ac2d7f7c0ac073818442729107a9036ac364a49396f0ce1806e428
                          • Instruction Fuzzy Hash: 7641BF76504219AFDB14DF99E845FAAB7A8FB64310F00813EE81D8B740EB31EA50CB51
                          Similarity
                          • API ID: Cpp_errorMtx_unlockThrow_std::_
                          • String ID:
                          • API String ID: 2243708590-0
                          • Opcode ID: d1ffd790315299a0f6186568c4bc2ae8920bc378b1fc725517f600f1b9773ddd
                          • Instruction ID: 351d277e2c3519a21c9cf904654b3ab59960a74489eea236880b9d18f235bdc9
                          • Opcode Fuzzy Hash: d1ffd790315299a0f6186568c4bc2ae8920bc378b1fc725517f600f1b9773ddd
                          • Instruction Fuzzy Hash: 0651B0B0A0470AAFDB24CF64C588B7AFBB1FF05315F148229E929976D1DB30A955CB81
                          APIs
                          • BitBlt.GDI32(?,?,?,0000000B,0000000B,?,00000000,00000000,40CC0020), ref: 001F3134
                          • BitBlt.GDI32(?,00000000,00000000,0000000F,0000000F,?,?,?,40CC0020), ref: 001F3236
                          • SystemParametersInfoW.USER32(0000003B,00000008,0025BF70,00000002), ref: 001F3256
                          • SendMessageW.USER32(?,00000201,000000FF), ref: 001F3272
                          Similarity
                          • API ID: InfoMessageParametersSendSystem
                          • String ID:
                          • API String ID: 3487539347-0
                          • Opcode ID: 2490e8415adecd3617b4c7813457be702387cf166677bcf48e8c87eb0ae4b278
                          • Instruction ID: e6062da3727386668283b93952dfab44946c954c71e71597e29a3f1808c8dc63
                          • Opcode Fuzzy Hash: 2490e8415adecd3617b4c7813457be702387cf166677bcf48e8c87eb0ae4b278
                          • Instruction Fuzzy Hash: 6841D970710208AFEF1A9F3CEC59B797696EF89705F158339F615A61E4E770AC808B14
                          APIs
                            • Part of subcall function 001CCA30: SysStringLen.OLEAUT32(00000000), ref: 001CCA8A
                            • Part of subcall function 001CCA30: SysFreeString.OLEAUT32(00000000), ref: 001CCAA7
                            • Part of subcall function 001CCA30: SysFreeString.OLEAUT32(00000000), ref: 001CCABB
                            • Part of subcall function 001CCA30: SysFreeString.OLEAUT32(00000000), ref: 001CCAD3
                          • GetProcessHeap.KERNEL32(?,?), ref: 001C87B3
                          • HeapFree.KERNEL32(00000000,?,?), ref: 001C87B9
                          Similarity
                          • API ID: FreeString$Heap$Process
                          • String ID: `M#$winrt::hresult_error: %ls
                          • API String ID: 2604458438-3945820870
                          • Opcode ID: c2990f5abc3e89eca2df79a42f693180bfde4bc53ec14f430adff3c166cd4cde
                          • Instruction ID: 5047da5dcf5f21f62140e2f720e8e38576bcc6c0476bc22ae07184905e6c247a
                          • Opcode Fuzzy Hash: c2990f5abc3e89eca2df79a42f693180bfde4bc53ec14f430adff3c166cd4cde
                          • Instruction Fuzzy Hash: 72310170A10308ABD714DF68C941BA6B3B4FF25724F20836DFC1997682EB30E990CB90
                          APIs
                            • Part of subcall function 00221F8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,0025BF40,00000000,0025BF40,?,?,00220F2B,?,00000000,00253FD0), ref: 00221FEC
                          • GetLastError.KERNEL32 ref: 00225998
                          • __dosmaperr.LIBCMT ref: 0022599F
                          • GetLastError.KERNEL32(?,?,?,?), ref: 002259D9
                          • __dosmaperr.LIBCMT ref: 002259E0
                          Similarity
                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                          • String ID:
                          • API String ID: 1913693674-0
                          • Opcode ID: 6d039806e5586fa0366f026b18e61b9645d70a2f86a9424f97eb1236d2752933
                          • Instruction ID: 928d6aeabe3b4367573512717b09375628c9629ed629500f1ac1f9068c8f6264
                          • Opcode Fuzzy Hash: 6d039806e5586fa0366f026b18e61b9645d70a2f86a9424f97eb1236d2752933
                          • Instruction Fuzzy Hash: 3C219571620A36FFDB20AFA5E88096A77A8EF11364710C525F91997151DB31ECB08BD0
