
Windows Analysis Report
Fqae7BLq4m.exe

Overview

General Information

Sample name: Fqae7BLq4m.exe (renamed because the original name is a hash value)
Original sample name: 6C547F7A7E7964A03945CEF9BD53E792256E2BEB24E15BE780714AE349C8A81B.exe
Analysis ID: 1579418
MD5: a994f2b3b899758bddf5f35e407a694d
SHA1: a13dedaceed797a4ee8b399c7db20e88535ab6cc
SHA256: 6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
Tags: exe, FakeAPP, Trojan, user-Panda

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Fqae7BLq4m.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\Fqae7BLq4m.exe" MD5: A994F2B3B899758BDDF5F35E407A694D)
    • cmd.exe (PID: 384 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RuntimeBrokers.exe (PID: 6404 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 384, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 6404, ProcessName: RuntimeBrokers.exe
No Suricata rule has matched

AV Detection

Source: Fqae7BLq4m.exe | Virustotal: Detection: 19%
Source: Fqae7BLq4m.exe | ReversingLabs: Detection: 26%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E632B1 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 4_2_00E632B1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E62AF0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,CertNameToStrW,CertNameToStrW,CertNameToStrW, 4_2_00E62AF0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E62CE0 lstrcmpA,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime, 4_2_00E62CE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E62DB0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject, 4_2_00E62DB0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E62EE0 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertFindCertificateInStore, 4_2_00E62EE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C280200 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext, 4_2_6C280200
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C281340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext, 4_2_6C281340
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C27FF50 CryptStringToBinaryA,CryptStringToBinaryA, 4_2_6C27FF50
Source: Fqae7BLq4m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: \YSS\Release\libcurl.pdb | source: RuntimeBrokers.exe, 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp, libcurl.dll.0.dr
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb | source: RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E4BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ, 4_2_00E4BE70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EAF4E8 FindFirstFileExA, 4_2_00EAF4E8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2E82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 4_2_6C2E82CF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2980D0 WSAStartup,getaddrinfo,WSACleanup,socket,WSACleanup,connect,closesocket,freeaddrinfo,WSACleanup,recv,closesocket,WSACleanup,VirtualAlloc, 4_2_6C2980D0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: libcurl.dll.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: libcurl.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: libcurl.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | String found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: libcurl.dll.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: libcurl.dll.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: RuntimeBrokers.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: libcurl.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: RuntimeBrokers.exe, RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: RuntimeBrokers.exe, 00000004.00000002.4516544047.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041.
Source: RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: RuntimeBrokers.exe, 00000004.00000002.4516544047.0000000001724000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkams
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3241CD __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C3241CD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2E2720 GetAsyncKeyState,SendMessageW,GetClientRect,SetScrollPos, 4_2_6C2E2720
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2C4517 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 4_2_6C2C4517
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C281340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext, 4_2_6C281340
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process Stats: CPU usage > 49%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E76520: CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, 4_2_00E76520
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00404FAA 0_2_00404FAA
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0041206B 0_2_0041206B
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0041022D 0_2_0041022D
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00411F91 0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E3245C 4_2_00E3245C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E346D0 4_2_00E346D0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E68A70 4_2_00E68A70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E3B010 4_2_00E3B010
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E4F170 4_2_00E4F170
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EAB10C 4_2_00EAB10C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E722A0 4_2_00E722A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E77280 4_2_00E77280
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E9F520 4_2_00E9F520
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7F6C4 4_2_00E7F6C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E8264E 4_2_00E8264E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E937DD 4_2_00E937DD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E93730 4_2_00E93730
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EB3868 4_2_00EB3868
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E5A9A0 4_2_00E5A9A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E99930 4_2_00E99930
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E59AC0 4_2_00E59AC0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E84A4E 4_2_00E84A4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E48BE0 4_2_00E48BE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E99B5F 4_2_00E99B5F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EADC99 4_2_00EADC99
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E99D8E 4_2_00E99D8E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7FEAA 4_2_00E7FEAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3E2C00 4_2_6C3E2C00
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C29ECF0 4_2_6C29ECF0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C294830 4_2_6C294830
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3EA824 4_2_6C3EA824
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C406AA2 4_2_6C406AA2
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2A84BD 4_2_6C2A84BD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3E6671 4_2_6C3E6671
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3F06C6 4_2_6C3F06C6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2A478E 4_2_6C2A478E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2DA1A1 4_2_6C2DA1A1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2D230B 4_2_6C2D230B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2ADC9F 4_2_6C2ADC9F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2CBDDD 4_2_6C2CBDDD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3E9EA0 4_2_6C3E9EA0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C293F40 4_2_6C293F40
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C29B880 4_2_6C29B880
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2BD455 4_2_6C2BD455
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2DB5AF 4_2_6C2DB5AF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2B90AD 4_2_6C2B90AD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C29F0B0 4_2_6C29F0B0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C2BD8B0 appears 70 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C2BF675 appears 182 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E92860 appears 72 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C2BF6DE appears 61 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C2BF77F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E7BF08 appears 67 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E7C7A0 appears 50 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E42450 appears 44 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C29D970 appears 31 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E3E9E0 appears 43 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C2A068B appears 63 times
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: String function: 0040243B appears 37 times
Source: Fqae7BLq4m.exe, 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe, 00000000.00000003.2042590863.0000000002481000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe | Binary or memory string: OriginalFilenameV vs Fqae7BLq4m.exe
Source: Fqae7BLq4m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RuntimeBrokers.exe.0.dr | Binary string: @rb-%c%cIsWow64Processkernel32ntdll.dllRtlGetNtVersionNumbersg:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cppStopUnInitcurl init failedcurl_easy_perform failed,{}GetDownloadDownLoadFinish:{}, Size:{}Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36write_data_get_postwrite_data_get_post StopABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/PCI{1A3E09BE-1E45-494B-9174-D7385B45BBF5}\\.\#{ad498944-762f-11d0-8dcb-00c04fc3358c}NoteBookDesktopkernel32GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwClose
Source: classification engine | Classification label: mal42.evad.winEXE@6/8@0/0
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00407776
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040118A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E70420 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,CloseHandle,CloseHandle,OpenProcess,CloseHandle,OpenProcessToken,DuplicateTokenEx,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetModuleFileNameW,PathRemoveFileSpecW,LoadLibraryW, 4_2_00E70420
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004034C1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_00401BDF
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File created: C:\Users\Public\Bilite
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Command line argument: Np 4_2_00EB6F90
Source: Fqae7BLq4m.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Fqae7BLq4m.exe | Virustotal: Detection: 19%
Source: Fqae7BLq4m.exe | ReversingLabs: Detection: 26%
Source: RuntimeBrokers.exe | String found in binary or memory: --StartTask
Source: RuntimeBrokers.exe | String found in binary or memory: --InstallTask
Source: RuntimeBrokers.exe | String found in binary or memory: --stop
Source: RuntimeBrokers.exe | String found in binary or memory: --start
Source: RuntimeBrokers.exe | String found in binary or memory: --install
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File read: C:\Users\user\Desktop\Fqae7BLq4m.exe
Source: unknown | Process created: C:\Users\user\Desktop\Fqae7BLq4m.exe "C:\Users\user\Desktop\Fqae7BLq4m.exe"
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: libcurl.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: version.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: oleacc.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: msimg32.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: propsys.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: linkinfo.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: ntshrui.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: cscapi.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: textinputframework.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: coremessaging.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: coremessaging.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Firefox Setup 132.0.2.exe.lnk.4.drLNK file: ..\..\Public\Bilite\Firefox Setup 132.0.2.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Fqae7BLq4m.exe | Static file information: File size 70322189 > 1048576
Source: Binary string: \YSS\Release\libcurl.pdb source: RuntimeBrokers.exe, 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp, libcurl.dll.0.dr
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: libcurl.dll.0.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E455E9 push ebx; retf 4_2_00E455EA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7C7E6 push ecx; ret 4_2_00E7C7F9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7BEE2 push ecx; ret 4_2_00E7BEF5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C29F770 push eax; mov dword ptr [esp], 8007000Eh 4_2_6C29F774
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2E0E84 pushfd ; retf 4_2_6C2E0E85
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2AFDC3 push esi; ret 4_2_6C2AFDC5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2BF74D push ecx; ret 4_2_6C2BF760
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File created: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | File created: C:\Users\Public\Bilite\Axialis\libcurl.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2AE96E IsIconic,4_2_6C2AE96E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2D87C4 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,4_2_6C2D87C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2C307D GetParent,IsIconic,GetParent,__EH_prolog3,4_2_6C2C307D
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | System information queried: FirmwareTableInformation
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,4_2_00E76390
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Window / User API: threadDelayed 820
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Window / User API: threadDelayed 3832
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Window / User API: threadDelayed 3552
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Dropped PE file which has not been started: C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-111590
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_4-111127
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | API coverage: 6.4 %
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 5440 | Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7164 | Thread sleep time: -2460000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7164 | Thread sleep time: -10656000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E4BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ,4_2_00E4BE70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EAF4E8 FindFirstFileExA,4_2_00EAF4E8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2E82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,4_2_6C2E82CF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Thread delayed: delay time: 73000
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7B4C5 IsDebuggerPresent,OutputDebugStringW,4_2_00E7B4C5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2A1028 OutputDebugStringA,GetLastError,4_2_6C2A1028
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EA46B3 mov eax, dword ptr fs:[00000030h] 4_2_00EA46B3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E41AD0 GetProcessHeap,4_2_00E41AD0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7C128 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00E7C128
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E7C411 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00E7C411
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E9655F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00E9655F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3187A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C3187A6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C3F1F38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C3F1F38
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_6C2BD796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C2BD796
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00E3245C _strrchr,_strrchr,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,_strrchr,_strrchr,GetModuleHandleW,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,WaitForSingleObject,PeekMessageW,TranslateMessage,DispatchMessageW,WaitForSingleObject,WaitForSingleObject,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,curl_global_cleanup,MoveFileExW,_strrchr,_strrchr,4_2_00E3245C
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_00EB216F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_00EB22FE
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_00EA92B6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_00EB2263
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_00EB2218
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00EB238B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_00EB25DB
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_00EA979F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00EB2704
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00EB28D8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_00EB280B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_6C406074
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_6C4060D3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,4_2_6C2C60F1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_6C4061F3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_6C4061A8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6C40629A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_6C4063A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_6C3FBD0B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: EnumSystemLocalesW,4_2_6C405D86
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_6C405E21
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6C405B35
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: GetLocaleInfoW,4_2_6C3FB6EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Fqae7BLq4m.exe | Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00EAC3FF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00EAC3FF
Source: C:\Users\user\Desktop\Fqae7BLq4m.exeCode function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E8D8C9 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,4_2_00E8D8C9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 4_2_00E8CBF3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,4_2_00E8CBF3
MITRE ATT&CK Matrix (numbers in parentheses appear next to the technique in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (3) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | Input Capture (21) | System Time Discovery (2) | Remote Services | Input Capture (21) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Data Encrypted for Impact (1)
Credentials | Domains | Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (111) | LSASS Memory | Security Software Discovery (13) | Remote Desktop Protocol | Archive Collected Data (11) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | Virtualization/Sandbox Evasion (111) | SMB/Windows Admin Shares | Clipboard Data (1) | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (21) | LSA Secrets | Application Window Discovery (11) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (35) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1579418, Sample: Fqae7BLq4m.exe, Startdate: 22/12/2024, Architecture: WINDOWS, Score: 42)

  • Multi AV Scanner detection for submitted file
  • Sigma detected: Execution from Suspicious Folder
  • Fqae7BLq4m.exe started
  • Dropped by Fqae7BLq4m.exe: C:\Users\Public\Bilite\...\RuntimeBrokers.exe (PE32)
  • Dropped by Fqae7BLq4m.exe: C:\Users\Public\...\Firefox Setup 132.0.2.exe (PE32)
  • Dropped by Fqae7BLq4m.exe: C:\Users\Public\Bilite\Axialis\libcurl.dll (PE32)
  • cmd.exe started by Fqae7BLq4m.exe
  • RuntimeBrokers.exe started by cmd.exe; signature: Query firmware table information (likely to detect VMs)
  • conhost.exe started by cmd.exe

Source | Detection | Scanner | Label
Fqae7BLq4m.exe | 19% | Virustotal |
Fqae7BLq4m.exe | 26% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | 5% | ReversingLabs |
C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | libcurl.dll.0.dr | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/checkams | RuntimeBrokers.exe, 00000004.00000002.4516544047.0000000001724000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | | unknown
https://sectigo.com/CPS0 | libcurl.dll.0.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | libcurl.dll.0.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | libcurl.dll.0.dr | false | | high
http://ocsp.sectigo.com0 | libcurl.dll.0.dr | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | libcurl.dll.0.dr | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | libcurl.dll.0.dr | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/check | RuntimeBrokers.exe, RuntimeBrokers.exe, 00000004.00000000.2165191641.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | | unknown
https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041. | RuntimeBrokers.exe, 00000004.00000002.4516544047.0000000001724000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | libcurl.dll.0.dr | false | | high
                            No contacted IP infos
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1579418
                            Start date and time:2024-12-22 09:31:11 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 9m 44s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:8
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:Fqae7BLq4m.exe
                            renamed because original name is a hash value
                            Original Sample Name:6C547F7A7E7964A03945CEF9BD53E792256E2BEB24E15BE780714AE349C8A81B.exe
                            Detection:MAL
                            Classification:mal42.evad.winEXE@6/8@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 93%
                            • Number of executed functions: 128
                            • Number of non-executed functions: 266
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:32:15 | API Interceptor | 32425x Sleep call for process: RuntimeBrokers.exe modified
                            No context
                            No context
                            No context
                            No context
                            No context
                            Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                            File Type:openssl enc'd data with salted password, base64 encoded
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):5.033214015923012
                            Encrypted:false
                            SSDEEP:3:iqk4fCxGrMbP0aCVot1SNGuD:ilcCxG+0aCVO1M
                            MD5:50E74B5BC067779E678DB0F2A54DEFC8
                            SHA1:13EA01C359FCAE743AC3486C6D3A327E56E63807
                            SHA-256:2EEF31B0CCD84C6A3385A75DCCF1F5EFB0285621DAAA4CDC08D04158B603DEAA
                            SHA-512:6EF7799A0391D8E9BA12BA937C4585C6C8A42A5C62250C5C8F0F6295043E2A3A587EA259A5C51F9CFD2141DA20878FCA8CE2B902F41624BC42C341D81D8AA40E
                            Malicious:false
                            Reputation:low
                            Preview:U2FsdGVkX19kUlCThJUEb9e23b58qaUiAwjQjHvagtVU8kgm3zdqbwKdbKJmtEKf
                            Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):777816
                            Entropy (8bit):6.621348016864403
                            Encrypted:false
                            SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                            MD5:30A274E00DA842B09E9763F19777ADED
                            SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                            SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                            SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 5%
                            Reputation:low
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2290968
                            Entropy (8bit):6.605466206867334
                            Encrypted:false
                            SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeoyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSeD
                            MD5:DC10EC7E14FF2DE831C6A08BBA41AD88
                            SHA1:56B5E56DA9F3346E4AEE57FB3E29286AFA792F0E
                            SHA-256:03ED8F64CDCA65B75F8ACC23EBA7CBBDF1BF2B7446159F07A909CE65BDD553EC
                            SHA-512:DB3081C52AA19D8E6E873D532D293D34F83B215F930C11A0A8B99A13D0D5D6966D83EAD1D2AC0C8AA1F480BEFC9B6274B9560A30163276AE1FBD8C40862EC117
                            Malicious:false
                            Reputation:low
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\Fqae7BLq4m.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                            Category:dropped
                            Size (bytes):68284584
                            Entropy (8bit):7.999992371883463
                            Encrypted:true
                            SSDEEP:1572864:QHms4Lp3eKMWTi1hdM0C49TEX+tWBrhCJOfH:TNlfD46Xh
                            MD5:23F241F690F1F73A272EC524FB0537A7
                            SHA1:E9C8177734425D5A5544B6BD6BE6D5B4627E1FE1
                            SHA-256:F451E97BF0F25CC841366C190F62C8037577EC2EBC5A67DD524396559134F3B8
                            SHA-512:8E574C0069B8D3EBE8E43DFFA3DE6A9BECBFDF3681E88801D93FB81AD623490ECA7852DA933198E40F10BAB9E249D8E3509D0AC505575FC151D768E799F03957
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`Y.`Y.`YM.nY.`Y&.dY.`Y..?Y.`Y..=Y.`Y.aYb.`Y&.jY.`Y&.kY..`Yv.fY.`YRich.`Y........................PE..L...9m.[.........................@...O...P...`....@..........................`.............................................L[.......`..L...........X...P5..................................................................0.......................UPX0.....@..............................UPX1.........P......................@....rsrc........`......................@..............................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):2007
                            Entropy (8bit):5.124551002248184
                            Encrypted:false
                            SSDEEP:48:oLXX/5epsht6q46EAga8uaP2A28fPeA38XPD:o9/8AJ8fOA28fGA38Xb
                            MD5:2FB4ECB24625F18EC2F831286F7A9579
                            SHA1:B1CC62EF74AF5A8D0CA5DAF47BD4D12EF0BDA50F
                            SHA-256:DAE53B6AE68D02570A5160B52F68B488590F1807DF5B52F770CEC657479C9E66
                            SHA-512:4BFF6C767634F7AEED5551F650A34214F4D06CB504CBE153EBE719674064F51986C2829CE7A007E556CEA4A39286D60849AA8081EE02DDFC7B45EFC0CD733ACC
                            Malicious:false
                            Reputation:low
                            Preview:[2024-12-22 04:40:10.135] [info] [5476] [application.cpp Run: 51] curl init res:2..[2024-12-22 04:40:10.146] [info] [5476] [application.cpp Run: 64] CreateEvent [764]..[2024-12-22 04:40:10.149] [info] [5476] [application.cpp Run: 76] CXZShellExecute init..[2024-12-22 04:40:10.150] [info] [5476] [application.cpp Run: 78] CXZUpdateModule init..[2024-12-22 04:40:10.150] [info] [5476] [application.cpp Run: 80] Timer init..[2024-12-22 04:40:10.160] [info] [5476] [application.cpp Run: 82] ServiceMgr Run..[2024-12-22 04:40:10.217] [info] [5476] [application.cpp Run: 84] ThreadPoolMgr Run..[2024-12-22 04:40:10.218] [info] [5476] [application.cpp Run: 87] Running m_hWndAsy:197660..[2024-12-22 04:40:10.218] [info] [5476] [application.cpp Run: 107] Message Loop..[2024-12-22 04:40:19.451] [info] [2788] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-22 04:40:22.333] [error] [2788] [mmcurl.cpp Get: 128] curl init failed..[2024-12-22 04:40:25.484] [info] [2788] [xzupd
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1018
                            Entropy (8bit):5.136786547431531
                            Encrypted:false
                            SSDEEP:24:oV5hAr/iehFW2jijFzhPWqAr8D6INFW2jD6INPW62Arn39:oxAp8PF1PBAK6c8q6cPH2AL39
                            MD5:874C990388AE9A2A6949B8655D590D19
                            SHA1:9B16FB05502D7ACAE1C2A5309E55EB15B805B8DF
                            SHA-256:27F2BC4BEE41CC7C62AC25361F3504359DA4A983716CE6AAB3B7C47E729843FC
                            SHA-512:574BF7C6458AB3627D3587DD0340E3FB1A8BC4BC4BE105E09A8D648CEF3A95B6E82DC20940AE7A9306F201B66D4FF654554A9C5DBEBDE6AA72181D10BB4B733D
                            Malicious:false
                            Reputation:low
                            Preview:[2024-12-23 05:40:33.105] [info] [728] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-23 06:34:48.013] [error] [728] [mmcurl.cpp Get: 128] curl init failed..[2024-12-23 07:50:09.824] [info] [728] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-23 07:50:09.825] [info] [728] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-23 14:06:10.389] [info] [6612] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-23 15:03:07.750] [error] [6612] [mmcurl.cpp Get: 128] curl init failed..[2024-12-23 16:14:53.700] [info] [6612] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-23 16:14:53.700] [info] [6612] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-23 23:01:13.456] [info] [4568] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-23 23:49:47.388] [error] [4568] [mmcurl.cpp Get: 128]
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):638
                            Entropy (8bit):5.143487473071031
                            Encrypted:false
                            SSDEEP:12:oVOF2FWqBjFF2kGCpOalL3VArEjvoVxn3VFWqBjxK3VkGCY:oVq2FW2j/2PWXLFArtZFFW2j4FPD
                            MD5:948B90E247C0C18074F3A321ED413FDA
                            SHA1:942222EB8201AC9E04D1880E40B5C5C594726A4C
                            SHA-256:174913EEB7567DBB9E6615246AD1CB00556F2ACA090F0757375BE249E8697844
                            SHA-512:A064E6CD0A21D74F4F5EB74197608BA5B3C2FF6C8274C5EAE703C7CA26E5113EE00D97EE26C1F53CACE67362CDC2BDAE689EC05E5E22FA6EF2988C6F49D5269D
                            Malicious:false
                            Reputation:low
                            Preview:[2024-12-24 00:30:32.864] [info] [4568] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-24 00:30:32.869] [info] [4568] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-24 06:33:49.360] [info] [3376] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-24 07:14:10.003] [error] [3376] [mmcurl.cpp Get: 128] curl init failed..[2024-12-24 08:01:48.904] [info] [3376] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-24 08:01:48.905] [info] [3376] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Dec 22 07:32:03 2024, mtime=Sun Dec 22 07:32:12 2024, atime=Tue Dec 3 12:11:47 2024, length=68284584, window=hide
                            Category:dropped
                            Size (bytes):1106
                            Entropy (8bit):4.692402331898535
                            Encrypted:false
                            SSDEEP:12:8eXu0UYluCECHqXeWX1CACmq2Yh+g5FDtYjA4UXJIKGjF0avtaxoxP4t2YZ/elFH:8e7q9AhPDyAT5sdvtu4Fqygm
                            MD5:A1D3F27C99FF7768B385131F86A1CA3B
                            SHA1:FC595E2AE355E158175A5F9DAC101433B10DB079
                            SHA-256:884C382C113E515944364FC8AE783C4E3BA4F943CC1CF833613A5B22F5D8691F
                            SHA-512:5EF482444F6B0C23ACE2A4238579ABF227FF48A46C3A36F6702712F9CE33510B590CBF995A4B4FFBC914B203F0E6D480CBC8BA7B99E851827E04E7E4BDD7642A
                            Malicious:false
                            Preview:L..................F.... ...v...KT..J.^.KT......E...............................P.O. .:i.....+00.../C:\...................x.1.....DW(m..Users.d......OwH.Y.D....................:.....NvM.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y.D..Public..f......O.I.Y.D....+...............<.....&..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y.D..Bilite..>......Y.D.Y.D....Q.........................B.i.l.i.t.e.......2......Yxi .FIREFO~1.EXE..d......Y.D.Y.D....!.....................1.).F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e......._...............-.......^..............x.....C:\Users\Public\Bilite\Firefox Setup 132.0.2.exe..-.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.F.i.r.e.f.o.x. .S.e.t.u.p. .1.3.2...0...2...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......932923...........hT..CrF.f4... .x.2=.b...,...W..hT..CrF.f4... .x.2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.999987563129512
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:Fqae7BLq4m.exe
                            File size:70'322'189 bytes
                            MD5:a994f2b3b899758bddf5f35e407a694d
                            SHA1:a13dedaceed797a4ee8b399c7db20e88535ab6cc
                            SHA256:6c547f7a7e7964a03945cef9bd53e792256e2beb24e15be780714ae349c8a81b
                            SHA512:3eb57e03e42b3a0ad54b885f042d70dc2ccd490d493faa0c5f36b5628751d3092ebd986a9ab38e46dd0854257672dddc3bb37a8df4e152776a6306caeabc8d00
                            SSDEEP:1572864:T6GU+TLvNqXhlk5jR/7ouTb4CYw1UnxcpMP0s/gH6iERvUUzVwDVuPOtW:Tauehlk/k8ww1UnqpMPHKAUU+gOY
                            TLSH:C8F73310E3A057B8F873007D5426CF9BE205ABA757D261637608073B31ADEEFFA065A5
                            File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................
                            Icon Hash:878fd7f3b9353593
                            Entrypoint:0x411def
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:b5a014d7eeb4c2042897567e1288a095
                            Instruction
                            push ebp
                            mov ebp, esp
                            push FFFFFFFFh
                            push 00414C50h
                            push 00411F80h
                            mov eax, dword ptr fs:[00000000h]
                            push eax
                            mov dword ptr fs:[00000000h], esp
                            sub esp, 68h
                            push ebx
                            push esi
                            push edi
                            mov dword ptr [ebp-18h], esp
                            xor ebx, ebx
                            mov dword ptr [ebp-04h], ebx
                            push 00000002h
                            call dword ptr [00413184h]
                            pop ecx
                            or dword ptr [00419924h], FFFFFFFFh
                            or dword ptr [00419928h], FFFFFFFFh
                            call dword ptr [00413188h]
                            mov ecx, dword ptr [0041791Ch]
                            mov dword ptr [eax], ecx
                            call dword ptr [0041318Ch]
                            mov ecx, dword ptr [00417918h]
                            mov dword ptr [eax], ecx
                            mov eax, dword ptr [00413190h]
                            mov eax, dword ptr [eax]
                            mov dword ptr [00419920h], eax
                            call 00007F4EA4AD8BD2h
                            cmp dword ptr [00417710h], ebx
                            jne 00007F4EA4AD8ABEh
                            push 00411F78h
                            call dword ptr [00413194h]
                            pop ecx
                            call 00007F4EA4AD8BA4h
                            push 00417048h
                            push 00417044h
                            call 00007F4EA4AD8B8Fh
                            mov eax, dword ptr [00417914h]
                            mov dword ptr [ebp-6Ch], eax
                            lea eax, dword ptr [ebp-6Ch]
                            push eax
                            push dword ptr [00417910h]
                            lea eax, dword ptr [ebp-64h]
                            push eax
                            lea eax, dword ptr [ebp-70h]
                            push eax
                            lea eax, dword ptr [ebp-60h]
                            push eax
                            call dword ptr [0041319Ch]
                            push 00417040h
                            push 00417000h
                            call 00007F4EA4AD8B5Ch
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x13c0 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x1a000 | 0x13c0 | 0x1400 | 5293a0fb2c46166ce21247d17e837639 | False | 0.3568359375 | data | 4.96958597460067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0x1a250 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839
                            RT_ICON | 0x1a538 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081
                            RT_MENU | 0x1a660 | 0x4a | data | English | United States | 0.8648648648648649
                            RT_DIALOG | 0x1a6ac | 0xf2 | data | English | United States | 0.7148760330578512
                            RT_STRING | 0x1a7a0 | 0x40 | data | English | United States | 0.59375
                            RT_GROUP_ICON | 0x1a7e0 | 0x22 | data | English | United States | 1.0
                            RT_VERSION | 0x1a804 | 0x314 | data | English | United States | 0.44416243654822335
                            RT_MANIFEST | 0x1ab18 | 0x60f | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4229529335912315
                            RT_MANIFEST | 0x1b128 | 0x298 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4894578313253012
                            DLL | Import
                            COMCTL32.dll |
                            KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
                            USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
                            GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
                            SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
                            ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
                            OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
                            MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            No network behavior found

                            Target ID:0
                            Start time:03:32:02
                            Start date:22/12/2024
                            Path:C:\Users\user\Desktop\Fqae7BLq4m.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Fqae7BLq4m.exe"
                            Imagebase:0x400000
                            File size:70'322'189 bytes
                            MD5 hash:A994F2B3B899758BDDF5F35E407A694D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:03:32:15
                            Start date:22/12/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:03:32:15
                            Start date:22/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:03:32:15
                            Start date:22/12/2024
                            Path:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Imagebase:0xe30000
                            File size:777'816 bytes
                            MD5 hash:30A274E00DA842B09E9763F19777ADED
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 5%, ReversingLabs
                            Reputation:low
                            Has exited:false


                              Execution Graph

                              Execution Coverage:17.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:26.9%
                              Total number of Nodes:1421
                              Total number of Limit Nodes:14
                              execution_graph 9093 410e7f 9094 410e9a 9093->9094 9095 410eb5 9094->9095 9097 40f42d 9094->9097 9098 40f445 free 9097->9098 9099 40f437 9097->9099 9100 4024e7 46 API calls 9098->9100 9099->9098 9101 40f456 9099->9101 9100->9101 9101->9095 9089 40e63c 9090 40e5d3 6 API calls 9089->9090 9091 40e644 9090->9091 8243 4024c4 8244 40245a 45 API calls 8243->8244 8245 4024cd 8244->8245 8246 4024d2 8245->8246 8247 4024d3 VirtualAlloc 8245->8247 8248 4096c7 _EH_prolog 8262 4096fa 8248->8262 8249 40971c 8250 409827 8283 40118a 8250->8283 8252 409851 8256 40985e ??2@YAPAXI 8252->8256 8253 40983c 8334 409425 8253->8334 8254 4094e0 _CxxThrowException ??2@YAPAXI memcpy ??3@YAXPAX 8254->8262 8258 409878 8256->8258 8257 40969d 8 API calls 8257->8262 8263 409925 ??2@YAPAXI 8258->8263 8264 4098c2 8258->8264 8268 409530 3 API calls 8258->8268 8270 409425 ctype 3 API calls 8258->8270 8272 4099a2 8258->8272 8277 409a65 8258->8277 8293 409fb4 8258->8293 8297 408ea4 8258->8297 8340 409c13 ??2@YAPAXI 8258->8340 8342 409f49 8258->8342 8260 40e959 VirtualFree ??3@YAXPAX free free ctype 8260->8262 8262->8249 8262->8250 8262->8254 8262->8257 8262->8260 8327 4095b7 8262->8327 8331 409403 8262->8331 8263->8258 8337 409530 8264->8337 8268->8258 8270->8258 8273 409530 3 API calls 8272->8273 8274 4099c7 8273->8274 8275 409425 ctype 3 API calls 8274->8275 8275->8249 8279 409530 3 API calls 8277->8279 8280 409a84 8279->8280 8281 409425 ctype 3 API calls 8280->8281 8281->8249 8284 401198 GetDiskFreeSpaceExW 8283->8284 8285 4011ee SendMessageW 8283->8285 8284->8285 8286 4011b0 8284->8286 8291 4011d6 8285->8291 8286->8285 8287 401f9d 19 API calls 8286->8287 8288 4011c9 8287->8288 8289 407717 25 API calls 8288->8289 8290 4011cf 8289->8290 8290->8291 8292 4011e7 8290->8292 8291->8252 8291->8253 8292->8285 8294 409fdd 8293->8294 8346 409dff 8294->8346 8620 40aef3 8297->8620 8300 408ec1 8300->8258 8302 408fd5 8638 408b7c 8302->8638 8303 408f0d ??2@YAPAXI 8312 408ef5 8303->8312 
8305 408f31 ??2@YAPAXI 8305->8312 8312->8302 8312->8303 8312->8305 8680 40cdb8 ??2@YAPAXI 8312->8680 8328 4095c6 8327->8328 8330 4095cc 8327->8330 8328->8262 8329 4095e2 _CxxThrowException 8329->8328 8330->8328 8330->8329 8332 40e8e2 4 API calls 8331->8332 8333 40940b 8332->8333 8333->8262 8335 40e8da ctype 3 API calls 8334->8335 8336 409433 8335->8336 8338 408963 ctype 3 API calls 8337->8338 8339 40953b 8338->8339 8341 409c45 8340->8341 8341->8258 8345 409f4e 8342->8345 8343 409f75 8343->8258 8344 409cde 110 API calls 8344->8345 8345->8343 8345->8344 8348 409e04 8346->8348 8347 409e3a 8347->8258 8348->8347 8350 409cde 8348->8350 8351 409cf8 8350->8351 8355 401626 8351->8355 8418 40db1f 8351->8418 8352 409d2c 8352->8348 8356 401642 8355->8356 8362 401638 8355->8362 8421 40a62f _EH_prolog 8356->8421 8358 40166f 8489 40eca9 8358->8489 8359 401411 2 API calls 8361 401688 8359->8361 8363 401962 ??3@YAXPAX 8361->8363 8364 40169d 8361->8364 8362->8352 8368 40eca9 VariantClear 8363->8368 8447 401329 8364->8447 8367 4016a8 8451 401454 8367->8451 8368->8362 8371 401362 2 API calls 8372 4016c7 ??3@YAXPAX 8371->8372 8377 4016d9 8372->8377 8404 401928 ??3@YAXPAX 8372->8404 8374 40eca9 VariantClear 8374->8362 8375 4016fa 8376 40eca9 VariantClear 8375->8376 8378 401702 ??3@YAXPAX 8376->8378 8377->8375 8379 401764 8377->8379 8388 401725 8377->8388 8378->8358 8382 4017a2 8379->8382 8383 401789 8379->8383 8380 40eca9 VariantClear 8381 401737 ??3@YAXPAX 8380->8381 8381->8358 8385 4017c4 GetLocalTime SystemTimeToFileTime 8382->8385 8386 4017aa 8382->8386 8384 40eca9 VariantClear 8383->8384 8387 401791 ??3@YAXPAX 8384->8387 8385->8386 8386->8388 8389 4017e1 8386->8389 8390 4017f8 8386->8390 8387->8358 8388->8380 8456 403354 lstrlenW 8389->8456 8480 40301a GetFileAttributesW 8390->8480 8394 401934 GetLastError 8394->8404 8395 401818 ??2@YAPAXI 8397 401824 8395->8397 8396 40192a 8396->8394 8493 40db53 8397->8493 8400 40190f 8403 40eca9 VariantClear 8400->8403 8401 40185f GetLastError 
8496 4012f7 8401->8496 8403->8404 8404->8374 8405 401871 8406 403354 86 API calls 8405->8406 8409 40187f ??3@YAXPAX 8405->8409 8407 4018cc 8406->8407 8407->8409 8411 40db53 2 API calls 8407->8411 8410 40189c 8409->8410 8412 40eca9 VariantClear 8410->8412 8413 4018f1 8411->8413 8414 4018aa ??3@YAXPAX 8412->8414 8415 4018f5 GetLastError 8413->8415 8416 401906 ??3@YAXPAX 8413->8416 8414->8358 8415->8409 8416->8400 8612 40da56 8418->8612 8422 40a738 8421->8422 8423 40a66a 8421->8423 8424 40a687 8422->8424 8425 40a73d 8422->8425 8423->8424 8426 40a704 8423->8426 8427 40a679 8423->8427 8434 40a6ad 8424->8434 8525 40a3b0 8424->8525 8428 40a6f2 8425->8428 8431 40a747 8425->8431 8433 40a699 8425->8433 8426->8434 8499 40e69c 8426->8499 8427->8428 8429 40a67e 8427->8429 8521 40ed34 8428->8521 8437 40a684 8429->8437 8446 40a6b2 8429->8446 8431->8428 8431->8446 8433->8434 8513 40ed59 8433->8513 8508 40ecae 8434->8508 8436 40a71a 8502 40eced 8436->8502 8437->8424 8437->8433 8443 40eca9 VariantClear 8444 40166b 8443->8444 8444->8358 8444->8359 8446->8434 8517 40ed79 8446->8517 8448 401340 8447->8448 8449 40112b 2 API calls 8448->8449 8450 40134b 8449->8450 8450->8367 8452 4012f7 2 API calls 8451->8452 8453 401462 8452->8453 8540 4013e2 8453->8540 8455 40146d 8455->8371 8457 4024fc 2 API calls 8456->8457 8458 403375 8457->8458 8459 40112b 2 API calls 8458->8459 8462 403385 8458->8462 8459->8462 8461 4033d3 GetSystemTimeAsFileTime GetFileAttributesW 8463 4033e8 8461->8463 8464 4033f2 8461->8464 8462->8461 8472 403477 8462->8472 8543 401986 CreateDirectoryW 8462->8543 8465 40301a 22 API calls 8463->8465 8466 401986 4 API calls 8464->8466 8469 4033f8 ??3@YAXPAX 8464->8469 8465->8464 8478 403405 8466->8478 8467 4034a7 8468 407776 55 API calls 8467->8468 8475 4034b1 ??3@YAXPAX 8468->8475 8477 4034bc 8469->8477 8470 40340a 8549 407776 8470->8549 8472->8467 8472->8469 8473 40346b ??3@YAXPAX 8473->8477 8474 40341d memcpy 8474->8478 8475->8477 8477->8388 8478->8470 8478->8473 8478->8474 
[Execution Graph: node/edge listing of the sample's control-flow graph, rendered here as text. Each node is a numbered basic block at a code address in the 0x401000-0x411fff range, annotated with the imported API calls it makes; "->" entries are edges between nodes. The full listing is not reproduced. API names that appear in this part of the graph include: FindFirstFileW, FindNextFileW, FindClose, CompareFileTime, GetFileAttributesW, SetFileAttributesW, DeleteFileW, RemoveDirectoryW, CreateFileW, ReadFile, WriteFile, GetStdHandle, CloseHandle, GetTempPathW, GetDriveTypeW, GetModuleFileNameW, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, SHGetSpecialFolderPathW, SetCurrentDirectoryW, LoadLibraryA, GetProcAddress, GetModuleHandleA/W, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, MessageBoxA, EndDialog, IsWindow, GetSystemMetrics, GetKeyState, GetVersionExW, GetStartupInfoA, CoInitialize, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, ShellExecuteW, ShellExecuteExW, InitializeCriticalSection, GlobalMemoryStatusEx, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, GetLocaleInfoW, FormatMessageW, GetLastError, SetLastError, IsBadReadPtr, VariantClear, SysAllocString, MultiByteToWideChar, WideCharToMultiByte, CharUpperW, lstrlenA/W, lstrcpyW, lstrcmpW, lstrcmpiW, _wcsnicmp, strncmp, _wtol, wsprintfA/W, wvsprintfW, memcpy, memmove, memcmp, memset, malloc, LocalFree, _CxxThrowException, and the CRT startup routines (__set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __getmainargs, _XcptFilter, exit).]
4038d7 8191->8192 8193 40254d 2 API calls 8192->8193 8194 4038e4 8193->8194 8195 4024fc 2 API calls 8194->8195 8196 4038f1 8195->8196 8197 403805 3 API calls 8196->8197 8198 403901 ??3@YAXPAX 8197->8198 8199 4024fc 2 API calls 8198->8199 8200 403918 8199->8200 8201 403805 3 API calls 8200->8201 8202 403927 ??3@YAXPAX ??3@YAXPAX 8201->8202 8202->8109 8204 40112b 2 API calls 8203->8204 8205 401425 8204->8205 8206 401362 8205->8206 8207 40136e 8206->8207 8209 401380 8206->8209 8208 40112b 2 API calls 8207->8208 8208->8209 8209->8125 8211 40255a 8210->8211 8219 401398 8211->8219 8213 402565 8213->8127 8215 40381b 8214->8215 8216 403817 ??3@YAXPAX 8214->8216 8215->8216 8223 4026b1 8215->8223 8227 402f96 8215->8227 8216->8132 8220 4013dc 8219->8220 8221 4013ac 8219->8221 8220->8213 8222 40112b 2 API calls 8221->8222 8222->8220 8224 4026c7 8223->8224 8225 4026db 8224->8225 8231 402346 memmove 8224->8231 8225->8215 8228 402fa5 8227->8228 8230 402fbe 8228->8230 8232 4026e6 8228->8232 8230->8215 8231->8225 8233 4026f6 8232->8233 8234 401398 2 API calls 8233->8234 8235 402702 8234->8235 8238 402346 memmove 8235->8238 8237 40270f 8237->8230 8238->8237 8240 402541 8239->8240 8241 402547 ExpandEnvironmentStringsW 8239->8241 8242 40112b 2 API calls 8240->8242 8241->8177 8242->8241 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211
                              APIs
                                • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                              • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                              • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                              • _wtol.MSVCRT ref: 0040509F
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                              • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                              • _wtol.MSVCRT ref: 00405217
                              • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                              • wsprintfW.USER32 ref: 00405595
                              • _wtol.MSVCRT ref: 004057DE
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                              • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                              • CoInitialize.OLE32(00000000), ref: 004059E9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                              • GetKeyState.USER32(00000010), ref: 00405AA1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                              • memset.MSVCRT ref: 004060AE
                              • ShellExecuteExW.SHELL32(?), ref: 0040617E
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                              • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                              • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                              • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                              • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                              • _wtol.MSVCRT ref: 00405F65
                              • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                              • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                              • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                              • API String ID: 3696187633-3058303289
                              • Opcode ID: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
                              • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                              • Opcode Fuzzy Hash: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
                              • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D
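
                              The API list and string table above describe the 7zSfx installer stub that wraps the payload: GetCommandLineW and _wtol for switch parsing, a config block delimited by ;!@Install@!UTF-8! and ;!@InstallEnd@! (handled in subcall 00404E3F, which also formats the 7ZipSfx.%03x temp directory name), ExpandEnvironmentStringsW for InstallPath, GetFileAttributesW on the target path, and ShellExecuteExW followed by WaitForSingleObject for RunProgram/ExecuteFile. The quickest triage step for a sample like this is to pull that config block out of the file statically and read what it will execute, instead of relying on the dynamic run alone. The Python below is an added example written for this report, not code from Joe Sandbox or from the 7zSfx project. It assumes the documented 7zSfx file layout (stub, then config text, then the 7z container, whose signature is 37 7A BC AF 27 1C), the Key="Value" line syntax with \" as the quote escape, and that nowait, hidcon and forcenowait (all present in the string table) are colon-separated prefixes on RunProgram/ExecuteFile values. The sample bytes are constructed for the example and are not taken from Fqae7BLq4m.exe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Markers and key names come from the sample's string table; the surrounding
# layout [SFX stub][config text][7z archive] is the documented 7zSfx format.
CONFIG_BEGIN = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature of the embedded 7z container

# Keys that decide what the package does to the host after extraction.
ACTION_KEYS = ("InstallPath", "RunProgram", "ExecuteFile", "ExecuteParameters",
               "SetEnvironment", "Shortcut", "Delete", "SelfDelete")
# Run modifiers in front of a RunProgram/ExecuteFile value, ':'-separated
# (assumption: this set; all three strings appear in the sample).
RUN_PREFIXES = ("nowait", "forcenowait", "hidcon")
# One config line: Key="Value"; assumption: a quote in the value is written \"
_LINE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def find_config(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset of begin marker, offset just past end marker) or None."""
    start = data.find(CONFIG_BEGIN)
    if start < 0:
        return None
    end = data.find(CONFIG_END, start + len(CONFIG_BEGIN))
    return None if end < 0 else (start, end + len(CONFIG_END))


def parse_config(text: str) -> List[Tuple[str, str]]:
    """Parse Key="Value" lines in order; duplicate keys (several RunProgram
    lines) are kept because the stub executes each of them."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                      # blank, comment, or one of the markers
        m = _LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).replace('\\"', '"')))
    return entries


def split_run_prefixes(value: str) -> Tuple[List[str], str]:
    """Strip leading nowait:/hidcon:/forcenowait: modifiers from a command."""
    prefixes: List[str] = []
    while True:
        head, sep, rest = value.partition(":")
        if not (sep and head.lower() in RUN_PREFIXES):
            return prefixes, value        # 'C:\...' is a drive letter, not a prefix
        prefixes.append(head.lower())
        value = rest


def extract_sfx_config(data: bytes) -> Optional[Dict[str, object]]:
    """Locate and parse the config block of a 7zSfx-built executable."""
    span = find_config(data)
    if span is None:
        return None
    start, end = span
    entries = parse_config(data[start:end].decode("utf-8", errors="replace"))
    arch = data.find(SEVENZ_MAGIC, end)   # where the inner .7z can be carved from
    return {
        "config_offset": start,
        "archive_offset": arch if arch >= 0 else None,
        "entries": entries,
        "actions": [(k, v) for k, v in entries if k in ACTION_KEYS],
    }


def triage_lines(result: Dict[str, object]) -> List[str]:
    """Readable summary of what the stub will do once it runs."""
    out = []
    for key, value in result["actions"]:
        if key in ("RunProgram", "ExecuteFile"):
            prefixes, cmd = split_run_prefixes(value)
            flags = f" [{','.join(prefixes)}]" if prefixes else ""
            out.append(f"{key}{flags}: {cmd}")
        else:
            out.append(f"{key}: {value}")
    return out


# Constructed sample (not the analysed binary): a fake stub, a config block
# and the first bytes of a 7z container.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"<sfx stub code>"
    + b";!@Install@!UTF-8!\r\n"
    b'Title="Update"\r\n'
    b'BeginPrompt="Install the update?"\r\n'
    b'InstallPath="%ProgramFiles%\\Example"\r\n'
    b'RunProgram="hidcon:nowait:setup.exe /S"\r\n'
    b'RunProgram="cmd.exe /c echo \\"done\\""\r\n'
    b'SelfDelete="1"\r\n'
    b";!@InstallEnd@!\r\n"
    + SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 26
)

if __name__ == "__main__":
    res = extract_sfx_config(SAMPLE)
    print(f"config @ {res['config_offset']:#x}, archive @ {res['archive_offset']:#x}")
    for line in triage_lines(res):
        print(" ", line)
```

                              To run it against the real file, replace SAMPLE with open(path, "rb").read(); archive_offset is where the embedded .7z begins, so the payload can be carved (dd/7z) and examined without ever executing the stub. One caveat when reading the graphs above: the GetLocalTime/SystemTimeToFileTime path in the function at 401626, which then reaches 40301a (GetFileAttributesW, FindFirstFileW, CompareFileTime), is consistent with the stub deciding whether to overwrite an already existing file (the OverwriteMode key is in the string table) rather than with environment-aware timing logic, so timestamp comparisons in this sample should be weighed with that in mind.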

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 701 4017a2-4017a8 695->701 702 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->702 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 701->704 705 4017aa-4017ad 701->705 702->660 706 4017dc-4017df 704->706 708 4017b6-4017c2 705->708 709 4017af-4017b1 705->709 710 4017e1-4017e3 call 403354 706->710 711 4017f8-4017ff call 40301a 706->711 708->706 709->693 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 744 4018d1-4018d9 739->744 745 4018db-4018f3 call 40db53 739->745 743 40188a-40189a ??3@YAXPAX@Z 740->743 746 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 743->746 747 
40189c-40189e 743->747 744->743 753 4018f5-401904 GetLastError 745->753 754 401906-40190e ??3@YAXPAX@Z 745->754 746->660 747->746 753->743 754->729
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
                              • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                              • Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
                              • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                              APIs
                              • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                              • SetLastError.KERNEL32(00000010), ref: 0040303D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AttributesErrorFileLast
                              • String ID:
                              • API String ID: 1799206407-0
                              • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                              • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                              • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                              • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                              APIs
                              • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                              • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: DiskFreeMessageSendSpace
                              • String ID:
                              • API String ID: 696007252-0
                              • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                              • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                              • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                              • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm 757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 760->764 765 411ecb-411ed3 760->765 761->760 766 411ee2-411ee6 764->766 767 411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc 765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA 766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter 773->775 774->775
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                              • String ID: HpA
                              • API String ID: 801014965-2938899866
                              • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                              • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                              • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                              • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58
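The control_flow_graph text the report embeds for each function is the IDA plugin's graph serialized as a token stream, hard to read by eye but easy to parse. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that token stream into basic blocks and edges, then recovers the entry block, the loops (DFS back edges) and the imported calls in address order. The token grammar is inferred from the dumps on this page, so it is an assumption about the format rather than a documented one; the sample input is the report's own dump for the CRT startup function at 0x411DEF.

```python
import re
from collections import namedtuple

# Token grammar of the report's control_flow_graph dump, as observed on this page (assumed, not documented):
#   <id> <addr>[-<addr>]   opens a basic block (decimal node id, 6-digit hex addresses)
#   <name>                 an imported API called from the current block
#   call <addr> [* <n>]    an internal subroutine called from that block, n times
#   <id>-><id>             a control-flow edge between two blocks
ADDR_RE = re.compile(r"^([0-9a-f]{6})(?:-([0-9a-f]{6}))?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

Block = namedtuple("Block", "node_id start end calls")   # calls: API names / "call <addr>", in order
Cfg = namedtuple("Cfg", "blocks succ pred")              # blocks: id -> Block; succ/pred: id -> sorted ids

# Constructed sample input: the report's dump for the function at 0x411DEF, with a line break as an export may insert.
SAMPLE_DUMP = (
    "control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode "
    "call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm "
    "757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 "
    "760->764 765 411ecb-411ed3 760->765 766 411ee2-411ee6 764->766 767 "
    "411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc "
    "765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA\n"
    "766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 "
    "770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 "
    "772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter "
    "773->775 774->775"
)

def parse_cfg(dump: str) -> Cfg:
    """Parse one control_flow_graph dump into blocks and adjacency tables."""
    toks = dump.split()          # whitespace split also heals a dump broken across lines
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and (am := ADDR_RE.match(nxt)):   # "<id> <addr>" opens a new block
            start = int(am.group(1), 16)
            cur = Block(int(t), start, int(am.group(2), 16) if am.group(2) else start, [])
            blocks[cur.node_id] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {t!r} before the first block")
        elif t == "call":                           # consumed with its target, so a decimal-looking
            cur.calls.append(f"call {nxt}")         # target is never mistaken for a node id
            i += 2
        elif t == "*" and nxt.isdigit() and cur.calls:   # "call X * n": same target n times
            cur.calls.extend([cur.calls[-1]] * (int(nxt) - 1))
            i += 2
        else:                                       # anything else is an imported API name
            cur.calls.append(t)
            i += 1
    succ = {n: [] for n in blocks}
    pred = {n: [] for n in blocks}
    for a, b in edges:
        if a not in blocks or b not in blocks:
            raise ValueError(f"edge {a}->{b} references an undefined block")
        succ[a].append(b)
        pred[b].append(a)
    for table in (succ, pred):
        for lst in table.values():
            lst.sort()
    return Cfg(blocks, succ, pred)

def entry_block(cfg: Cfg) -> int:
    """The block no edge leads into (lowest address on a tie, or if the whole graph is one cycle)."""
    roots = [n for n, p in cfg.pred.items() if not p] or list(cfg.blocks)
    return min(roots, key=lambda n: cfg.blocks[n].start)

def back_edges(cfg: Cfg, entry: int) -> set:
    """DFS back edges from entry; each one closes a loop (spin/sleep loops show up here)."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {n: WHITE for n in cfg.blocks}
    color[entry] = GREY
    found, stack = set(), [(entry, iter(cfg.succ[entry]))]
    while stack:
        node, it = stack[-1]
        for nxt in it:
            if color[nxt] == WHITE:
                color[nxt] = GREY
                stack.append((nxt, iter(cfg.succ[nxt])))
                break
            if color[nxt] == GREY:
                found.add((node, nxt))
        else:                                       # successors exhausted: finish this block
            color[node] = BLACK
            stack.pop()
    return found

def api_calls(cfg: Cfg) -> list:
    """(block start address, API name) for every imported call, in address order."""
    out = []
    for b in sorted(cfg.blocks.values(), key=lambda b: b.start):
        out.extend((b.start, c) for c in b.calls if not c.startswith("call "))
    return out
```

On the 0x411DEF dump this yields 15 blocks, 22 edges and three back edges (the small loops at 0x411F05, 0x411ECB and 0x411EE2), with the imported calls in address order. back_edges is the quick way to locate the tight loops behind the "high CPU usage" and "evasive API chain" signatures in the overview; a dump that parses to more than one root in entry_block is a hint that the assumed grammar does not hold for it and the tokens should be checked by hand.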

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                              • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                              • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                              • DispatchMessageW.USER32(?), ref: 00401B89
                              • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                              • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                              Similarity
                              • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                              • String ID: Static
                              • API String ID: 1156981321-2272013587
                              • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                              • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                              • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                              • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x40B163, blocks spanning 0x40B163-0x40B2F9. Imported calls: memcpy (two call sites), memmove, ??3@YAXPAX@Z (operator delete, two call sites); internal calls to 0x40F0B6, 0x40AC2D (two call sites), 0x40ADC3 and 0x40DCFB.
                              APIs
                              • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                              • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                              Similarity
                              • API ID: ??3@memcpymemmove
                              • String ID:
                              • API String ID: 3549172513-3916222277
                              • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                              • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                              • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                              • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x403354, blocks spanning 0x403354-0x4034C0. Imported calls: lstrlenW, GetSystemTimeAsFileTime, GetFileAttributesW, memcpy, ??3@YAXPAX@Z (operator delete, three call sites); internal calls to 0x4024FC, 0x40112B, 0x401986 (three call sites), 0x40301A and 0x407776 (two call sites).
                              APIs
                              • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                              • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                              • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                              • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                              Similarity
                              • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                              • String ID:
                              • API String ID: 846840743-0
                              • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                              • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                              • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                              • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                              • wsprintfW.USER32 ref: 004044A7
                                • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                              • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533 (comctl32 ordinal 17 is InitCommonControls)
                              The SHGetSpecialFolderPathW call followed by wsprintfW with the format string 7zSfxFolder%02d (see String ID below) builds a numbered extraction directory under a shell special folder; that directory is the first place to look for the dropped PE files the overview reports.
                              Similarity
                              • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                              • String ID: 7zSfxFolder%02d$IA
                              • API String ID: 3387708999-1317665167
                              • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                              • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                              • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                              • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x408EA4, blocks spanning 0x408EA4-0x4093FE, the largest function in this listing. Imported calls: ??2@YAPAXI@Z (operator new, three call sites in the graph); internal calls include 0x40AEF3, 0x4065EA, 0x408726, 0x408D21, 0x408B7C, 0x408858, 0x40E8DA, 0x40874D, 0x4087EA, 0x40E811, 0x408761, 0x40E959, 0x40D94B, 0x40CDB8, 0x4010E2, 0x40CE70 and 0x40F160. Two graph nodes share the address 0x4093D7, one calling 0x40CE70 and the other 0x40F160.
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                              • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                              Similarity
                              • API ID: ??2@
                              • String ID: IA$IA
                              • API String ID: 1033339047-1400641299
                              • Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                              • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                              • Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                              • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x410CD0, three blocks spanning 0x410CD0-0x410D23, no loops. The entry block calls 0x410B9A and then free.
                              Similarity
                              • API ID: free
                              • String ID: $KA$4KA$HKA$\KA
                              • API String ID: 1294909896-3316857779
                              • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                              • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                              • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                              • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x4096C7, blocks spanning 0x4096C7-0x409BA4. Imported calls: _EH_prolog (the MSVC exception-handling frame setup, so the function has C++ unwind state), ??2@YAPAXI@Z (operator new, two call sites); internal calls include 0x4010E2, 0x40118A, 0x408E4E, 0x409425, 0x4094E0, 0x40969D, 0x40E959, 0x4095B7, 0x409403, 0x40EBF7, 0x40EB24, 0x40EB19, 0x409530, 0x409C13, 0x409FB4, 0x409603, 0x4094B1, 0x408EA4 and 0x409F49.
                              APIs
                              • _EH_prolog.MSVCRT ref: 004096D0
                              • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                              • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                              Similarity
                              • API ID: ??2@$H_prolog
                              • String ID: HIA
                              • API String ID: 3431946709-2712174624
                              • Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                              • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                              • Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                              • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x402844, blocks spanning 0x402844-0x402985. Imported calls: lstrlenA (two call sites), memcmp (two call sites), memmove; internal calls to 0x411C20, 0x40DCFB, 0x40DCC7 and 0x402640. Both memcmp calls lie inside a loop (blocks 0x4028CD-0x402939).
                              APIs
                              • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                              • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                              • memcmp.MSVCRT(?,?,?), ref: 004028E4
                              • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                              • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                              Similarity
                              • API ID: lstrlenmemcmp$memmove
                              • String ID:
                              • API String ID: 3251180759-0
                              • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                              • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                              • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                              • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                              Control-flow Graph

                              Control-flow graph (graph rendering omitted): function at 0x40150B, blocks spanning 0x40150B-0x401623. Imported calls in graph order: CreateThread, WaitForSingleObject, GetExitCodeThread, SetLastError; internal calls to 0x408726, 0x401329, 0x401429, 0x40786B and 0x407776 (two call sites). The function waits on the thread it creates and then reads its exit code with GetExitCodeThread, so the caller blocks on the worker rather than running alongside it; the thread start routine is 0x40129C (third CreateThread argument in the APIs list below).
                              APIs
                              • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                              • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                              • String ID:
                              • API String ID: 359084233-0
                              • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                              • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                              • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                              Control-flow Graph (image; legend: Executed / Not Executed): function 00401986, basic blocks 401986-4019cb, calls CreateDirectoryW, GetLastError, GetFileAttributesW, SetLastError
                              APIs
                              • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                              • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ErrorLast$AttributesCreateDirectoryFile
                              • String ID:
                              • API String ID: 635176117-0
                              • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                              • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                              • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                              Control-flow Graph (image; legend: Executed / Not Executed): function 00404A44, basic blocks 404a44-404afd, calls sub_408676, ??2@YAPAXI@Z (operator new), sub_40a9f8, sub_408726, sub_40dcfb, sub_40b2fc, sub_40a7de, sub_407776, sub_403354, sub_404292, sub_40150b
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                              • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@
                              • String ID: ExecuteFile
                              • API String ID: 1033339047-323923146
                              • Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
                              • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                              • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                              Control-flow Graph (image; legend: Executed / Not Executed): function 0040ADC3, basic blocks 40adc3-40ae0f, calls ??2@YAPAXI@Z (operator new), memmove, ??3@YAXPAX@Z (operator delete)
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                              • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@??3@memmove
                              • String ID:
                              • API String ID: 3828600508-0
                              • Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
                              • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                              • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID: @
                              • API String ID: 1890195054-2766056989
                              • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                              • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                              • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                              APIs
                                • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$??2@ExceptionThrowmemmove
                              • String ID:
                              • API String ID: 4269121280-0
                              • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                              • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                              • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@H_prolog
                              • String ID:
                              • API String ID: 1329742358-0
                              • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                              • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                              • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@??3@
                              • String ID:
                              • API String ID: 1936579350-0
                              • Opcode ID: 453a3e3f1ff100c9dcfb77a92201942aa697f3f866fb972755d4e05e551f17b9
                              • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                              • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@??3@
                              • String ID:
                              • API String ID: 1936579350-0
                              • Opcode ID: 161b1d3c566106e9ad65e75d5d4507556b29aa609190ea75727e2c569a68f83b
                              • Instruction ID: 09ebe67ff45b08f81c36141d9c2dc2e417a159b47c448e0a3757dda97e47d19e
                              • Instruction Fuzzy Hash: 8CF030351046529FC330DF69C584853F7E4EB59715721887FE1D6D36A2C674A880CB64
                              APIs
                              • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                              • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                              • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
                              • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
                              APIs
                              • SysAllocString.OLEAUT32(?), ref: 0040ED05
                              • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                              • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
                              • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
                              APIs
                              • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                              • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
                              • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                              • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                              • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                              APIs
                              • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                              • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                              • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                              • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
                              • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
                              APIs
                                • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                              • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: CloseCreateFileHandle
                              • String ID:
                              • API String ID: 3498533004-0
                              • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                              • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
                              • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                              • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
                              APIs
                              • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                              • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
                              • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                              • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
                              APIs
                              • _beginthreadex.MSVCRT ref: 00406552
                                • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              • Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                              • Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
                              • Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                              • Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                              • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
                              • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                              • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
                              APIs
                              • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                              • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                              • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                              • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                              • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                              • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                              • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                              • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                              • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                              • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                              APIs
                              • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ExceptionThrow
                              • String ID:
                              • API String ID: 432778473-0
                              • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                              • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                              • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                              • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                              • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                              • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                              • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@
                              • String ID:
                              • API String ID: 1033339047-0
                              • Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
                              • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                              • Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
                              • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                              APIs
                              • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                              • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                              • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                              • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                              • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                              • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                              • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                              APIs
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                              • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                              • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                              • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                              • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                              • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                              • Instruction Fuzzy Hash:
                              APIs
                              • _wtol.MSVCRT ref: 004034E5
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                              • _wtol.MSVCRT ref: 0040367F
                              • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                              • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                              • String ID: .lnk
                              • API String ID: 408529070-24824748
                              • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                              • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                              • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                              • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                              APIs
                              • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                              • wsprintfW.USER32 ref: 00401FFD
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                              • GetLastError.KERNEL32 ref: 00402017
                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                              • GetLastError.KERNEL32 ref: 0040204C
                              • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                              • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                              • SetLastError.KERNEL32(00000000), ref: 00402098
                              • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                              • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                              • _wtol.MSVCRT ref: 0040212A
                              • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                              • String ID: 7zSfxString%d$XpA$\3A
                              • API String ID: 2117570002-3108448011
                              • Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                              • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                              • Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                              • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                              • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                              • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                              • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                              • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                              • LockResource.KERNEL32(00000000), ref: 00401C41
                              • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                              • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                              • wsprintfW.USER32 ref: 00401C95
                              • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                              • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                              • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                              • API String ID: 2639302590-365843014
                              • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                              • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                              • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                              • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                              APIs
                              • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                              • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                              • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                              • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                              • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                              • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                              • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                              • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                              • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                              • String ID:
                              • API String ID: 829399097-0
                              • Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                              • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                              • Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                              • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                              • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                              • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                              • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                              • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                              • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                              • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                              • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                              • String ID:
                              • API String ID: 1862581289-0
                              • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                              • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                              • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                              • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                              APIs
                              • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                              • GetWindow.USER32(?,00000005), ref: 00406D8F
                              • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: Window$AddressLibraryLoadProc
                              • String ID: SetWindowTheme$\EA$uxtheme
                              • API String ID: 324724604-1613512829
                              • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                              • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                              • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                              • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                              APIs
                              • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                              • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                              • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                              • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                              • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                              • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                              • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                              • API String ID: 3007203151-3467708659
                              • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                              • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                              • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                              • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                              APIs
                              • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                              • _wtol.MSVCRT ref: 004047DC
                              • _wtol.MSVCRT ref: 004047F8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                              • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                              • API String ID: 2725485552-3187639848
                              • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                              • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                              • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                              • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                              APIs
                              • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                              • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                              • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                              • GetParent.USER32(?), ref: 00402E2E
                              • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                              • GetMenu.USER32(?), ref: 00402E55
                              • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                              • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                              • DestroyWindow.USER32(?), ref: 00402EA3
                              • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                              • GetSysColor.USER32(0000000F), ref: 00402EBC
                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                              • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                              • String ID: RichEdit20W$STATIC$riched20${\rtf
                              • API String ID: 1731037045-2281146334
                              • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                              • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                              • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                              • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                              APIs
                              • GetWindowDC.USER32(00000000), ref: 00401CD4
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                              • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                              • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                              • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                              • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                              • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                              • CreateCompatibleDC.GDI32(?), ref: 00401D52
                              • SelectObject.GDI32(00000000,?), ref: 00401D60
                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                              • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                              • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                              • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                              • SelectObject.GDI32(00000000,?), ref: 00401DB3
                              • SelectObject.GDI32(00000000,?), ref: 00401DB9
                              • DeleteDC.GDI32(00000000), ref: 00401DC2
                              • DeleteDC.GDI32(00000000), ref: 00401DC5
                              • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                              • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                              • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                              • String ID:
                              • API String ID: 3462224810-0
                              • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                              • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                              • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                              • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                              APIs
                              • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                              • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                              • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                              • GetMenu.USER32(?), ref: 00401E44
                                • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                              • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                              • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                              • CoInitialize.OLE32(00000000), ref: 00401E8C
                              • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                              • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                              • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                              • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                              • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                              • String ID: IMAGES$STATIC
                              • API String ID: 4202116410-1168396491
                              • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                              • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                              • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                              • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                              APIs
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                              • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                              • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                              • SetWindowLongW.USER32(00000000), ref: 004081D8
                              • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                              • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                              • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                              • SetFocus.USER32(00000000), ref: 0040821D
                              • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                              • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                              • GetDlgItem.USER32(?,00000002), ref: 00408294
                              • IsWindow.USER32(00000000), ref: 00408297
                              • GetDlgItem.USER32(?,00000002), ref: 004082A7
                              • EnableWindow.USER32(00000000), ref: 004082AA
                              • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                              • ShowWindow.USER32(00000000), ref: 004082C1
                                • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                              Similarity
                              • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                              • String ID:
                              • API String ID: 855516470-0
                              • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                              • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                              • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                              • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                              • strncmp.MSVCRT ref: 004031F1
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                              • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                              • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                              Strings
                              Similarity
                              • API ID: ??3@$lstrcmpstrncmp
                              • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                              • API String ID: 2881732429-172299233
                              • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                              • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                              • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                              • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                              APIs
                              • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                              • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                              • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                              • GetSystemMetrics.USER32(00000011), ref: 00406B11
                              • GetSystemMetrics.USER32(00000008), ref: 00406B18
                              • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                              • GetParent.USER32(?), ref: 00406B43
                              • GetClientRect.USER32(00000000,?), ref: 00406B55
                              • ClientToScreen.USER32(?,?), ref: 00406B68
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                              • GetClientRect.USER32(?,?), ref: 00406C55
                              • ClientToScreen.USER32(?,?), ref: 00406B71
                                • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                              • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                              • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                              Similarity
                              • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                              • String ID:
                              • API String ID: 747815384-0
                              • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                              • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                              • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                              • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                              • LoadIconW.USER32(00000000), ref: 00407D33
                              • GetSystemMetrics.USER32(00000032), ref: 00407D43
                              • GetSystemMetrics.USER32(00000031), ref: 00407D48
                              • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                              • LoadImageW.USER32(00000000), ref: 00407D54
                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                              • GetWindow.USER32(?,00000005), ref: 00407E76
                              • GetWindow.USER32(?,00000005), ref: 00407E92
                              • GetWindow.USER32(?,00000005), ref: 00407EAA
                              • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                              • LoadIconW.USER32(00000000), ref: 00407F0D
                              • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                              • SendMessageW.USER32(00000000), ref: 00407F2F
                                • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              Similarity
                              • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                              • String ID:
                              • API String ID: 1889686859-0
                              • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                              • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                              • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                              • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                              APIs
                              • GetParent.USER32(?), ref: 00406F45
                              • GetWindowLongW.USER32(00000000), ref: 00406F4C
                              • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                              • GetSystemMetrics.USER32(00000031), ref: 00406F91
                              • GetSystemMetrics.USER32(00000032), ref: 00406F98
                              • GetWindowDC.USER32(?), ref: 00406FAA
                              • GetWindowRect.USER32(?,?), ref: 00406FB7
                              • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                              • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                              Similarity
                              • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                              • String ID:
                              • API String ID: 2586545124-0
                              • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                              • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                              • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                              • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                              APIs
                              • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                              • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                              • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                              • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                              • GetDlgItem.USER32(?,?), ref: 004067CC
                              • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                              • GetDlgItem.USER32(?,?), ref: 004067DD
                              • SetFocus.USER32(00000000,?,000004B4,75920E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                              Similarity
                              • API ID: ItemMessageSend$Focus
                              • String ID:
                              • API String ID: 3946207451-0
                              • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                              • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                              • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                              • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                              Strings
                              Similarity
                              • API ID: ??3@
                              • String ID: IA$IA$IA$IA$IA$IA
                              • API String ID: 613200358-3743982587
                              • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                              • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                              • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                              • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                              Strings
                              Similarity
                              • API ID: ??3@
                              • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                              • API String ID: 613200358-994561823
                              • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                              • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                              • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                              • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                              APIs
                              • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                              • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                              • GetDC.USER32(00000000), ref: 00406DFB
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                              • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                              • ReleaseDC.USER32(00000000,?), ref: 00406E24
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                              • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                              Similarity
                              • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                              • String ID:
                              • API String ID: 2693764856-0
                              • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                              • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                              • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                              • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                              APIs
                              • GetDC.USER32(?), ref: 0040696E
                              • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                              • GetSystemMetrics.USER32(0000003D), ref: 00406993
                              • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                              • SelectObject.GDI32(?,?), ref: 004069B8
                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                              • SelectObject.GDI32(?,?), ref: 004069F9
                              • ReleaseDC.USER32(?,?), ref: 00406A08
                              Similarity
                              • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                              • String ID:
                              • API String ID: 2466489532-0
                              • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                              • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                              • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                              • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                              • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                              • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                              • wsprintfW.USER32 ref: 00407BBB
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                              Strings
                              Similarity
                              • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                              • String ID: %d%%
                              • API String ID: 3753976982-1518462796
                              • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                              • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                              • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                              • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                              APIs
                              • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$CharUpper$lstrlen
                              • String ID: hAA
                              • API String ID: 2587799592-1362906312
                              • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                              • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                              • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                              • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$FileTime$AttributesSystemlstrlen
                              • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                              • API String ID: 4038993085-2279431206
                              • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                              • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                              • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                              • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                              APIs
                              • EndDialog.USER32(?,00000000), ref: 00407579
                              • KillTimer.USER32(?,00000001), ref: 0040758A
                              • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                              • SuspendThread.KERNEL32(0000027C), ref: 004075CD
                              • ResumeThread.KERNEL32(0000027C), ref: 004075EA
                              • EndDialog.USER32(?,00000000), ref: 0040760C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: DialogThreadTimer$KillResumeSuspend
                              • String ID:
                              • API String ID: 4151135813-0
                              • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                              • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                              • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                              • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                              • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                              • wsprintfA.USER32 ref: 00404EBC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$wsprintf
                              • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                              • API String ID: 2704270482-1550708412
                              • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                              • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                              • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                              • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
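As an added check for readers of this listing (example code written here, not Joe Sandbox output and not code recovered from the sample): the strings ;!@Install@!UTF-8! and ;!@InstallEnd@! referenced by the functions above are the delimiters the 7-Zip SFX module uses around its embedded installer config, and %%T is that config's placeholder for the extraction temp directory. The Python below locates such a block in a file image and parses the key="value" settings inside it, which is the quickest way to learn what an SFX-style stub is set to run after extraction. The function names and the sample bytes are this example's own constructions; nothing here states what this particular sample's config contains.

```python
"""Locate and parse a 7-Zip SFX style config block in a byte blob.

Added example for the report above. It only relies on the two marker
strings seen in the listing; the helper names and SAMPLE are constructed
for the demo and are not taken from the analysed file.
"""
import re
from typing import Dict, Optional

CONFIG_START = b";!@Install@!UTF-8!"   # opening marker, as seen in the listing
CONFIG_END = b";!@InstallEnd@!"        # closing marker, as seen in the listing

# One setting per line: key="value" (quotes optional in this parser).
_KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')


def find_sfx_config(blob: bytes) -> Optional[str]:
    """Return the text between the markers, or None if absent or unterminated."""
    start = blob.find(CONFIG_START)
    if start < 0:
        return None
    body_start = start + len(CONFIG_START)
    end = blob.find(CONFIG_END, body_start)
    if end < 0:
        return None                      # truncated block: do not guess
    return blob[body_start:end].decode("utf-8", errors="replace")


def parse_sfx_config(text: str) -> Dict[str, str]:
    """Parse key="value" lines; lines starting with ';' are treated as comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def sfx_settings(blob: bytes) -> Dict[str, str]:
    """Convenience wrapper: empty dict when no complete config block is found."""
    text = find_sfx_config(blob)
    return parse_sfx_config(text) if text else {}


# Constructed sample image: a few stub bytes, the config block, then archive bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + CONFIG_START
    + b'\r\nTitle="Setup"\r\nRunProgram="setup.exe /S"\r\nGUIMode="2"\r\n'
    + CONFIG_END
    + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16
)

if __name__ == "__main__":
    # Run against a real file with: sfx_settings(open(path, "rb").read())
    for key, value in sfx_settings(SAMPLE).items():
        print(f"{key} = {value}")
```

RunProgram, ExecuteFile and Directory are the settings worth reading first, since they name what the stub launches and where; a %%T in those values refers to the temp extraction folder the stub creates at run time.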
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%T/$%%T\
                              • API String ID: 613200358-2679640699
                              • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                              • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                              • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                              • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%S/$%%S\
                              • API String ID: 613200358-358529586
                              • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                              • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                              • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                              • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%M/$%%M\
                              • API String ID: 613200358-4143866494
                              • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                              • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                              • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                              • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                              APIs
                              • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ExceptionThrow
                              • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                              • API String ID: 432778473-803145960
                              • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                              • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                              • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                              • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                              APIs
                                • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                              • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@$??3@$memmove
                              • String ID: IA$IA$IA
                              • API String ID: 4294387087-924693538
                              • Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                              • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                              • Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                              • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                              APIs
                              • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                              • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                              • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                              • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??2@??3@ExceptionThrowmemcpy
                              • String ID: IA
                              • API String ID: 3462485524-3293647318
                              • Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                              • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                              • Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                              • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: wsprintf$ExitProcesslstrcat
                              • String ID: 0x%p
                              • API String ID: 2530384128-1745605757
                              • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                              • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                              • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                              • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                              APIs
                                • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                              • GetSystemMetrics.USER32(00000007), ref: 00407A51
                              • GetSystemMetrics.USER32(00000007), ref: 00407A62
                              • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: MetricsSystem$??3@
                              • String ID: 100%%
                              • API String ID: 2562992111-568723177
                              • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                              • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                              • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                              • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                              APIs
                              • wsprintfW.USER32 ref: 00407A12
                                • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                              • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: TextWindow$ItemLength$??3@wsprintf
                              • String ID: (%u%s)
                              • API String ID: 3595513934-2496177969
                              • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                              • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                              • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                              • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                              • GetProcAddress.KERNEL32(00000000), ref: 00402211
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetNativeSystemInfo$kernel32
                              • API String ID: 2574300362-3846845290
                              • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                              • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                              • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                              • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                              • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64RevertWow64FsRedirection$kernel32
                              • API String ID: 2574300362-3900151262
                              • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                              • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                              • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                              • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                              • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64DisableWow64FsRedirection$kernel32
                              • API String ID: 2574300362-736604160
                              • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                              • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                              • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                              • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1731127917-0
                              • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                              • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                              • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                              • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                              APIs
                              • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                              • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                              • wsprintfW.USER32 ref: 00403FFB
                              • GetFileAttributesW.KERNEL32(?), ref: 00404016
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: PathTemp$AttributesFilewsprintf
                              • String ID:
                              • API String ID: 1746483863-0
                              • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                              • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                              • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                              • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                              APIs
                              • CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: CharUpper
                              • String ID:
                              • API String ID: 9403516-0
                              • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                              • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                              • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                              • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                              APIs
                                • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                              • GetDlgItem.USER32(?,000004B7), ref: 00408020
                              • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                              • String ID:
                              • API String ID: 2538916108-0
                              • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                              • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                              • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                              • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                              APIs
                              • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                              • GetSystemMetrics.USER32(00000031), ref: 0040683A
                              • CreateFontIndirectW.GDI32(?), ref: 00406849
                              • DeleteObject.GDI32(00000000), ref: 00406878
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                              • String ID:
                              • API String ID: 1900162674-0
                              • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                              • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                              • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                              • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                              APIs
                              • memset.MSVCRT ref: 0040749F
                              • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                              • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                              • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                              • String ID:
                              • API String ID: 1557639607-0
                              • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                              • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                              • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                              • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                              APIs
                              • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@$EnvironmentExpandStrings$??2@
                              • String ID:
                              • API String ID: 612612615-0
                              • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                              • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                              • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                              • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                              APIs
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                              • SetWindowTextW.USER32(?,?), ref: 00403B12
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ??3@TextWindow$Length
                              • String ID:
                              • API String ID: 2308334395-0
                              • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                              • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                              • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                              • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                              APIs
                              • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                              • CreateFontIndirectW.GDI32(?), ref: 0040705B
                              • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                              • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: CreateFontIndirectItemMessageObjectSend
                              • String ID:
                              • API String ID: 2001801573-0
                              • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                              • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                              • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                              • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                              APIs
                              • GetParent.USER32(?), ref: 00401BA8
                              • GetWindowRect.USER32(?,?), ref: 00401BC1
                              • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                              • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: ClientScreen$ParentRectWindow
                              • String ID:
                              • API String ID: 2099118873-0
                              • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                              • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                              • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                              • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: _wtol
                              • String ID: GUIFlags$[G@
                              • API String ID: 2131799477-2126219683
                              • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                              • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                              • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                              • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                              APIs
                              • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2166179694.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2166160881.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166201616.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166221696.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2166240383.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_Fqae7BLq4m.jbxd
                              Similarity
                              • API ID: EnvironmentVariable
                              • String ID: ?O@
                              • API String ID: 1431749950-3511380453
                              • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                              • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                              • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                              • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                              Execution Graph

                              Execution Coverage:5.2%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:8.6%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:95
execution_graph
e74389 std::system_error::system_error BuildCatchObjectHelperInternal 111350->111359 111352 e42020 5 API calls 111351->111352 111361 e747a9 std::system_error::system_error BuildCatchObjectHelperInternal 111352->111361 111354 e3f1d0 114 API calls 111353->111354 111355 e73fe7 111354->111355 111356 e749ce 111355->111356 111355->111364 111357 e96739 std::_Winerror_message 26 API calls 111356->111357 111358 e749ec 111357->111358 111360 e38330 114 API calls 111359->111360 111363 e74471 _MallocaArrayHolder 111360->111363 111484 e75290 29 API calls 4 library calls 111361->111484 111363->111336 111364->111324 111365->111233 111366->111235 111367->111237 111369 e42575 111368->111369 111370 e425bd 111368->111370 111485 e7b7ab 5 API calls __Init_thread_wait 111369->111485 111370->111243 111370->111251 111372 e4257f 111372->111370 111486 e7bb2a 29 API calls __onexit 111372->111486 111374 e425b3 111487 e7b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 111374->111487 111377 e3f210 111376->111377 111378 e3f259 111376->111378 111488 e3f140 111377->111488 111379 e7b5dd do_wait 5 API calls 111378->111379 111380 e3f271 111379->111380 111380->111249 111380->111250 111385 e74a02 curl_easy_setopt 111384->111385 111386 e73360 111384->111386 111387 e74a2a 11 API calls 111385->111387 111388 e74a19 curl_easy_setopt curl_easy_setopt 111385->111388 111386->111257 111386->111261 111387->111386 111388->111387 111390 e42044 111389->111390 111391 e7b5dd do_wait 5 API calls 111390->111391 111392 e420c6 111391->111392 111392->111290 111393->111316 111394->111319 111395->111334 111629 e9c086 111396->111629 111398 e9c230 111398->111341 111399->111263 111400->111267 111681 e41ad0 111401->111681 111404 e69abc 111715 e417d0 111404->111715 111405 e69a1a 111696 e69d00 111405->111696 111407 e69ac6 111409 e417d0 2 API calls 111407->111409 111411 e69ad0 111409->111411 111412 e69a94 111412->111271 111420 e69de0 22 API calls 111412->111420 111413 e69a3e WideCharToMultiByte 111414 e69a58 
111413->111414 111415 e69a5e 111414->111415 111416 e69a9f 111414->111416 111418 e69a79 WideCharToMultiByte 111415->111418 111713 e6a650 22 API calls 111415->111713 111714 e6a0a0 HeapAlloc RaiseException 111416->111714 111418->111407 111418->111412 111420->111276 111422 e3837e ListArray 111421->111422 111430 e3845c _MallocaArrayHolder 111421->111430 111733 e39020 111422->111733 111423 e7b5dd do_wait 5 API calls 111424 e3847e 111423->111424 111424->111299 111424->111312 111427 e3f140 2 API calls 111428 e38413 111427->111428 111438 e4fd00 113 API calls 111428->111438 111429 e3841e 111429->111430 111431 e3858c 111429->111431 111430->111423 111432 e96739 std::_Winerror_message 26 API calls 111431->111432 111433 e38591 111432->111433 111737 e785d4 111433->111737 111438->111429 111439->111283 111441 e4147f 111440->111441 111446 e4148c 111440->111446 111742 e41250 HeapAlloc RaiseException 111441->111742 111443 e417d0 2 API calls 111445 e41552 111443->111445 111444 e41484 111444->111295 111452 e41ad0 39 API calls 111445->111452 111449 e414ca 111446->111449 111458 e414f5 BuildCatchObjectHelperInternal 111446->111458 111743 e41410 22 API calls 111446->111743 111448 e4151c 111748 e41610 20 API calls 3 library calls 111448->111748 111449->111448 111450 e414d4 111449->111450 111453 e414e5 111450->111453 111454 e414f7 111450->111454 111450->111458 111456 e4158f 111452->111456 111744 e96802 20 API calls _Atexit 111453->111744 111454->111458 111746 e96802 20 API calls _Atexit 111454->111746 111455 e41535 111455->111295 111459 e41595 111456->111459 111460 e415ef 111456->111460 111458->111443 111458->111455 111749 e41180 111459->111749 111463 e417d0 2 API calls 111460->111463 111461 e414ea 111745 e96729 26 API calls __wsopen_s 111461->111745 111466 e415f9 111463->111466 111465 e41502 111747 e96729 26 API calls __wsopen_s 111465->111747 111469 e415da 111469->111295 111471 e41470 51 API calls 111471->111469 111472->111326 111474 e97208 111473->111474 111475 e745b3 111473->111475 
111474->111475 111476 e9722a 111474->111476 111477 e97214 111474->111477 111482 e97b21 100 API calls 4 library calls 111475->111482 111768 e97013 111476->111768 111771 e96802 20 API calls _Atexit 111477->111771 111482->111331 111483->111351 111484->111364 111485->111372 111486->111374 111487->111370 111489 e7939b __Xtime_get_ticks GetSystemTimeAsFileTime 111488->111489 111490 e3f157 111489->111490 111491 e3f184 111490->111491 111492 e3f16f GetCurrentThreadId 111490->111492 111493 e4fd00 111491->111493 111492->111491 111508 e4f6a0 111493->111508 111495 e4fe02 _MallocaArrayHolder 111495->111378 111496 e4fdaa 111496->111495 111497 e96739 std::_Winerror_message 26 API calls 111496->111497 111498 e4fe28 111497->111498 111499 e7bb4d Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 111498->111499 111500 e4fe8a 111499->111500 111501 e4fd00 113 API calls 111500->111501 111502 e4fee8 111501->111502 111503 e4fffe _MallocaArrayHolder 111502->111503 111504 e96739 std::_Winerror_message 26 API calls 111502->111504 111503->111378 111505 e50022 111504->111505 111506 e50062 111505->111506 111511 e4c450 111505->111511 111506->111378 111520 e4f850 111508->111520 111510 e4f6bf 111510->111496 111537 e7a660 111511->111537 111515 e4c490 111540 e4c6a0 111515->111540 111516 e4c4be 111516->111505 111517 e4c4a4 __Mtx_unlock 111517->111516 111571 e79e53 27 API calls std::_Throw_Cpp_error 111517->111571 111521 e4f872 111520->111521 111522 e4f87a 111520->111522 111521->111510 111523 e4f882 111522->111523 111524 e4f8fb 111522->111524 111526 e4f8c4 111523->111526 111527 e4f88d 111523->111527 111536 e4ee30 27 API calls std::_Winerror_message 111524->111536 111530 e4f8e5 111526->111530 111532 e7bb4d Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 111526->111532 111529 e7bb4d Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 111527->111529 111528 e4f89e 111531 e96739 std::_Winerror_message 26 API calls 
111528->111531 111534 e4f8a7 111528->111534 111529->111528 111530->111510 111533 e4f905 111531->111533 111535 e4f8ce 111532->111535 111534->111510 111535->111510 111572 e7a3ba 111537->111572 111541 e4c7c8 ListArray 111540->111541 111542 e4c6e7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 111540->111542 111543 e971fa 98 API calls 111541->111543 111542->111541 111545 e4d3b0 27 API calls 111542->111545 111544 e4c846 111543->111544 111546 e4c8b3 111544->111546 111547 e4c84d 111544->111547 111548 e4c763 111545->111548 111604 e96802 20 API calls _Atexit 111546->111604 111550 e4c887 _MallocaArrayHolder 111547->111550 111556 e4c902 111547->111556 111549 e4ccf0 101 API calls 111548->111549 111552 e4c77c 111549->111552 111553 e7b5dd do_wait 5 API calls 111550->111553 111555 e4c7b3 _MallocaArrayHolder 111552->111555 111562 e4c8ae 111552->111562 111557 e4c8a8 111553->111557 111554 e4c8b8 111605 e4ccd0 27 API calls std::system_error::system_error 111554->111605 111603 e4d660 81 API calls 4 library calls 111555->111603 111560 e96739 std::_Winerror_message 26 API calls 111556->111560 111557->111517 111559 e4c8c8 111606 e54350 26 API calls 5 library calls 111559->111606 111563 e4c907 111560->111563 111565 e96739 std::_Winerror_message 26 API calls 111562->111565 111592 e96a27 111563->111592 111565->111546 111567 e4c918 111567->111517 111568 e4c8f1 111607 e92a4a RaiseException 111568->111607 111570 e79e53 27 API calls std::_Throw_Cpp_error 111570->111515 111571->111516 111573 e7a3e2 GetCurrentThreadId 111572->111573 111574 e7a410 111572->111574 111576 e7a3ed GetCurrentThreadId 111573->111576 111577 e7a408 111573->111577 111575 e7a414 GetCurrentThreadId 111574->111575 111581 e7a43a 111574->111581 111586 e7a423 111575->111586 111576->111577 111580 e7b5dd do_wait 5 API calls 111577->111580 111578 e7a4d3 GetCurrentThreadId 111578->111586 111579 e7a52a GetCurrentThreadId 111579->111577 111584 e4c483 111580->111584 111581->111578 111582 e7a45a 111581->111582 111590 e79475 
GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 111582->111590 111584->111515 111584->111570 111586->111577 111586->111579 111587 e7a492 GetCurrentThreadId 111587->111586 111588 e7a465 __Xtime_diff_to_millis2 111587->111588 111588->111577 111588->111586 111588->111587 111591 e79475 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 111588->111591 111590->111588 111591->111588 111593 e96a33 BuildCatchObjectHelperInternal 111592->111593 111594 e96a3a 111593->111594 111595 e96a43 111593->111595 111619 e9694f 99 API calls 4 library calls 111594->111619 111608 e97a83 EnterCriticalSection 111595->111608 111598 e96a4d 111609 e968ff 111598->111609 111600 e96a40 __wsopen_s 111600->111567 111603->111541 111604->111554 111605->111559 111606->111568 111607->111556 111608->111598 111610 e9690c 111609->111610 111611 e96915 111609->111611 111627 e9694f 99 API calls 4 library calls 111610->111627 111621 e96899 111611->111621 111615 e96912 111620 e96a78 LeaveCriticalSection __fread_nolock 111615->111620 111616 ea79c9 __fread_nolock 26 API calls 111617 e96935 111616->111617 111628 ea70d3 30 API calls 2 library calls 111617->111628 111619->111600 111620->111600 111622 e968ad 111621->111622 111623 e968b1 111621->111623 111622->111615 111622->111616 111623->111622 111624 ea79c9 __fread_nolock 26 API calls 111623->111624 111625 e968d1 111624->111625 111626 ea76d2 __wsopen_s 95 API calls 111625->111626 111626->111622 111627->111615 111628->111615 111632 e9c092 BuildCatchObjectHelperInternal 111629->111632 111630 e9c0a0 111654 e96802 20 API calls _Atexit 111630->111654 111632->111630 111634 e9c0cd 111632->111634 111633 e9c0a5 111655 e96729 26 API calls __wsopen_s 111633->111655 111636 e9c0df 111634->111636 111637 e9c0d2 111634->111637 111646 ea9f38 111636->111646 111656 e96802 20 API calls _Atexit 111637->111656 111641 e9c0b0 __wsopen_s 111641->111398 111647 ea9f44 BuildCatchObjectHelperInternal 111646->111647 111659 e9c53e EnterCriticalSection 111647->111659 111649 ea9f52 111660 
ea9fd2 111649->111660 111654->111633 111655->111641 111656->111641 111659->111649 111667 ea9ff5 111660->111667 111661 ea9f5f 111673 ea9f8e 111661->111673 111662 eaa04e 111667->111661 111667->111662 111676 e97a83 EnterCriticalSection 111667->111676 111677 e97a97 LeaveCriticalSection 111667->111677 111676->111667 111677->111667 111682 e41ae6 111681->111682 111684 e41b41 111681->111684 111723 e7b7ab 5 API calls __Init_thread_wait 111682->111723 111695 e41bbf 111684->111695 111726 e7b7ab 5 API calls __Init_thread_wait 111684->111726 111686 e41af0 111686->111684 111688 e41afc GetProcessHeap 111686->111688 111687 e41b5c 111687->111695 111727 e7bb2a 29 API calls __onexit 111687->111727 111724 e7bb2a 29 API calls __onexit 111688->111724 111691 e41b37 111725 e7b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 111691->111725 111692 e41bb5 111728 e7b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 111692->111728 111695->111404 111695->111405 111697 e69d13 111696->111697 111710 e69a36 111696->111710 111697->111710 111729 e41000 9 API calls 111697->111729 111699 e69d2a 111700 e69d34 FindResourceW 111699->111700 111699->111710 111701 e69d48 111700->111701 111700->111710 111730 e41080 LoadResource LockResource SizeofResource 111701->111730 111703 e69d52 111704 e69d5b WideCharToMultiByte 111703->111704 111703->111710 111705 e69dcb 111704->111705 111706 e69d7b 111704->111706 111708 e417d0 2 API calls 111705->111708 111707 e69d98 WideCharToMultiByte 111706->111707 111731 e6a650 22 API calls 111706->111731 111707->111705 111707->111710 111711 e69dd5 111708->111711 111710->111412 111710->111413 111710->111414 111712 e69d96 111712->111707 111713->111418 111714->111412 111716 e417de 111715->111716 111732 e92a4a RaiseException 111716->111732 111718 e417eb 111719 e417fd 111718->111719 111720 e4180e 111718->111720 111719->111407 111721 e417d0 RaiseException 111720->111721 111722 e41818 HeapAlloc 111721->111722 111722->111407 111723->111686 111724->111691 
111725->111684 111726->111687 111727->111692 111728->111695 111729->111699 111730->111703 111731->111712 111732->111718 111734 e39067 111733->111734 111735 e7b5dd do_wait 5 API calls 111734->111735 111736 e383e1 111735->111736 111736->111427 111738 e785e2 111737->111738 111741 e92a4a RaiseException 111738->111741 111740 e785f0 111741->111740 111742->111444 111743->111449 111744->111461 111745->111458 111746->111465 111747->111458 111748->111458 111750 e41193 111749->111750 111762 e41219 111749->111762 111750->111762 111763 e41000 9 API calls 111750->111763 111752 e411aa 111753 e411b0 FindResourceW 111752->111753 111752->111762 111754 e411c4 111753->111754 111753->111762 111764 e41080 LoadResource LockResource SizeofResource 111754->111764 111756 e411ce 111757 e411fa 111756->111757 111756->111762 111765 e41410 22 API calls 111756->111765 111766 e96815 26 API calls 4 library calls 111757->111766 111760 e41213 111767 e410e0 HeapAlloc RaiseException 111760->111767 111762->111469 111762->111471 111763->111752 111764->111756 111765->111757 111766->111760 111767->111762 111813 e6e1b0 111814 e6e1e5 111813->111814 111816 e6e1fb 111813->111816 111815 e6e2ba 111817 e7a660 Concurrency::details::_CancellationTokenState::_RegisterCallback 12 API calls 111815->111817 111827 e6e30b 111815->111827 111816->111815 111821 e6e26e 111816->111821 111816->111827 111828 e70f50 111816->111828 111819 e6e2ca 111817->111819 111820 e6e297 __Mtx_unlock 111819->111820 111847 e79e53 27 API calls std::_Throw_Cpp_error 111819->111847 111820->111827 111848 e79e53 27 API calls std::_Throw_Cpp_error 111820->111848 111823 e7a660 Concurrency::details::_CancellationTokenState::_RegisterCallback 12 API calls 111821->111823 111821->111827 111824 e6e28a 111823->111824 111824->111820 111846 e79e53 27 API calls std::_Throw_Cpp_error 111824->111846 111829 e70f95 111828->111829 111834 e71121 111828->111834 111829->111834 111849 e94fb8 111829->111849 111831 e7b5dd do_wait 5 API calls 111832 e711f6 111831->111832 
111832->111816 111833 e70fab FindHandler 111833->111834 111835 e7a660 Concurrency::details::_CancellationTokenState::_RegisterCallback 12 API calls 111833->111835 111834->111831 111836 e70fd3 111835->111836 111839 e70fe0 111836->111839 111854 e79e53 27 API calls std::_Throw_Cpp_error 111836->111854 111855 e94ec5 RaiseException 7 library calls 111839->111855 111840 e70ffd 111841 e711fc 111840->111841 111843 e710c8 __Mtx_unlock 111840->111843 111842 e785d4 RaiseException 111841->111842 111845 e71201 _MallocaArrayHolder 111842->111845 111843->111834 111856 e79e53 27 API calls std::_Throw_Cpp_error 111843->111856 111845->111816 111846->111820 111847->111820 111848->111827 111851 e94fc4 std::__non_rtti_object::__construct_from_string_literal BuildCatchObjectHelperInternal 111849->111851 111850 e94fdb 111850->111833 111851->111850 111857 e92a4a RaiseException 111851->111857 111853 e95044 111854->111839 111855->111840 111856->111834 111857->111853 111858 e68a70 111996 e75630 111858->111996 111860 e68ac4 ListArray 111862 e68b4e MultiByteToWideChar 111860->111862 112053 e4b210 111860->112053 112090 e935c0 111996->112090 111999 e756bc SetupDiEnumDeviceInfo 112002 e75807 SetupDiDestroyDeviceInfoList 111999->112002 112028 e756e5 111999->112028 112000 e7586a 112166 e76390 7 API calls 4 library calls 112000->112166 112002->112000 112003 e7582a 112002->112003 112005 e758f6 112003->112005 112010 e75903 ListArray 112003->112010 112004 e756f0 SetupDiGetDeviceInstanceIdW 112004->112002 112004->112028 112167 e96802 20 API calls _Atexit 112005->112167 112007 e75908 112009 e7596e 112007->112009 112019 e7597b ListArray 112007->112019 112008 e758fb 112169 e96729 26 API calls __wsopen_s 112008->112169 112170 e96802 20 API calls _Atexit 112009->112170 112010->112007 112168 e96802 20 API calls _Atexit 112010->112168 112011 ea423c 73 API calls 112011->112028 112014 e75980 112105 e75590 112014->112105 112017 e757e4 SetupDiEnumDeviceInfo 112017->112002 112017->112004 112018 e75973 112172 e96729 
26 API calls __wsopen_s 112018->112172 112019->112014 112171 e96802 20 API calls _Atexit 112019->112171 112023 e759bc 112024 e759fe 112023->112024 112029 e75a0b ListArray 112023->112029 112173 e96802 20 API calls _Atexit 112024->112173 112026 e75a10 112125 e76aa0 112026->112125 112027 e75a03 112175 e96729 26 API calls __wsopen_s 112027->112175 112028->112004 112028->112011 112028->112017 112092 e76520 112028->112092 112029->112026 112174 e96802 20 API calls _Atexit 112029->112174 112034 e762af 112152 e721e0 112034->112152 112036 e76305 112158 e72040 112036->112158 112039 e75590 26 API calls 112040 e76323 112039->112040 112041 e7b5dd do_wait 5 API calls 112040->112041 112042 e76343 112041->112042 112042->111860 112043 e75b76 std::system_error::system_error 112044 e76349 112043->112044 112047 e75c60 std::system_error::system_error _MallocaArrayHolder 112043->112047 112052 e7623a _MallocaArrayHolder 112043->112052 112045 e96739 std::_Winerror_message 26 API calls 112044->112045 112046 e76380 112045->112046 112048 e76245 112047->112048 112049 e7621d 112047->112049 112051 e75590 26 API calls 112048->112051 112050 e75590 26 API calls 112049->112050 112050->112052 112051->112052 112147 e76740 112052->112147 112091 e7567a SetupDiGetClassDevsW 112090->112091 112091->111999 112091->112000 112094 e76556 ListArray 112092->112094 112093 e76604 CreateFileW 112095 e7671f 112093->112095 112096 e76628 DeviceIoControl 112093->112096 112094->112093 112099 e7b5dd do_wait 5 API calls 112095->112099 112097 e7666b __ExceptionPtr::_CallCopyCtor 112096->112097 112098 e76688 DeviceIoControl 112096->112098 112097->112098 112100 e76705 CloseHandle 112098->112100 112104 e766c3 __ExceptionPtr::_CallCopyCtor 112098->112104 112101 e7672d 112099->112101 112102 e7b5dd do_wait 5 API calls 112100->112102 112101->112028 112103 e7671b 112102->112103 112103->112028 112104->112100 112106 e755a4 112105->112106 112107 e7559e 112105->112107 112108 e755a8 112106->112108 112113 e755c1 ListArray 112106->112113 
112107->112023 112176 e96802 20 API calls _Atexit 112108->112176 112110 e755ad 112177 e96729 26 API calls __wsopen_s 112110->112177 112111 e755cd __ExceptionPtr::_CallCopyCtor 112111->112023 112113->112111 112115 e755ef 112113->112115 112116 e75609 112113->112116 112114 e755b8 112114->112023 112178 e96802 20 API calls _Atexit 112115->112178 112117 e755ff 112116->112117 112180 e96802 20 API calls _Atexit 112116->112180 112117->112023 112120 e755f4 112179 e96729 26 API calls __wsopen_s 112120->112179 112121 e75612 112181 e96729 26 API calls __wsopen_s 112121->112181 112124 e7561d 112124->112023 112182 e77640 112125->112182 112127 e76b01 112128 e77640 27 API calls 112127->112128 112129 e76b0b 112128->112129 112194 e77700 112129->112194 112131 e76db2 _MallocaArrayHolder 112132 e7b5dd do_wait 5 API calls 112131->112132 112135 e76dd7 112132->112135 112133 e76b13 112140 e76b49 112133->112140 112146 e76b1a _MallocaArrayHolder 112133->112146 112234 e779e0 27 API calls 4 library calls 112133->112234 112134 e76de0 112136 e96739 std::_Winerror_message 26 API calls 112134->112136 112135->112043 112139 e76de5 112136->112139 112140->112146 112235 e779e0 27 API calls 4 library calls 112140->112235 112141 e76c36 112142 e4ae30 26 API calls 112141->112142 112141->112146 112143 e76c87 112142->112143 112144 e76ddb 112143->112144 112143->112146 112145 e96739 std::_Winerror_message 26 API calls 112144->112145 112145->112134 112146->112131 112146->112134 112151 e7674e _MallocaArrayHolder 112147->112151 112148 e96739 std::_Winerror_message 26 API calls 112149 e76a96 112148->112149 112150 e76a72 _MallocaArrayHolder 112150->112034 112151->112148 112151->112150 112153 e72212 __ExceptionPtr::_CallCopyCtor 112152->112153 112154 e7226b __ExceptionPtr::_CallCopyCtor 112153->112154 112293 e722a0 5 API calls do_wait 112153->112293 112154->112036 112156 e72245 112156->112154 112294 e722a0 5 API calls do_wait 112156->112294 112159 e7205d 112158->112159 112165 e720d2 112158->112165 112162 e721e0 5 API 
calls 112159->112162 112160 e7b5dd do_wait 5 API calls 112161 e7212c 112160->112161 112161->112039 112163 e720c5 112162->112163 112164 e721e0 5 API calls 112163->112164 112164->112165 112165->112160 112166->112003 112167->112008 112168->112008 112169->112007 112170->112018 112171->112018 112172->112014 112173->112027 112174->112027 112175->112026 112176->112110 112177->112114 112178->112120 112179->112117 112180->112121 112181->112124 112183 e7766a 112182->112183 112184 e7bb4d Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 112183->112184 112186 e776df 112183->112186 112185 e77689 112184->112185 112187 e776d3 112185->112187 112188 e776ba 112185->112188 112191 e7b5dd do_wait 5 API calls 112186->112191 112236 e782f0 27 API calls 5 library calls 112187->112236 112189 e7b5dd do_wait 5 API calls 112188->112189 112193 e776cd 112189->112193 112192 e776ec 112191->112192 112192->112127 112193->112127 112237 e77280 112194->112237 112196 e7771e 112197 e77733 GetProcAddress 112196->112197 112198 e778dc GetProcAddress 112196->112198 112201 e77765 LoadLibraryA 112197->112201 112202 e77748 GetCurrentProcess 112197->112202 112203 e778f3 112198->112203 112204 e77948 GetSystemFirmwareTable 112198->112204 112206 e777e2 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 112201->112206 112231 e7786d 112201->112231 112212 e77756 112202->112212 112290 e77ee0 50 API calls 3 library calls 112203->112290 112207 e77979 112204->112207 112208 e7795b ListArray 112204->112208 112227 e77818 112206->112227 112206->112231 112210 e7b5dd do_wait 5 API calls 112207->112210 112217 e77961 GetSystemFirmwareTable 112208->112217 112209 e77903 112214 e77907 112209->112214 112215 e77923 112209->112215 112216 e77992 112210->112216 112212->112201 112218 e778d7 112212->112218 112213 e7787f 112213->112207 112233 e77887 112213->112233 112291 e77d60 27 API calls 2 library calls 112214->112291 112215->112207 112221 e7792b 112215->112221 112216->112133 112217->112207 112219 
e77996 112217->112219 112218->112198 112292 e77d60 27 API calls 2 library calls 112219->112292 112225 e7b5dd do_wait 5 API calls 112221->112225 112222 e77916 112223 e779c1 112222->112223 112226 e7b5dd do_wait 5 API calls 112223->112226 112228 e77944 112225->112228 112229 e779da 112226->112229 112230 e77894 ListArray 112227->112230 112227->112231 112228->112133 112229->112133 112232 e75590 26 API calls 112230->112232 112289 e77ee0 50 API calls 3 library calls 112231->112289 112232->112233 112233->112219 112234->112140 112235->112141 112236->112186 112238 e772a3 GetModuleHandleA GetProcAddress 112237->112238 112239 e7752e 112237->112239 112240 e772d7 LoadLibraryW 112238->112240 112241 e772ca GetCurrentProcess 112238->112241 112242 e7b5dd do_wait 5 API calls 112239->112242 112245 e77524 112240->112245 112246 e77314 GetProcAddress 112240->112246 112241->112240 112244 e7753b 112242->112244 112244->112196 112245->112239 112247 e77337 FreeLibrary 112246->112247 112248 e77324 112246->112248 112247->112245 112249 e77346 112247->112249 112248->112247 112250 e77383 112249->112250 112254 e7734e 112249->112254 112252 e7738c 112250->112252 112253 e77429 112250->112253 112251 e77363 112255 e7b5dd do_wait 5 API calls 112251->112255 112256 e773b3 112252->112256 112257 e77393 112252->112257 112258 e774f7 112253->112258 112259 e77432 112253->112259 112254->112245 112254->112251 112260 e7737f 112255->112260 112265 e773dc 112256->112265 112266 e773b8 112256->112266 112262 e7b5dd do_wait 5 API calls 112257->112262 112258->112245 112261 e774f9 112258->112261 112263 e774c7 112259->112263 112264 e7743d ListArray 112259->112264 112260->112196 112269 e7b5dd do_wait 5 API calls 112261->112269 112270 e773af 112262->112270 112263->112261 112268 e774cc 112263->112268 112276 e7744f GetVersionExW 112264->112276 112265->112245 112267 e773e5 112265->112267 112271 e7b5dd do_wait 5 API calls 112266->112271 112272 e77409 112267->112272 112273 e773e9 112267->112273 112274 e7b5dd do_wait 5 API calls 
112268->112274 112275 e77520 112269->112275 112270->112196 112277 e773d8 112271->112277 112279 e7b5dd do_wait 5 API calls 112272->112279 112278 e7b5dd do_wait 5 API calls 112273->112278 112280 e774f3 112274->112280 112275->112196 112281 e7746f 112276->112281 112282 e7749d 112276->112282 112277->112196 112284 e77405 112278->112284 112285 e77425 112279->112285 112280->112196 112286 e7b5dd do_wait 5 API calls 112281->112286 112283 e7b5dd do_wait 5 API calls 112282->112283 112287 e774c3 112283->112287 112284->112196 112285->112196 112288 e77499 112286->112288 112287->112196 112288->112196 112289->112213 112290->112209 112291->112222 112292->112223 112293->112156 112294->112156 112345 6c29fb5f 112350 6c2be0bb 112345->112350 112347 6c29fb69 112348 6c2a068b 32 API calls 112347->112348 112349 6c29fb73 112348->112349 112351 6c2be0c7 __EH_prolog3 112350->112351 112354 6c2be417 112351->112354 112353 6c2be2b0 __DllMainCRTStartup@12 112353->112347 112355 6c2be438 std::bad_exception::bad_exception 112354->112355 112356 6c2be4bf 112354->112356 112358 6c2be468 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 112355->112358 112357 6c2bf667 _ValidateLocalCookies 5 API calls 112356->112357 112359 6c2be4d2 112357->112359 112365 6c2be4d4 112358->112365 112359->112353 112497 6c2bf675 112365->112497 112367 6c2be4e0 GetSysColor 112368 6c2be4f5 GetSysColor 112367->112368 112369 6c2be501 GetSysColor 112367->112369 112368->112369 112371 6c2be524 112369->112371 112372 6c2be518 GetSysColor 112369->112372 112498 6c2a3f98 112371->112498 112372->112371 112374 6c2be53a 22 API calls 112375 6c2be66d GetSysColor 112374->112375 112376 6c2be664 112374->112376 112377 6c2be67f GetSysColorBrush 112375->112377 112376->112377 112378 6c2be69b GetSysColorBrush 112377->112378 112379 6c2be8ec 112377->112379 112378->112379 112380 6c2be6ae GetSysColorBrush 112378->112380 112531 6c2b789a RaiseException Concurrency::cancel_current_task 112379->112531 112380->112379 112383 6c2be6c1 
112380->112383 112506 6c2a32ba 112383->112506 112385 6c2be6ce CreateSolidBrush 112386 6c2be6df 112385->112386 112387 6c2a32ba DeleteObject 112386->112387 112388 6c2be6ec CreateSolidBrush 112387->112388 112389 6c2be6fd 112388->112389 112390 6c2a32ba DeleteObject 112389->112390 112391 6c2be70a CreateSolidBrush 112390->112391 112392 6c2be71b 112391->112392 112393 6c2a32ba DeleteObject 112392->112393 112394 6c2be728 CreateSolidBrush 112393->112394 112395 6c2be73c 112394->112395 112396 6c2a32ba DeleteObject 112395->112396 112397 6c2be749 CreateSolidBrush 112396->112397 112398 6c2be75a 112397->112398 112399 6c2a32ba DeleteObject 112398->112399 112400 6c2be767 CreateSolidBrush 112399->112400 112401 6c2be778 112400->112401 112402 6c2a32ba DeleteObject 112401->112402 112403 6c2be785 CreateSolidBrush 112402->112403 112404 6c2be796 112403->112404 112405 6c2a32ba DeleteObject 112404->112405 112406 6c2be7a3 CreatePen 112405->112406 112407 6c2be7bc 112406->112407 112408 6c2a32ba DeleteObject 112407->112408 112409 6c2be7c9 CreatePen 112408->112409 112410 6c2be7e0 112409->112410 112411 6c2a32ba DeleteObject 112410->112411 112412 6c2be7ed CreatePen 112411->112412 112414 6c2be804 112412->112414 112413 6c2be81b 112415 6c2be888 112413->112415 112416 6c2be824 CreateSolidBrush 112413->112416 112414->112413 112417 6c2a32ba DeleteObject 112414->112417 112527 6c2bf4a2 7 API calls 2 library calls 112415->112527 112418 6c2be886 112416->112418 112417->112413 112510 6c2f2019 112418->112510 112420 6c2be892 112420->112379 112421 6c2be896 112420->112421 112423 6c2be8af CreatePatternBrush 112421->112423 112497->112367 112499 6c2a3fa4 __EH_prolog3 112498->112499 112500 6c2a3fc7 GetWindowDC 112499->112500 112532 6c2a3446 112500->112532 112503 6c2a3fdd __DllMainCRTStartup@12 112503->112374 112507 6c2a32c3 112506->112507 112508 6c2a32c0 112506->112508 112509 6c2a32c8 DeleteObject 112507->112509 112508->112385 112509->112385 112511 6c2f2022 112510->112511 112521 6c2be8d4 112510->112521 112511->112521 
112541 6c322832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection 112511->112541 112522 6c2a3fed 112521->112522 112527->112420 112533 6c2a3469 112532->112533 112534 6c2a3453 112532->112534 112533->112503 112538 6c2a2beb RaiseException Concurrency::cancel_current_task 112533->112538 112539 6c2a40ef RaiseException EnterCriticalSection LeaveCriticalSection __EH_prolog3 __DllMainCRTStartup@12 112534->112539 112536 6c2a345e 112540 6c2c0682 RaiseException 112536->112540 112539->112536 112540->112533 112559 6c2c5794 112560 6c2c579d 112559->112560 112563 6c2c57ff 112560->112563 112569 6c2c53fd EnterCriticalSection 112560->112569 112562 6c2c57c1 112562->112563 112564 6c2c57c7 112562->112564 112589 6c2b789a RaiseException Concurrency::cancel_current_task 112563->112589 112588 6c2c56f6 EnterCriticalSection TlsGetValue LeaveCriticalSection LeaveCriticalSection 112564->112588 112568 6c2c57d3 __DllMainCRTStartup@12 112571 6c2c5421 112569->112571 112573 6c2c5488 GlobalHandle 112571->112573 112574 6c2c5473 112571->112574 112579 6c2c5534 LeaveCriticalSection 112571->112579 112587 6c2c54d1 std::bad_exception::bad_exception 112571->112587 112572 6c2c5501 LeaveCriticalSection 112572->112562 112576 6c2c551c 112573->112576 112577 6c2c549b GlobalUnlock 112573->112577 112581 6c2c547b GlobalAlloc 112574->112581 112576->112579 112580 6c2c5521 GlobalHandle 112576->112580 112582 6c2b72c2 112577->112582 112590 6c2b7866 RaiseException Concurrency::cancel_current_task 112579->112590 112580->112579 112583 6c2c552d GlobalLock 112580->112583 112584 6c2c54bd 112581->112584 112585 6c2c54b1 GlobalReAlloc 112582->112585 112583->112579 112584->112576 112586 6c2c54c1 GlobalLock 112584->112586 112585->112584 112586->112579 112586->112587 112587->112572 112588->112568 112593 6c29ab10 MessageBoxA 112594 6c4000fb CreateFileW 112595 6c3f14a3 112596 6c3fc808 __dosmaperr 14 API calls 112595->112596 112597 6c3f14b5 112596->112597 112601 6c3f14c2 112597->112601 112602 6c3fb767 6 API calls 
std::_Lockit::_Lockit 112597->112602 112600 6c3f1517 112603 6c3f94b7 14 API calls __dosmaperr 112601->112603 112602->112597 112603->112600 112604 e9b6d7 112605 e9b6fa 112604->112605 112606 e9b6e7 112604->112606 112607 e9b70c 112605->112607 112618 e9b71f 112605->112618 112643 e96802 20 API calls _Atexit 112606->112643 112645 e96802 20 API calls _Atexit 112607->112645 112610 e9b6ec 112644 e96729 26 API calls __wsopen_s 112610->112644 112612 e9b711 112646 e96729 26 API calls __wsopen_s 112612->112646 112613 e9b73f 112647 e96802 20 API calls _Atexit 112613->112647 112614 e9b752 112635 eac80f 112614->112635 112615 e9b6f6 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 112618->112613 112618->112614 112620 e9b757 112648 eac044 112620->112648 112622 e9b769 112623 e9b956 112622->112623 112655 eac070 112622->112655 112624 e96756 __Getctype 11 API calls 112623->112624 112626 e9b960 112624->112626 112627 e9b77b 112627->112623 112662 eac09c 112627->112662 112629 e9b78d 112629->112623 112631 e9b796 112629->112631 112630 e9b81e 112630->112615 112670 eac860 26 API calls 3 library calls 112630->112670 112631->112630 112633 e9b7ba 112631->112633 112633->112615 112669 eac860 26 API calls 3 library calls 112633->112669 112636 eac81b BuildCatchObjectHelperInternal 112635->112636 112637 eac851 __wsopen_s 112636->112637 112671 e9c53e EnterCriticalSection 112636->112671 112637->112620 112639 eac82b 112640 eac83e 112639->112640 112672 eac72f 112639->112672 112690 eac857 LeaveCriticalSection std::_Lockit::~_Lockit 112640->112690 112643->112610 112644->112615 112645->112612 112646->112615 112647->112615 112649 eac050 112648->112649 112650 eac065 112648->112650 112795 e96802 20 API calls _Atexit 112649->112795 112650->112622 112652 eac055 112796 e96729 26 API calls __wsopen_s 112652->112796 112654 eac060 112654->112622 112656 eac07c 112655->112656 112657 eac091 112655->112657 112797 e96802 20 API calls _Atexit 112656->112797 112657->112627 112659 eac081 112798 e96729 26 API calls 
__wsopen_s 112659->112798 112661 eac08c 112661->112627 112663 eac0a8 112662->112663 112664 eac0bd 112662->112664 112799 e96802 20 API calls _Atexit 112663->112799 112664->112629 112666 eac0ad 112800 e96729 26 API calls __wsopen_s 112666->112800 112668 eac0b8 112668->112629 112669->112615 112670->112615 112671->112639 112674 eac77b _strftime 112672->112674 112673 eac782 112675 eac7f2 112673->112675 112680 eac7e9 112673->112680 112674->112673 112676 ea7a29 _strftime 21 API calls 112674->112676 112678 eac7ef 112675->112678 112752 eac5d4 112675->112752 112677 eac79a _strftime 112676->112677 112687 eac7c7 112677->112687 112688 eac7a1 112677->112688 112681 ea79ef _free 20 API calls 112678->112681 112691 eac3ff 112680->112691 112683 eac7fd 112681->112683 112684 e7b5dd do_wait 5 API calls 112683->112684 112686 eac80b 112684->112686 112685 ea79ef _free 20 API calls 112685->112673 112686->112640 112689 ea79ef _free 20 API calls 112687->112689 112688->112685 112689->112673 112690->112637 112692 eac40e _strftime 112691->112692 112693 eac09c _strftime 26 API calls 112692->112693 112694 eac424 112693->112694 112695 eac044 _strftime 26 API calls 112694->112695 112749 eac59e 112694->112749 112699 eac436 112695->112699 112696 e96756 __Getctype 11 API calls 112697 eac5d3 _strftime 112696->112697 112700 eac09c _strftime 26 API calls 112697->112700 112698 ea79ef _free 20 API calls 112701 eac486 112698->112701 112699->112698 112703 eac5a7 _strftime 112699->112703 112699->112749 112702 eac5f9 112700->112702 112707 ea7a29 _strftime 21 API calls 112701->112707 112704 eac724 112702->112704 112705 eac044 _strftime 26 API calls 112702->112705 112703->112678 112706 e96756 __Getctype 11 API calls 112704->112706 112708 eac60b 112705->112708 112713 eac72e _strftime 112706->112713 112709 eac49e 112707->112709 112708->112704 112711 eac070 _strftime 26 API calls 112708->112711 112710 ea79ef _free 20 API calls 112709->112710 112717 eac4aa 112710->112717 112712 eac61d 112711->112712 112712->112704 
112714 eac626 112712->112714 112715 eac782 112713->112715 112720 ea7a29 _strftime 21 API calls 112713->112720 112716 ea79ef _free 20 API calls 112714->112716 112719 eac7f2 112715->112719 112723 eac7e9 112715->112723 112718 eac631 GetTimeZoneInformation 112716->112718 112717->112703 112721 e9c29e ___std_exception_copy 26 API calls 112717->112721 112728 eac64d 112718->112728 112735 eac6ee _strftime 112718->112735 112722 eac5d4 _strftime 78 API calls 112719->112722 112732 eac7ef 112719->112732 112725 eac79a _strftime 112720->112725 112727 eac4d4 112721->112727 112722->112732 112729 eac3ff _strftime 78 API calls 112723->112729 112724 ea79ef _free 20 API calls 112730 eac7fd 112724->112730 112726 eac7a1 112725->112726 112738 eac7c7 112725->112738 112734 ea79ef _free 20 API calls 112726->112734 112727->112749 112788 eabe67 26 API calls 2 library calls 112727->112788 112793 e9c636 71 API calls 2 library calls 112728->112793 112729->112732 112733 e7b5dd do_wait 5 API calls 112730->112733 112732->112724 112736 eac80b 112733->112736 112734->112715 112735->112678 112736->112678 112740 ea79ef _free 20 API calls 112738->112740 112739 eac6a2 WideCharToMultiByte 112741 eac6c0 WideCharToMultiByte 112739->112741 112740->112715 112741->112735 112742 eac4ed 112742->112749 112789 ea4212 75 API calls _strftime 112742->112789 112745 eac515 112746 eac561 112745->112746 112790 ea4212 75 API calls _strftime 112745->112790 112746->112703 112792 eabe67 26 API calls 2 library calls 112746->112792 112749->112696 112749->112703 112750 eac53c 112750->112746 112791 ea4212 75 API calls _strftime 112750->112791 112753 eac5e3 _strftime 112752->112753 112754 eac09c _strftime 26 API calls 112753->112754 112755 eac5f9 112754->112755 112756 eac724 112755->112756 112757 eac044 _strftime 26 API calls 112755->112757 112758 e96756 __Getctype 11 API calls 112756->112758 112759 eac60b 112757->112759 112762 eac72e _strftime 112758->112762 112759->112756 112760 eac070 _strftime 26 API calls 112759->112760 112761 
eac61d 112760->112761 112761->112756 112763 eac626 112761->112763 112767 ea7a29 _strftime 21 API calls 112762->112767 112781 eac782 112762->112781 112764 ea79ef _free 20 API calls 112763->112764 112765 eac631 GetTimeZoneInformation 112764->112765 112775 eac64d 112765->112775 112785 eac6ee _strftime 112765->112785 112766 eac7f2 112768 eac7ef 112766->112768 112769 eac5d4 _strftime 78 API calls 112766->112769 112778 eac79a _strftime 112767->112778 112771 ea79ef _free 20 API calls 112768->112771 112769->112768 112770 eac7e9 112773 eac3ff _strftime 78 API calls 112770->112773 112774 eac7fd 112771->112774 112772 eac7a1 112777 ea79ef _free 20 API calls 112772->112777 112773->112768 112776 e7b5dd do_wait 5 API calls 112774->112776 112794 e9c636 71 API calls 2 library calls 112775->112794 112779 eac80b 112776->112779 112777->112781 112778->112772 112782 eac7c7 112778->112782 112779->112678 112781->112766 112781->112770 112784 ea79ef _free 20 API calls 112782->112784 112783 eac6a2 WideCharToMultiByte 112786 eac6c0 WideCharToMultiByte 112783->112786 112784->112781 112785->112678 112786->112785 112788->112742 112789->112745 112790->112750 112791->112746 112792->112749 112793->112739 112794->112783 112795->112652 112796->112654 112797->112659 112798->112661 112799->112666 112800->112668 112801 e3245c 112802 e32461 __ExceptionPtrCurrentException 112801->112802 112804 e42560 38 API calls 112802->112804 112840 e325d6 __ExceptionPtrCurrentException 112802->112840 112819 e32475 _strrchr 112804->112819 112805 e325fa InitializeSecurityDescriptor SetSecurityDescriptorDacl CreateEventW 112806 e42560 38 API calls 112805->112806 112808 e3264e __ExceptionPtrCurrentException 112806->112808 112807 e32811 GetModuleHandleW 113174 e61930 112807->113174 112808->112807 112810 e42560 38 API calls 112808->112810 112827 e3268d _strrchr 112810->112827 112816 e42560 38 API calls 112817 e3286e __ExceptionPtrCurrentException 112816->112817 112818 e42560 38 API calls 112817->112818 112870 e329fd 
__ExceptionPtrCurrentException 112817->112870 112850 e328a7 _strrchr 112818->112850 112821 e42020 5 API calls 112819->112821 112826 e32547 std::system_error::system_error 112821->112826 112822 e32a3b 113214 e35dd0 112822->113214 112830 e38330 114 API calls 112826->112830 112829 e42020 5 API calls 112827->112829 112828 e32a66 113231 e652d0 IsWindow 112828->113231 112841 e32765 std::system_error::system_error 112829->112841 112831 e325b8 112830->112831 113550 e420d0 26 API calls 2 library calls 112831->113550 112834 e32a9d 112835 e325c7 113551 e420d0 26 API calls 2 library calls 112835->113551 113128 e61190 IsWindow 112840->113128 113142 e385a0 112841->113142 112843 e327d6 113552 e420d0 26 API calls 2 library calls 112843->113552 112846 e327e5 113553 e420d0 26 API calls 2 library calls 112846->113553 112853 e42020 5 API calls 112850->112853 112852 e327f4 __ExceptionPtrCurrentException 112852->112807 112857 e32972 std::system_error::system_error 112853->112857 112861 e3f1d0 114 API calls 112857->112861 112863 e329df 112861->112863 113554 e420d0 26 API calls 2 library calls 112863->113554 112867 e329ee 113555 e420d0 26 API calls 2 library calls 112867->113555 113200 e416a0 112870->113200 113129 e611b5 SetWindowLongW 113128->113129 113132 e611d4 113128->113132 113130 e7b5dd do_wait 5 API calls 113129->113130 113131 e611d0 113130->113131 113131->112805 113132->113132 113133 e6121a GetModuleHandleW RegisterClassW CreateWindowExW 113132->113133 113134 e6129f SetWindowLongW 113133->113134 113135 e612a9 113133->113135 113134->113135 113136 e612d7 _MallocaArrayHolder 113135->113136 113138 e612f4 113135->113138 113137 e7b5dd do_wait 5 API calls 113136->113137 113139 e612f0 113137->113139 113140 e96739 std::_Winerror_message 26 API calls 113138->113140 113139->112805 113141 e612f9 113140->113141 113143 e385ee ListArray 113142->113143 113151 e386cb _MallocaArrayHolder 113142->113151 113592 e390a0 113143->113592 113144 e7b5dd do_wait 5 API calls 113145 e386ed 113144->113145 
113145->112843 113148 e3f140 2 API calls 113149 e38682 113148->113149 113173 e4fd00 113 API calls 113149->113173 113150 e3868d 113150->113151 113152 e387fb 113150->113152 113151->113144 113153 e96739 std::_Winerror_message 26 API calls 113152->113153 113154 e38800 113153->113154 113155 e785d4 RaiseException 113154->113155 113156 e38805 113155->113156 113157 e785d4 RaiseException 113156->113157 113158 e3880a 113157->113158 113159 e7bb4d Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 113158->113159 113160 e38855 113159->113160 113596 e4ed00 113160->113596 113163 e7a63f __Mtx_init_in_situ InitializeCriticalSectionAndSpinCount 113164 e388b8 113163->113164 113165 e4ed00 8 API calls 113164->113165 113166 e388db 113165->113166 113167 e7a63f __Mtx_init_in_situ InitializeCriticalSectionAndSpinCount 113166->113167 113168 e388e8 113167->113168 113169 e7a63f __Mtx_init_in_situ InitializeCriticalSectionAndSpinCount 113168->113169 113170 e388f3 113169->113170 113171 e7b5dd do_wait 5 API calls 113170->113171 113172 e389e8 113171->113172 113172->112843 113173->113150 113599 e61700 113174->113599 113176 e6197f 113177 e41ad0 39 API calls 113176->113177 113178 e619c3 113177->113178 113179 e61a19 113178->113179 113180 e619c9 113178->113180 113181 e417d0 2 API calls 113179->113181 113624 e61ac0 113180->113624 113182 e61a23 113181->113182 113185 e41700 RegOpenKeyExW 113186 e41767 113185->113186 113187 e41733 RegQueryValueExW RegCloseKey 113185->113187 113188 e7b5dd do_wait 5 API calls 113186->113188 113187->113186 113189 e32850 113188->113189 113190 e61bd0 113189->113190 113191 e61c07 113190->113191 113199 e32869 113190->113199 113697 e7b7ab 5 API calls __Init_thread_wait 113191->113697 113193 e61c11 113193->113199 113698 e707e0 28 API calls 3 library calls 113193->113698 113195 e61c39 113699 e7bb2a 29 API calls __onexit 113195->113699 113197 e61c4d 113700 e7b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 113197->113700 113199->112816 
113201 e416ab 113200->113201 113202 e416ba 113201->113202 113203 e416f2 113201->113203 113204 e416d3 113201->113204 113202->112822 113206 e41600 2 API calls 113203->113206 113701 e41610 20 API calls 3 library calls 113204->113701 113208 e416f7 RegOpenKeyExW 113206->113208 113207 e416ea 113207->112822 113210 e41767 113208->113210 113211 e41733 RegQueryValueExW RegCloseKey 113208->113211 113212 e7b5dd do_wait 5 API calls 113210->113212 113211->113210 113213 e41772 113212->113213 113213->112822 113215 e41ad0 39 API calls 113214->113215 113216 e35dfe 113215->113216 113217 e35e41 113216->113217 113219 e35e04 113216->113219 113218 e417d0 2 API calls 113217->113218 113220 e35e4b 113218->113220 113221 e41180 38 API calls 113219->113221 113222 e35e1f 113221->113222 113223 e32a57 113222->113223 113702 e36fe0 24 API calls 113222->113702 113225 e40f40 113223->113225 113226 e935c0 ListArray 113225->113226 113227 e40f75 GetModuleFileNameW PathRemoveFileSpecW PathAddBackslashW 113226->113227 113228 e40fc2 113227->113228 113228->113228 113229 e7b5dd do_wait 5 API calls 113228->113229 113230 e40fed 113229->113230 113230->112828 113232 e6532a SetWindowLongW 113231->113232 113233 e6533b ListArray 113231->113233 113235 e65733 _MallocaArrayHolder 113232->113235 113234 e6534e lstrcpynW PathAddBackslashW 113233->113234 113236 e6539c 113234->113236 113245 e653c0 113234->113245 113242 e7b5dd do_wait 5 API calls 113235->113242 113237 e65407 113236->113237 113239 e653b5 113236->113239 113238 e41470 51 API calls 113237->113238 113238->113245 113241 e416a0 25 API calls 113239->113241 113240 e41470 51 API calls 113244 e6544b 113240->113244 113241->113245 113243 e657ec 113242->113243 113243->112834 113245->113240 113550->112835 113551->112840 113552->112846 113553->112852 113554->112867 113555->112870 113593 e390e7 113592->113593 113594 e7b5dd do_wait 5 API calls 113593->113594 113595 e38651 113594->113595 113595->113148 113597 e7bb4d 
Concurrency::details::SchedulerProxy::GetResourceForNewSubscription 8 API calls 113596->113597 113598 e388ab 113597->113598 113598->113163 113600 e935c0 ListArray 113599->113600 113601 e6175f GetModuleFileNameW 113600->113601 113602 e617c0 113601->113602 113602->113602 113603 e617e2 GetFileVersionInfoSizeW 113602->113603 113606 e61817 ListArray 113603->113606 113612 e6188f _MallocaArrayHolder 113603->113612 113604 e618f5 _MallocaArrayHolder 113605 e7b5dd do_wait 5 API calls 113604->113605 113607 e6191c 113605->113607 113609 e61846 GetFileVersionInfoW 113606->113609 113607->113176 113608 e61923 113610 e96739 std::_Winerror_message 26 API calls 113608->113610 113611 e61871 VerQueryValueW 113609->113611 113609->113612 113613 e61928 113610->113613 113611->113612 113612->113604 113612->113608 113614 e61700 96 API calls 113613->113614 113615 e6197f 113614->113615 113616 e41ad0 39 API calls 113615->113616 113617 e619c3 113616->113617 113618 e61a19 113617->113618 113619 e619c9 113617->113619 113620 e417d0 2 API calls 113618->113620 113622 e61ac0 84 API calls 113619->113622 113621 e61a23 113620->113621 113623 e61a02 113622->113623 113623->113176 113625 e61ad4 113624->113625 113635 e61b12 113624->113635 113637 e3f110 113625->113637 113626 e417d0 2 API calls 113628 e61b38 113626->113628 113630 e417d0 2 API calls 113628->113630 113631 e61b42 113630->113631 113632 e61aff 113641 e3f0c0 113632->113641 113635->113626 113636 e3282a 113635->113636 113636->113185 113638 e3f123 113637->113638 113646 e9ae8e 113638->113646 113642 e3f0d5 113641->113642 113672 e9aeb2 113642->113672 113645 e41410 22 API calls 113645->113632 113649 e9825f 113646->113649 113650 e9829f 113649->113650 113651 e98287 113649->113651 113650->113651 113653 e982a7 113650->113653 113666 e96802 20 API calls _Atexit 113651->113666 113668 e9891c 71 API calls 3 library calls 113653->113668 113654 e9828c 113667 e96729 26 API calls __wsopen_s 113654->113667 113657 e982b7 113669 e988e7 20 API calls __dosmaperr 
113657->113669 113658 e7b5dd do_wait 5 API calls 113660 e3f131 113658->113660 113660->113628 113660->113632 113660->113645 113661 e9832f 113670 e99169 83 API calls 3 library calls 113661->113670 113664 e9833a 113671 e9899f 20 API calls _free 113664->113671 113665 e98297 113665->113658 113666->113654 113667->113665 113668->113657 113669->113661 113670->113664 113671->113665 113675 e9845c 113672->113675 113674 e3f0e3 113674->113635 113676 e9847c 113675->113676 113677 e98467 113675->113677 113679 e984c0 113676->113679 113682 e9848a 113676->113682 113691 e96802 20 API calls _Atexit 113677->113691 113695 e96802 20 API calls _Atexit 113679->113695 113681 e9846c 113692 e96729 26 API calls __wsopen_s 113681->113692 113693 e97f5e 83 API calls 4 library calls 113682->113693 113683 e984b8 113696 e96729 26 API calls __wsopen_s 113683->113696 113686 e984a2 113689 e984d0 113686->113689 113694 e96802 20 API calls _Atexit 113686->113694 113687 e98477 113687->113674 113689->113674 113691->113681 113692->113687 113693->113686 113694->113683 113695->113683 113696->113689 113697->113193 113698->113195 113699->113197 113700->113199 113701->113207 113702->113223
                              APIs
                              • _strrchr.LIBCMT ref: 00E324CE
                              • _strrchr.LIBCMT ref: 00E324E1
                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00E3261A
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00E3262A
                              • CreateEventW.KERNEL32(0000000C,00000000,00000000,{BD1397DC-D793-4948-B24A-116ED32CB105}), ref: 00E32640
                              • _strrchr.LIBCMT ref: 00E326EC
                              • _strrchr.LIBCMT ref: 00E326FF
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00E3281A
                              • _strrchr.LIBCMT ref: 00E328F9
                              • _strrchr.LIBCMT ref: 00E3290C
                              • _strrchr.LIBCMT ref: 00E32B40
                              • _strrchr.LIBCMT ref: 00E32B53
                              • _strrchr.LIBCMT ref: 00E32CFD
                              • _strrchr.LIBCMT ref: 00E32D10
                              • _strrchr.LIBCMT ref: 00E32EB6
                              • _strrchr.LIBCMT ref: 00E32EC9
                              • _strrchr.LIBCMT ref: 00E33090
                              • _strrchr.LIBCMT ref: 00E330A3
                              • _strrchr.LIBCMT ref: 00E3324E
                              • _strrchr.LIBCMT ref: 00E33261
                              • _strrchr.LIBCMT ref: 00E33412
                              • _strrchr.LIBCMT ref: 00E33425
                              • _strrchr.LIBCMT ref: 00E335DE
                              • _strrchr.LIBCMT ref: 00E335F1
                              • _strrchr.LIBCMT ref: 00E33885
                              • _strrchr.LIBCMT ref: 00E33898
                              • _strrchr.LIBCMT ref: 00E339FF
                              • _strrchr.LIBCMT ref: 00E33A12
                              • PeekMessageW.USER32(00000001,00000000,00000000,00000000,00000001), ref: 00E33AE1
                              • TranslateMessage.USER32(00000001), ref: 00E33AEF
                              • DispatchMessageW.USER32(00000001), ref: 00E33AF9
                              • WaitForSingleObject.KERNEL32(?,00000001,?,00000000,?,?,?,00000064,00000001), ref: 00E33B0B
                              • WaitForSingleObject.KERNEL32(?,00000064,?,00000000,?,?,?,00000064,00000001), ref: 00E33B1D
                              • _strrchr.LIBCMT ref: 00E33BA4
                              • _strrchr.LIBCMT ref: 00E33BBB
                              • _strrchr.LIBCMT ref: 00E33C47
                              • _strrchr.LIBCMT ref: 00E33C5A
                              • _strrchr.LIBCMT ref: 00E33E04
                              • _strrchr.LIBCMT ref: 00E33E17
                                • Part of subcall function 00E6FD30: __Cnd_broadcast.LIBCPMT ref: 00E6FD86
                                • Part of subcall function 00E6FD30: __Mtx_unlock.LIBCPMT ref: 00E6FE35
                              • _strrchr.LIBCMT ref: 00E33F4B
                              • _strrchr.LIBCMT ref: 00E33F5E
                              • _strrchr.LIBCMT ref: 00E34092
                              • _strrchr.LIBCMT ref: 00E340A5
                              • _strrchr.LIBCMT ref: 00E341F9
                              • _strrchr.LIBCMT ref: 00E3420C
                                • Part of subcall function 00E61300: IsWindow.USER32(00000001), ref: 00E61306
                                • Part of subcall function 00E61300: SetWindowLongW.USER32(00000001,000000EB,00000000), ref: 00E61317
                                • Part of subcall function 00E61300: DestroyWindow.USER32(00000001), ref: 00E61320
                              • _strrchr.LIBCMT ref: 00E34340
                              • _strrchr.LIBCMT ref: 00E34353
                              • _strrchr.LIBCMT ref: 00E34487
                              • _strrchr.LIBCMT ref: 00E3449A
                              • curl_global_cleanup.LIBCURL(?,00000000,?,?,?,00000064,00000001), ref: 00E34556
                              • MoveFileExW.KERNEL32(00000000,00000000,00000004,?,00000000,?,?,?,00000064,00000001), ref: 00E34569
                              • _strrchr.LIBCMT ref: 00E345F0
                              • _strrchr.LIBCMT ref: 00E34603
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr$MessageWindow$DescriptorObjectSecuritySingleWait$Cnd_broadcastCreateDaclDestroyDispatchEventFileHandleInitializeLongModuleMoveMtx_unlockPeekTranslatecurl_global_cleanup
                              • String ID: /%s %u$/%s true$CXZShellExecute UnInit$CXZShellExecute init$CXZUpdateModule Stop$CXZUpdateModule UnInit$CXZUpdateModule init$CreateEvent [{}]$InstallListenWnd$InstallSlience$Message Loop$PerformExecute Ok$PerformLoadUpdateInfo Ok$Run$Running m_hWndAsy:{}$SOFTWARE\XZDesktopCalendar$ServiceMgr Run$ServiceMgr Stop$ThreadPoolMgr Run$ThreadPoolMgr stop$Timer init$Timer stop$UnionId$UpdateInfo.bHasNewVersion:{}-UpdateInfo.UpdateType:{}$WaitForSingleObject Event is touch$XZDesktopCalendar$curl init res:{}$d$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$https://update-xztodolist.cqttech.com/api/v1/update/check$stoped${BD1397DC-D793-4948-B24A-116ED32CB105}$}
                              • API String ID: 3533261124-1744484503
                              • Opcode ID: 4b5f4cef8f92c929d92cec88fe93ed69bc177b2da5a872d960ee0747df1accd9
                              • Instruction ID: 7c6a171499d13218c273a954e22896cf370b322e359f0ae22fceb48ffd6a3340
                              • Opcode Fuzzy Hash: 4b5f4cef8f92c929d92cec88fe93ed69bc177b2da5a872d960ee0747df1accd9
                              • Instruction Fuzzy Hash: D113C234E043089ADF14FBB4AD1ABAD7AE19F54304F4060ECF249772C2EEB55A45CB66

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2152 e70420-e70483 CreateToolhelp32Snapshot 2153 e7055f 2152->2153 2154 e70489-e70499 Process32FirstW 2152->2154 2157 e70561-e70569 GetLastError 2153->2157 2155 e7049f 2154->2155 2156 e70558-e70559 CloseHandle 2154->2156 2158 e704a0-e704a9 call e41ad0 2155->2158 2156->2153 2159 e706b4 2157->2159 2160 e7056f-e70578 CloseHandle 2157->2160 2168 e704af-e704d1 call e41180 2158->2168 2169 e7073b-e7076a call e417d0 2158->2169 2161 e706ba-e706bf 2159->2161 2160->2161 2163 e706c1-e706c4 CloseHandle 2161->2163 2164 e706cb-e706d0 2161->2164 2163->2164 2166 e706d2-e706d5 CloseHandle 2164->2166 2167 e706dc-e706f7 2164->2167 2166->2167 2170 e70701-e70716 2167->2170 2171 e706f9-e706fc 2167->2171 2187 e704d3-e704dc 2168->2187 2188 e704ff-e70512 call ea3ffe 2168->2188 2179 e707cd-e707da call e7b5dd 2169->2179 2180 e7076c-e707c8 call e935c0 GetModuleFileNameW PathRemoveFileSpecW call ea4173 LoadLibraryW 2169->2180 2173 e70720-e7073a call e7b5dd 2170->2173 2174 e70718-e7071b 2170->2174 2171->2170 2174->2173 2180->2179 2189 e704e0-e704e9 2187->2189 2196 e70514-e7051d 2188->2196 2197 e7051f-e70531 2188->2197 2189->2189 2192 e704eb-e704fa call e41470 2189->2192 2192->2188 2196->2197 2198 e7057d-e705ad OpenProcess CloseHandle 2196->2198 2199 e70533-e70536 2197->2199 2200 e7053b-e7054f Process32NextW 2197->2200 2201 e705b7-e705bd 2198->2201 2202 e705af-e705b2 2198->2202 2199->2200 2200->2158 2203 e70555 2200->2203 2201->2157 2204 e705bf-e705c2 2201->2204 2202->2201 2203->2156 2204->2157 2205 e705c4-e705d3 OpenProcessToken 2204->2205 2205->2157 2206 e705d5-e70600 DuplicateTokenEx 2205->2206 2206->2157 2207 e70606-e7060b 2206->2207 2207->2157 2208 e70611-e70664 2207->2208 2209 e70677-e70697 CreateProcessWithTokenW 2208->2209 2210 e70666-e70674 call e41310 2208->2210 2209->2157 2212 e7069d-e706af CloseHandle * 2 2209->2212 2210->2209 2212->2157
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,C1427766), ref: 00E70470
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E70491
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00E70547
                              • CloseHandle.KERNEL32(00000000), ref: 00E70559
                              • GetLastError.KERNEL32 ref: 00E70561
                              • CloseHandle.KERNEL32(00000000), ref: 00E70576
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00E70585
                              • CloseHandle.KERNEL32(?), ref: 00E70593
                              • OpenProcessToken.ADVAPI32(00000000,0000000B,00000000), ref: 00E705CB
                              • DuplicateTokenEx.ADVAPI32(00000000,02000000,?,00000001,00000001,00000000), ref: 00E705F8
                              • CreateProcessWithTokenW.ADVAPI32(00000000,00000001,?,?,04000630,00000000,00000000,00000044,?), ref: 00E7068F
                              • CloseHandle.KERNEL32(?), ref: 00E706A0
                              • CloseHandle.KERNEL32(?), ref: 00E706A9
                                • Part of subcall function 00E41AD0: GetProcessHeap.KERNEL32 ref: 00E41B11
                              • CloseHandle.KERNEL32(00000000), ref: 00E706C2
                              • CloseHandle.KERNEL32(00000000), ref: 00E706D3
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E7078F
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 00E7079C
                              • LoadLibraryW.KERNEL32(?), ref: 00E707C2
                                • Part of subcall function 00E41180: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00E310A4,{B33F2493-A9D4-4D1D-B32A-4CD0BDC5B344},?,00EBBE3E,000000FF), ref: 00E411BA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseHandle$Process$Token$CreateFileOpenProcess32$DuplicateErrorFindFirstHeapLastLibraryLoadModuleNameNextPathRemoveResourceSnapshotSpecToolhelp32With
                              • String ID: D$\CrashCatch.dll$explorer.exe
                              • API String ID: 1976851797-2239689160
                              • Opcode ID: ffd16a84b30bf3b8b29efd3f72f3dbc893dac0797f43c83dd614687687c4e1eb
                              • Instruction ID: ea3d12e37d0115b2fa1422c8e7cda45a5646fa849d8ffc7dd46e8b25ba89acc3
                              • Opcode Fuzzy Hash: ffd16a84b30bf3b8b29efd3f72f3dbc893dac0797f43c83dd614687687c4e1eb
                              • Instruction Fuzzy Hash: 85B1AD71A00209EFDB20DFA4CC48BAEB7B8EF45714F149269E819F7291EB709A44CF50
                              APIs
                                • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00E407A8
                                • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00E407BE
                                • Part of subcall function 00E40760: GetTempPathW.KERNEL32(00000104,?), ref: 00E407D4
                                • Part of subcall function 00E40760: PathAppendW.SHLWAPI(?), ref: 00E407F0
                                • Part of subcall function 00E40760: PathAddBackslashW.SHLWAPI(?), ref: 00E407FD
                                • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E40810
                                • Part of subcall function 00E40760: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E40820
                                • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E4082D
                              • _strrchr.LIBCMT ref: 00E34C19
                              • _strrchr.LIBCMT ref: 00E34C2C
                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00E34F9D
                              • PathFileExistsW.SHLWAPI(00000003,Name_UpdateForceID_Key,00ECDB92,?,?,00000000,0000FDE9,Name_UpdateForceFile_Key,00ECDB78,?,?,00000000,0000FDE9,Name_UpdateForceLog_Key,00ECDB5F,?), ref: 00E35257
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E353D9
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E354D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Path$ExistsFile$FolderIos_base_dtorSpecial_strrchrstd::ios_base::_$AppendBackslashCreateDirectoryHandleModuleTemp
                              • String ID: Cqttech\XZDesktopCalendar$Name_UpdateForceFile_Key$Name_UpdateForceFromVersion_Key$Name_UpdateForceID_Key$Name_UpdateForceLog_Key$Name_UpdateForceNewVersion_Key$Parse Config fail$PerformLoadUpdateInfo$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$update.cfg
                              • API String ID: 4104599493-1853103233
                              • Opcode ID: 3016a19996c30d2a8caab458d77b86709ef9cc028984b348d95b1f01b7f44aa8
                              • Instruction ID: 6c31c1b571581e17ce1141a7f4651a34a7de61e6315c8d62b14469c4f69e4437
                              • Opcode Fuzzy Hash: 3016a19996c30d2a8caab458d77b86709ef9cc028984b348d95b1f01b7f44aa8
                              • Instruction Fuzzy Hash: F492AE71A002489FDB14CF68CD49BEDBBB1AF45304F1491E8E409BB392EB75AA85CF51
                              APIs
                                • Part of subcall function 00E75630: SetupDiGetClassDevsW.SETUPAPI(00ECF610,00000000,00000000,00000002), ref: 00E756A7
                                • Part of subcall function 00E75630: SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00E756D7
                                • Part of subcall function 00E75630: SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00E7570B
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000024,?,?,?,?,?,C1427766), ref: 00E68B61
                              • curl_slist_append.LIBCURL(00000000,-00000010,?,?,?,?,?,C1427766), ref: 00E68C84
                              • curl_slist_append.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,?,?,C1427766), ref: 00E68CE2
                              • curl_slist_append.LIBCURL(?,?), ref: 00E68D31
                                • Part of subcall function 00E417D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00E417E6
                              • __Mtx_unlock.LIBCPMT ref: 00E68E29
                              • __Mtx_unlock.LIBCPMT ref: 00E68E8A
                              • __Mtx_unlock.LIBCPMT ref: 00E69178
                              • __Mtx_unlock.LIBCPMT ref: 00E68FF1
                                • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E69868
                              • GetWindowLongW.USER32(?,000000EB), ref: 00E69908
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Setupcurl_slist_append$Device$ByteCharClassCpp_errorDevsEnumException@8InfoInstanceIos_base_dtorLongMultiThrowThrow_WideWindowstd::_std::ios_base::_
                              • String ID: $$%c%c$X$appid: %d$id: %s
                              • API String ID: 2834369693-1652127108
                              • Opcode ID: d92418d0a0042e36f562899e5df5132cb13fdf4aa222c5082b07791ad2b8b7f4
                              • Instruction ID: 2e58157f288fd9819e39589d500db1500dcb04c8aeb9b66cfa94d21539602d0d
                              • Opcode Fuzzy Hash: d92418d0a0042e36f562899e5df5132cb13fdf4aa222c5082b07791ad2b8b7f4
                              • Instruction Fuzzy Hash: 34A2AF71D00219DFDB14DFA8DD89BAEBBB4EF45304F1481A9E409B7292DB319A84CF91

                              Control-flow Graph

                              APIs
                              • GetLocalTime.KERNEL32(?,C1427766,?,00000001), ref: 00E4BEB7
                              • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4BFAF
                              • FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4BFE0
                              • DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 00E4C205
                              • FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4C258
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00E4C314
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00E4C3A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$Find$Mtx_destroy_in_situNext$DeleteFirstLocalTime
                              • String ID: %s\%s$%s_%d-%02d-%02d.log$L$\*.*
                              • API String ID: 1207274154-3549012632
                              • Opcode ID: 05f7a609148b038957f8a9dd070f64ffc91908cbf349d8eb742bd4ac78991b1e
                              • Instruction ID: 2795f2c31cde676c3d81998f44a348fe1b71f76cdd726664308c267bd0ab058a
                              • Opcode Fuzzy Hash: 05f7a609148b038957f8a9dd070f64ffc91908cbf349d8eb742bd4ac78991b1e
                              • Instruction Fuzzy Hash: 8FE12671A002189BDB24DF64DC85BEEB7A9EF04304F1451E9E90AB7292D771AB88CF54

                              Control-flow Graph

                              APIs
                              • _free.LIBCMT ref: 00EAC481
                              • _free.LIBCMT ref: 00EAC4A5
                              • _free.LIBCMT ref: 00EAC62C
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                              • _free.LIBCMT ref: 00EAC7F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 314583886-239921721
                              • Opcode ID: c835f1c2863108a0da4c06ac36e9bec848d2c73d1f650dd0cca6e7781cf37113
                              • Instruction ID: 6cee93c19260b067986e43a35eb8433f076c6cc6033b6609a2e683fab353527a
                              • Opcode Fuzzy Hash: c835f1c2863108a0da4c06ac36e9bec848d2c73d1f650dd0cca6e7781cf37113
                              • Instruction Fuzzy Hash: 8DC11672D002459FCB209F799C81AAA7BE8AF4B354F3461AAF495BF291D730BD41CB50
                              APIs
                              • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,#{ad498944-762f-11d0-8dcb-00c04fc3358c},?,?,00000000,00000000), ref: 00E76617
                              • DeviceIoControl.KERNEL32(00000000,00170002,?,00000004,?,00000008,?,00000000), ref: 00E76660
                              • DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,?,00000008,00000000,00000000), ref: 00E766BB
                              • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00E76706
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ControlDevice$CloseCreateFileHandle
                              • String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$\W$\\.\
                              • API String ID: 1375849437-1674818372
                              • Opcode ID: 7ef8651e79c14ba60fa80b92382cfe79fc22e391d27b385e604f9e727008e4e3
                              • Instruction ID: 45b5fb8ad0933f9dd083fc44a447e9496602508e32e89c3bd8c4be5c192c49e7
                              • Opcode Fuzzy Hash: 7ef8651e79c14ba60fa80b92382cfe79fc22e391d27b385e604f9e727008e4e3
                              • Instruction Fuzzy Hash: 8E51EB75A4021CAFDB24DB14CC86BEA73B8EF54708F4051AAE909F7190EB749E498BD4
                              APIs
                              • CryptAcquireContextW.ADVAPI32 ref: 6C28028A
                              • CryptCreateHash.ADVAPI32 ref: 6C280328
                                • Part of subcall function 6C3E2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C276633,?,?,?,6C2764E8,?), ref: 6C3E2362
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$AcquireContextCreateExceptionHashRaise
                              • String ID:
                              • API String ID: 333276693-0
                              • Opcode ID: 854e11fab70a93fae5f8b745759eaf77a06761212585fc394db4944c816c5c81
                              • Instruction ID: 4e948b9906746d3107e67e2de301ed8bd6956c3bbb74cfa687d9291eef6b0ed6
                              • Opcode Fuzzy Hash: 854e11fab70a93fae5f8b745759eaf77a06761212585fc394db4944c816c5c81
                              • Instruction Fuzzy Hash: 6E321FB49013588FDB14EF68D945BDDBBB0BF49314F0185A9D809A7790D770AE88CF92
                              APIs
                                • Part of subcall function 6C27FF50: CryptStringToBinaryA.CRYPT32 ref: 6C27FFD0
                                • Part of subcall function 6C27FF50: CryptStringToBinaryA.CRYPT32 ref: 6C280077
                              • CryptAcquireContextW.ADVAPI32 ref: 6C281589
                              • CryptImportKey.ADVAPI32 ref: 6C281657
                              • CryptSetKeyParam.ADVAPI32 ref: 6C2816E2
                              • CryptSetKeyParam.ADVAPI32 ref: 6C281789
                                • Part of subcall function 6C3E2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C276633,?,?,?,6C2764E8,?), ref: 6C3E2362
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$BinaryParamString$AcquireContextExceptionImportRaise
                              • String ID:
                              • API String ID: 2873263705-0
                              • Opcode ID: a75fdf07526db1bc4e319cfcdaadd152096fe897d5caedcbce7f5f62552d100e
                              • Instruction ID: 3eddda6b7a5e3a24e82d7a55e71d05e0f4b0035e0bcc17fc18126276b2d1acd9
                              • Opcode Fuzzy Hash: a75fdf07526db1bc4e319cfcdaadd152096fe897d5caedcbce7f5f62552d100e
                              • Instruction Fuzzy Hash