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b5827cb92f6cb8c79175e909190f0534cc8d8f85d0bd773459d335a95fcdf11
                          • Instruction ID: 87b10471ac6a36f3d5e062901824e1b533f2e4bf0bd16576178a130fafa208db
                          • Opcode Fuzzy Hash: 9b5827cb92f6cb8c79175e909190f0534cc8d8f85d0bd773459d335a95fcdf11
                          • Instruction Fuzzy Hash: BC21A771224206EFCB10AF64DC819EE7BE9EF703547228526FA1587251D770ECB49BD0
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 002268DD
                            • Part of subcall function 00221F8B: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,0025BF40,00000000,0025BF40,?,?,00220F2B,?,00000000,00253FD0), ref: 00221FEC
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00226915
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00226935
                          • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                          • String ID:
                          • API String ID: 158306478-0
                          • Opcode ID: 5fd030da15927ee2fd710a960eb159e1e0af3084bae9e46cc4d0c5dbbc8af345
                          • Instruction ID: f6ec97c66cfc20655928c21966439fcc4da1b2a62d7a1d9fc2c96ceb2aa2425f
                          • Opcode Fuzzy Hash: 5fd030da15927ee2fd710a960eb159e1e0af3084bae9e46cc4d0c5dbbc8af345
                          • Instruction Fuzzy Hash: 5811C4F2932236BFA6212BF27CCDCAF696CDE453943610615FC01A5101EF70AD6185B1
                          APIs
                          • GetMessageExtraInfo.USER32 ref: 001F35F8
                          • ClipCursor.USER32(00000000,?,?,?,?,?,?,?,?,001ED56A,?,0025C5A4,?,?,?,?), ref: 001F3616
                          • GetClipCursor.USER32(?,?,?,?,?,?,?,001ED56A,?,0025C5A4,?,?,?,?), ref: 001F3695
                          • ClipCursor.USER32(?,?,?,?,?,?,?,001ED56A,?,0025C5A4,?,?,?,?), ref: 001F36A3
                          • API ID: ClipCursor$ExtraInfoMessage
                          • String ID:
                          • API String ID: 2069943561-0
                          • Opcode ID: 777c9dbf8b623dfa06b20cf22316b2421ae4c2a5c8b75d1974427cab9b8623ed
                          • Instruction ID: 1a1fda54e00cd221fcf7c8b94b4c1082315908f37dee06ddb278d2e1874f80cf
                          • Opcode Fuzzy Hash: 777c9dbf8b623dfa06b20cf22316b2421ae4c2a5c8b75d1974427cab9b8623ed
                          • Instruction Fuzzy Hash: BD21C830A0421C9BDF05EF79E5496BDB7F4DF88210F1542AAFC0AA7241EB34AED0CA50
                          APIs
                          • DeleteObject.GDI32(?), ref: 001E9BC9
                          • GetStockObject.GDI32(00000011), ref: 001E9C3C
                          • GetObjectW.GDI32(00000000,0000005C,?), ref: 001E9C49
                          • CreateFontIndirectW.GDI32(?), ref: 001E9C5A
                          • API ID: Object$CreateDeleteFontIndirectStock
                          • String ID:
                          • API String ID: 1113379131-0
                          • Opcode ID: ff56644b3da0bb7407cc466483ee11ff3b3c77429dac985a4583df4c45f5e45f
                          • Instruction ID: 9731e5bf3ddc2d9dff66c595f259c1252f25920bf84926b8b594ba2debcfecfd
                          • Opcode Fuzzy Hash: ff56644b3da0bb7407cc466483ee11ff3b3c77429dac985a4583df4c45f5e45f
                          • Instruction Fuzzy Hash: D8215171A4071DAFDB14EF65EC4DBAEB7B8EB44701F100095AA09AB280DB74AA458F94
                          APIs
                            • Part of subcall function 00207521: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,00207573,001FD910,?,002075B4,001FD910,?,001FD910,00000000,?,FE025AF7,?), ref: 0020752D
                          • __Mtx_unlock.LIBCPMT ref: 00207601
                          • FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,FE025AF7,?,?,?,0022F380,000000FF), ref: 00207627
                          • __Mtx_unlock.LIBCPMT ref: 0020765D
                          • __Cnd_broadcast.LIBCPMT ref: 0020766C
                            • Part of subcall function 0020769E: std::_Throw_Cpp_error.LIBCPMT ref: 002076BF
                          • API ID: Mtx_unlock$CallbackCnd_broadcastCpp_errorFreeHandleLibraryModuleReturnsThrow_Whenstd::_
                          • String ID:
                          • API String ID: 3453748511-0
                          • Opcode ID: b28e02b4797d526ffc832aa46aa7126816c0109b75d7fe937e51b30eea7c389f
                          • Instruction ID: d82ef030656fe9133d7d9248a1cd5dacc6bddef386bcf481c7b1873b1e3b1e7e
                          • Opcode Fuzzy Hash: b28e02b4797d526ffc832aa46aa7126816c0109b75d7fe937e51b30eea7c389f
                          • Instruction Fuzzy Hash: 6211B632E18B115BCB256F65EC16A6F7B78EB45761B24001AF802972D2DF36F821CE54
                          APIs
                          • __Mtx_unlock.LIBCPMT ref: 001D8F02
                          • SendInput.USER32(00000001,?,0000001C,0000001B), ref: 001D8F49
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D8F55
                          • std::_Throw_Cpp_error.LIBCPMT ref: 001D8F66
                          • API ID: Cpp_errorThrow_std::_$InputMtx_unlockSend
                          • String ID:
                          • API String ID: 600990989-0
                          • Opcode ID: 7ffda2cb20a24641be09b1b5f3d5be9e204a9af7961eeb12f500a399059a0073
                          • Instruction ID: c933507f3c2673b0b5ba030d49624f86f3512dd792697dd583abae8c3e7fcc3d
                          • Opcode Fuzzy Hash: 7ffda2cb20a24641be09b1b5f3d5be9e204a9af7961eeb12f500a399059a0073
                          • Instruction Fuzzy Hash: 3F11237195030D9BDF05EBA4DC067AE7769EB05306F200256F904A32C2FB71A9688A99
                          APIs
                          • IsWindowVisible.USER32 ref: 001EF3B5
                          • SendMessageW.USER32(?,00000312,00000000,00000000), ref: 001EF3D7
                          • SendMessageW.USER32(?,00000312,00000000,00000000), ref: 001EF3FE
                          • SendMessageW.USER32(?,00000201,00000000), ref: 001EF435
                          • API ID: MessageSend$VisibleWindow
                          • String ID:
                          • API String ID: 1853625526-0
                          • Opcode ID: 3033b61fa5000a268ee6c299212771ad1d88d15e4e2e0280fbf2156771457815
                          • Instruction ID: 02cc95bab7ab0e6dfbb62d475f9cfc6a4e48c21f104c25e2c28559013c35d39b
                          • Opcode Fuzzy Hash: 3033b61fa5000a268ee6c299212771ad1d88d15e4e2e0280fbf2156771457815
                          • Instruction Fuzzy Hash: 1911DB31A483086FEB255B10FC55B783B61FB44711F3500AAF905BB2E1EBB52890DF58
                          APIs
                          • WideCharToMultiByte.KERNEL32(00000000,00000400,FE025AF7,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,001DEC45,FE025AF7,?,00000000,00000000), ref: 00206F87
                          • GetLastError.KERNEL32(?,001DEC45,FE025AF7,?,00000000,00000000,00000000,FE025AF7,00000000), ref: 00206F93
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,FE025AF7,00000000,00000000,00000000,00000000,00000000,?,001DEC45,FE025AF7,?,00000000,00000000,00000000,FE025AF7), ref: 00206FB9
                          • GetLastError.KERNEL32(?,001DEC45,FE025AF7,?,00000000,00000000,00000000,FE025AF7,00000000), ref: 00206FC5
                          • API ID: ByteCharErrorLastMultiWide
                          • String ID:
                          • API String ID: 203985260-0
                          • Opcode ID: b950de58de4ed608c8687d106632af4dd97a4570e1fc77195214463d83e27db6
                          • Instruction ID: e74f74bb5126649049a12828615ec87c50ae5d1bd4757519cb51600a8b7b1eaf
                          • Opcode Fuzzy Hash: b950de58de4ed608c8687d106632af4dd97a4570e1fc77195214463d83e27db6
                          • Instruction Fuzzy Hash: A901FF3661065ABBCF221E51AC0CD9B3E67EBD97A0B108014FE0696560C6319871A7A1
                          APIs
                          • GetWindowLongW.USER32(FE025AF7,000000EC), ref: 001E887C
                          • SetWindowLongW.USER32(FE025AF7,000000EC,00000000), ref: 001E8891
                          • RedrawWindow.USER32(FE025AF7,00000000,00000000,00000485,?,00000002,?,00000000), ref: 001E88C1
                          • SetWindowLongW.USER32(FE025AF7,000000EC,00000000), ref: 001E88D3
                          • API ID: Window$Long$Redraw
                          • String ID:
                          • API String ID: 533842358-0
                          • Opcode ID: de3e7b69443bbd9181651226141efde85b5d547ec55537735b801d0576762213
                          • Instruction ID: 001411c2a339d6df17915c4635ce8e6d3304238ec5457fa597825471ae7f51bc
                          • Opcode Fuzzy Hash: de3e7b69443bbd9181651226141efde85b5d547ec55537735b801d0576762213
                          • Instruction Fuzzy Hash: E9F02831144A10B7D6057B55BC0EFFA3B1CDB01322F504161F625A50E1CBB82900CB98
                          APIs
                          • BitBlt.GDI32(001EF1E5,00000000,00000000,?,?,?,00000000,00000000,40CC0020), ref: 001F25B6
                          • DeleteObject.GDI32(?), ref: 001F25C4
                          • DeleteDC.GDI32(?), ref: 001F25CC
                          • Beep.KERNEL32(000002BC,000000C8), ref: 001F25EB
                          • API ID: Delete$BeepObject
                          • String ID:
                          • API String ID: 2985197040-0
                          • Opcode ID: 85cd89f53b767b2a53dea2957df4cf5513a17f63d0085a68801d7026dcffd3bf
                          • Instruction ID: 1c9ff74f71e32d40d1f7b8fc43f560eae8299c868c384bdac5fe44ecbbf9640c
                          • Opcode Fuzzy Hash: 85cd89f53b767b2a53dea2957df4cf5513a17f63d0085a68801d7026dcffd3bf
                          • Instruction Fuzzy Hash: 9DF06D32240614FBDB216F94FC09FDABF65EF44B21F204065FF48A61A0C372B8619B95
                          APIs
                          • API ID: Cpp_errorThrow_std::_$Cnd_broadcastMtx_unlock
                          • String ID:
                          • API String ID: 2961400768-0
                          • Opcode ID: 16c2e5a2f311e8a706f2533f308c6d6629e7da6e205587002752cd958a90465c
                          • Instruction ID: 8e41694911aa8e9d06968abd23ab6d6ede177d668c67a314b8000c241c2f6970
                          • Opcode Fuzzy Hash: 16c2e5a2f311e8a706f2533f308c6d6629e7da6e205587002752cd958a90465c
                          • Instruction Fuzzy Hash: 14F0F672510B055BD310AF549806A6777E9AF51311F004019F608476C3DB30F867CF91
                          APIs
                          • SystemParametersInfoW.USER32(0000003B,00000008,0025BF70,00000002), ref: 001E8A30
                          • SystemParametersInfoW.USER32(0000003A,00000008,0025BF70,00000000), ref: 001E8A4F
                          • SystemParametersInfoW.USER32(0000003B,00000008,00000000,00000002), ref: 001E8A71
                          • GetLastError.KERNEL32 ref: 001E8A7B
                          • API ID: InfoParametersSystem$ErrorLast
                          • String ID:
                          • API String ID: 546530044-0
                          • Opcode ID: c7777a1c2333c364e29999cce8d9b010c7a7bc4accd487e2b922ccd8248b2877
                          • Instruction ID: 44726bf3ed324d627246506eb01b30aaa859ffba01a120f29b54662f8f86cd4e
                          • Opcode Fuzzy Hash: c7777a1c2333c364e29999cce8d9b010c7a7bc4accd487e2b922ccd8248b2877
                          • Instruction Fuzzy Hash: A2F062307C0748AAEB219F60BC0EB5C7A68BB01B47F4081D6FA49665C0DFB06559CB95
                          APIs
                          • WriteConsoleW.KERNEL32(00000000,00000000,0025BF40,00000000,00000000,?,0022B2F6,00000000,00000001,?,?,?,0022327E,?,00000000,00000000), ref: 0022DD90
                          • GetLastError.KERNEL32(?,0022B2F6,00000000,00000001,?,?,?,0022327E,?,00000000,00000000,?,?,?,00223858,?), ref: 0022DD9C
                            • Part of subcall function 0022DD62: CloseHandle.KERNEL32(FFFFFFFE,0022DDAC,?,0022B2F6,00000000,00000001,?,?,?,0022327E,?,00000000,00000000,?,?), ref: 0022DD72
                          • ___initconout.LIBCMT ref: 0022DDAC
                            • Part of subcall function 0022DD24: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0022DD53,0022B2E3,?,?,0022327E,?,00000000,00000000,?), ref: 0022DD37
                          • WriteConsoleW.KERNEL32(00000000,00000000,0025BF40,00000000,?,0022B2F6,00000000,00000001,?,?,?,0022327E,?,00000000,00000000,?), ref: 0022DDC1
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          • Opcode ID: 99faf3ed052b77160d1a02f0bf8094c6cd6504610ddab1367011621da61e2d8c
                          • Instruction ID: d2532b14e01a4f0de31107ffb68605c7e50d3c1ae0be04056d2b377bf89d3b7c
                          • Opcode Fuzzy Hash: 99faf3ed052b77160d1a02f0bf8094c6cd6504610ddab1367011621da61e2d8c
                          • Instruction Fuzzy Hash: 6AF01C3B510629BBCF223FD1FC08A897F26EB497A5F454550FA0996161C63298709B90
                          APIs
                          • ClipCursor.USER32(00000024,?,?,001CF46A,FE025AF7), ref: 001CF26E
                          • GetLastError.KERNEL32(00000000,?,?,001CF46A,FE025AF7), ref: 001CF280
                          • DestroyWindow.USER32(?,?,001CF46A,FE025AF7), ref: 001CF289
                          • SetLastError.KERNEL32(00000000,?,001CF46A,FE025AF7), ref: 001CF290
                          • API ID: ErrorLast$ClipCursorDestroyWindow
                          • String ID:
                          • API String ID: 3846995125-0
                          • Opcode ID: b50ee4e4c168728add2e4073fe10e2e968ad11278934c5970d7208271d8b1c87
                          • Instruction ID: 282b0ecfa4d8ff24075a6c9f87e7c8d9e0a57aea6fbdb74a11e6cc2219bb4cd2
                          • Opcode Fuzzy Hash: b50ee4e4c168728add2e4073fe10e2e968ad11278934c5970d7208271d8b1c87
                          • Instruction Fuzzy Hash: 6CF08272510B92ABD7059B75E9CCB86BB98BF69304F14826AE24083911C7B5F4E5C7E0
                          APIs
                          • ReadConsoleInputW.KERNEL32(001CE95F,0000000C,00250268,00000000,?,00212DFC,?,00000001,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222090
                          • GetLastError.KERNEL32(?,00212DFC,?,00000001,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 0022209C
                            • Part of subcall function 00222113: CloseHandle.KERNEL32(FFFFFFFE,00222041,?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222123
                          • ___initconin.LIBCMT ref: 002220AC
                            • Part of subcall function 00221FF7: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,0022206C,00212DC6,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 0022200A
                          • ReadConsoleInputW.KERNEL32(001CE95F,0000000C,00250268,?,00212DFC,?,00000001,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 002220C0
                          • API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
                          • String ID:
                          • API String ID: 838051604-0
                          • Opcode ID: f9b7404aa42639b8176e39acf875054abd94233ec778adccf005800c373f9dc5
                          • Instruction ID: 8d82c8276720a31dc080b3025b2352f7418f165efbd0d607505ce511c90db1c1
                          • Opcode Fuzzy Hash: f9b7404aa42639b8176e39acf875054abd94233ec778adccf005800c373f9dc5
                          • Instruction Fuzzy Hash: 48F01C36000225BBCF123FD4FC088997F22FB59361B414150FA1C96130CB3299789B94
                          APIs
                          • GetConsoleMode.KERNEL32(001CE95F,00000000,?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222025
                          • GetLastError.KERNEL32(?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?,?,?,?,?,00000000,75B4EB20), ref: 00222031
                            • Part of subcall function 00222113: CloseHandle.KERNEL32(FFFFFFFE,00222041,?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222123
                          • ___initconin.LIBCMT ref: 00222041
                            • Part of subcall function 00221FF7: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,0022206C,00212DC6,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 0022200A
                          • GetConsoleMode.KERNEL32(001CE95F,?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?,?,?,?,?,00000000), ref: 0022204F
                          Yara matches
                          Similarity
                          • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                          • String ID:
                          • API String ID: 3067319862-0
                          • Opcode ID: 467e6a70b27b76a803a3137643a1b7b52b02fdd712c7dd7162a29304af23ea65
                          • Instruction ID: d262e009438f5ead45cea57220ad498154f7228f7b2432ef37b59b2963ad7944
                          • Opcode Fuzzy Hash: 467e6a70b27b76a803a3137643a1b7b52b02fdd712c7dd7162a29304af23ea65
                          • Instruction Fuzzy Hash: 4AE01A36510225BBCF253BE5BC0C8997E55EB143A17020160FE0D92130CA32ACB5AB90
                          APIs
                          • SetConsoleMode.KERNEL32(001CE95F,00000000,?,00212DE3,00000000,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 002220DC
                          • GetLastError.KERNEL32(?,00212DE3,00000000,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?,?,?,?,?,00000000), ref: 002220E8
                            • Part of subcall function 00222113: CloseHandle.KERNEL32(FFFFFFFE,00222041,?,00212DDB,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222123
                          • ___initconin.LIBCMT ref: 002220F8
                            • Part of subcall function 00221FF7: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,0022206C,00212DC6,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 0022200A
                          • SetConsoleMode.KERNEL32(001CE95F,?,00212DE3,00000000,?,00250288,00000038,00212D78,00250268,0000000C,001CE95F,Accept Eula (Y/N)?), ref: 00222106
                          Yara matches
                          Similarity
                          • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                          • String ID:
                          • API String ID: 3067319862-0
                          • Opcode ID: 2a21035caff774535a2cd1e2804d67398087850bb68a0e20b999bb3a505c3b8f
                          • Instruction ID: 72da3d0d5e7b39871c4ad261433bebcf898f9eab26bd7ab09654342b790eb3fb
                          • Opcode Fuzzy Hash: 2a21035caff774535a2cd1e2804d67398087850bb68a0e20b999bb3a505c3b8f
                          • Instruction Fuzzy Hash: D3E01A37510125BBCB253BE6BC0C859BE55EB043A17014165FE0DA2121CA329CB48A90
                          Strings
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: x>%$x>%
                          • API String ID: 0-180963616
                          • Opcode ID: e4e1dbb5526ceda7784a4b88bc74fb30a2052cd2e0e0c82aef9b4c5e5b7e2ff6
                          • Instruction ID: 7afc78b21c8bbccf7be852b648dd248a4191860f6a05e20b4d9f80cb1b5bf7f3
                          • Opcode Fuzzy Hash: e4e1dbb5526ceda7784a4b88bc74fb30a2052cd2e0e0c82aef9b4c5e5b7e2ff6
                          • Instruction Fuzzy Hash: 28B15372914225BADB20DFE4DC82FEB77ECAB09740F144566FE15EB182E670E9148F90
                          APIs
                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001D78B5
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Ios_base_dtorstd::ios_base::_
                          • String ID: !$P
                          • API String ID: 323602529-1548567959
                          • Opcode ID: 9583ff508a0971af080c6b5c8dee68312579253fbf1739ef14fc6557d163d46a
                          • Instruction ID: ae4e744ba399387855e2170b353f4f75faaf15b37e959def3cc16dce62846eda
                          • Opcode Fuzzy Hash: 9583ff508a0971af080c6b5c8dee68312579253fbf1739ef14fc6557d163d46a
                          • Instruction Fuzzy Hash: EEA12B749142588FDB65CF58C899BEDB7B4BF18304F14859AE90D6B381EB70AA88CF50
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: __aulldiv
                          • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                          • API String ID: 3732870572-1956417402
                          • Opcode ID: eb3d6869d064495538bcc0862e589cb2f9da346afaa6c9fea09efe257b5402e0
                          • Instruction ID: 655aac8fa01a915e5e2e8e488d9e860c09d0e9dc1097dac1b4827d768e10f11b
                          • Opcode Fuzzy Hash: eb3d6869d064495538bcc0862e589cb2f9da346afaa6c9fea09efe257b5402e0
                          • Instruction Fuzzy Hash: DE51D370B2439A5BEB259F6C885C7BEBBBAAF45310F14406BE4C1972C2C2B099718B50
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FFEF3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: #$5
                          • API String ID: 4129690577-1427938059
                          • Opcode ID: 1ec6ee76680aec32268e3ff4cbbbb28b298551a322209a6dfa81f473f3117e4d
                          • Instruction ID: 4f0d8cd1ce319bbea84239f243837741894736c74befd86f5661604ee17a3ff6
                          • Opcode Fuzzy Hash: 1ec6ee76680aec32268e3ff4cbbbb28b298551a322209a6dfa81f473f3117e4d
                          • Instruction Fuzzy Hash: 28515BB5A002199FCB11DF94C885FAEBBB8FF19314F10416DEA15EB351D771AA05CBA0
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001FF543
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: $$8#
                          • API String ID: 4129690577-417349458
                          • Opcode ID: 3baeaed8c936acff442e58e93104d7b780e24db9475d7918e91aee6ea819526d
                          • Instruction ID: d8f20124cd5dd31a0e9b507be93a1495a3a369690608d23d9302f4314996c019
                          • Opcode Fuzzy Hash: 3baeaed8c936acff442e58e93104d7b780e24db9475d7918e91aee6ea819526d
                          • Instruction Fuzzy Hash: 66516C75A012199FCB10DF94C881BAEBBB8FF19314F10416EEA05EB351D771AA05CBE0
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001E0F3F
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: -$@N#
                          • API String ID: 4129690577-1814346488
                          • Opcode ID: dee7d83003c33ea2b89c8a7f31c412f3eec540243a9e9b1ed4a2755e846edd3c
                          • Instruction ID: 64141ef8976739a8e2ed447d04df7bd047940da1c761405bcc35f8eb2391af84
                          • Opcode Fuzzy Hash: dee7d83003c33ea2b89c8a7f31c412f3eec540243a9e9b1ed4a2755e846edd3c
                          • Instruction Fuzzy Hash: 81515AB5A012199FCB11DF94D881BEEBBB8FF18710F10016AE915EB380D771AA54CBE0
                          APIs
                          • InterlockedPushEntrySList.KERNEL32(0025B250,?), ref: 001C305F
                          Strings
                          Yara matches
                          Similarity
                          • API ID: EntryInterlockedListPush
                          • String ID: -$@N#
                          • API String ID: 4129690577-1814346488
                          • Opcode ID: aed9f86d91552aaae6d58a48e29fdd00505e8c7d812ef9c45065770dacb2d466
                          • Instruction ID: dc39bc3cb023408b1066aa4696db6053601091dbc86e5b1d802156ed498cba9e
                          • Opcode Fuzzy Hash: aed9f86d91552aaae6d58a48e29fdd00505e8c7d812ef9c45065770dacb2d466
                          • Instruction Fuzzy Hash: AF5149B5A012199FDB10DF98D881FAEBBB8FF18710F10416AE915E7381D731AA54CBE0
                          APIs
                          • AcquireSRWLockExclusive.KERNEL32(?,FE025AF7), ref: 001C6655
                          • ReleaseSRWLockExclusive.KERNEL32(?,?,FE025AF7), ref: 001C6669
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExclusiveLock$AcquireRelease
                          • String ID: `M#
                          • API String ID: 17069307-1344688648
                          • Opcode ID: e14329fe443a235cd98b45c875bf8eaf0c9106653b4216d604630760b8cb5e2f
                          • Instruction ID: ae17fa012f39ef2bfa82fd02759b7324ac7cc00fc4c341419035f307c27f2e1d
                          • Opcode Fuzzy Hash: e14329fe443a235cd98b45c875bf8eaf0c9106653b4216d604630760b8cb5e2f
                          • Instruction Fuzzy Hash: 893103719107089BC710DF68D801B9AB7F8FF69710F10466AFD4597642E771FA90CBA0
                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 001D3E1B
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001D3E6A
                            • Part of subcall function 00206338: _Yarn.LIBCPMT ref: 00206357
                            • Part of subcall function 00206338: _Yarn.LIBCPMT ref: 0020637B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                          • String ID: bad locale name
                          • API String ID: 1908188788-1405518554
                          • Opcode ID: 3efef29e9ccda4c7afb2040c46a75be2454382b395e2f120d0a80a4a4ce3502d
                          • Instruction ID: 4238fd55174ef59090fed8217693e6a6fc857c383568e0efd7efae057defab37
                          • Opcode Fuzzy Hash: 3efef29e9ccda4c7afb2040c46a75be2454382b395e2f120d0a80a4a4ce3502d
                          • Instruction Fuzzy Hash: D2119EB1914B84DFD320CF68C805757BBF4EB19710F008A5EE49AC3B81D775A6148BA5
                          APIs
                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00208A2E
                          • ___raise_securityfailure.LIBCMT ref: 00208AEB
                          Strings
                          Yara matches
                          Similarity
                          • API ID: FeaturePresentProcessor___raise_securityfailure
                          • String ID: ?!
                          • API String ID: 3761405300-3092246690
                          • Opcode ID: a1606bf0078ca9bb9ad0ffe6c07669a8178f8e746a852e5449d382f5a7b07437
                          • Instruction ID: adb6cecc1aaf06e4be66af7c96136104f33880e5b7e689543d88c76ff0cc4156
                          • Opcode Fuzzy Hash: a1606bf0078ca9bb9ad0ffe6c07669a8178f8e746a852e5449d382f5a7b07437
                          • Instruction Fuzzy Hash: 95118BB59523099FD701DF19FD49A507FB4FB49342B20506AE809DB3A1F7709541CF49
                          APIs
                          • CloseHandle.KERNEL32 ref: 001C4C9A
                          • ReleaseSRWLockExclusive.KERNEL32(00000000,?,0000093E,D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h), ref: 001C4CC7
                          Strings
                          • D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h, xrefs: 001C4CA9
                          Yara matches
                          Similarity
                          • API ID: CloseExclusiveHandleLockRelease
                          • String ID: D:\a\1\s\packages\Microsoft.Windows.ImplementationLibrary.1.0.230411.1\include\wil\resource.h
                          • API String ID: 858866997-2419448822
                          • Opcode ID: 5325e7831819ff6689f8d706eea0e749d72a0093cd50c2ad38b00e84d43e1720
                          • Instruction ID: 8e0d848605170b41a1f5e2d63f26679c117901cb12677a25d24a616f3891286a
                          • Opcode Fuzzy Hash: 5325e7831819ff6689f8d706eea0e749d72a0093cd50c2ad38b00e84d43e1720
                          • Instruction Fuzzy Hash: D3E01270715309ABEF14EBB5AE5EF16379C5F21B04B140499B604D76A0DB64FD50CA28
                          APIs
                          • ___std_exception_copy.LIBVCRUNTIME ref: 001E27FC
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ___std_exception_copy
                          • String ID: ,I#$9%
                          • API String ID: 2659868963-2984632962
                          • Opcode ID: e9034eb852885f11dcebdaf3335a8bed812416667e389f9cdb59dd93caaefd5b
                          • Instruction ID: 8b5406cc15dafc5a04958cb11e4341064bce1301573d74f44e9ffce4a3f07022
                          • Opcode Fuzzy Hash: e9034eb852885f11dcebdaf3335a8bed812416667e389f9cdb59dd93caaefd5b
                          • Instruction Fuzzy Hash: BDF037B18343089FC710DFA8D80158AFBFCAF15301F10869AE884A7201E7B166A4CFD5
                          APIs
                          • MessageBoxW.USER32(?,No DemoType file specified,ZoomIt,00000000), ref: 001EF639
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID: No DemoType file specified$ZoomIt
                          • API String ID: 2030045667-2018602021
                          • Opcode ID: fe194f7cd4efd64f244ea031ff1b991ecb6e234ea14545280c7b317a615c3828
                          • Instruction ID: b8f8227ce13c75eb23adc057cfac0d27bc9a4c104dd42a232117f02f46f05111
                          • Opcode Fuzzy Hash: fe194f7cd4efd64f244ea031ff1b991ecb6e234ea14545280c7b317a615c3828
                          • Instruction Fuzzy Hash: 1DE08C72B487088BD715AB10B942B69B761EB84710F2001AAE80A673C2CBA639208A44
                          APIs
                          • MessageBoxW.USER32(?,Unrecognized DemoType file content,ZoomIt,00000000), ref: 001EF783
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: Message
                          • String ID: Unrecognized DemoType file content$ZoomIt
                          • API String ID: 2030045667-671319558
                          • Opcode ID: 85d60145c82fa812399b3445e82e52f20117b2c4471528515a3c9bc91b60cfbc
                          • Instruction ID: cbcf813d12dad89ee91de3df5a3380a62fae9dacfcced7b780fb57f0b9576a99
                          • Opcode Fuzzy Hash: 85d60145c82fa812399b3445e82e52f20117b2c4471528515a3c9bc91b60cfbc
                          • Instruction Fuzzy Hash: 17E08C32B887088BD7159B10B942B68B761EB84B11F2001ABE80A673C2CBA629208A44
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3384805225.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                          • Associated: 00000000.00000002.3384773758.00000000001C0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384868835.0000000000234000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384899796.0000000000253000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384920139.0000000000254000.00000008.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3384937520.000000000025E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.3385036665.0000000000356000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1c0000_oAnb4ULQxP.jbxd
                          Yara matches
                          Similarity
                          • API ID: H_prolog3
                          • String ID: <%$|<%
                          • API String ID: 431132790-1644463525
                          • Opcode ID: ebe1b02e7c26791a04202194a91f656cde5a6808962762ccc0a7507235881ed5
                          • Instruction ID: 1b3156a51c5f7ad2a3084aef62bbb2df9e8e712b5629da804ebf992ce28aa271
                          • Opcode Fuzzy Hash: ebe1b02e7c26791a04202194a91f656cde5a6808962762ccc0a7507235881ed5
                          • Instruction Fuzzy Hash: 94E04FB09703069ADB00EBA4890B7AE7970BB05B97F50D559F890762D2CBB487384F99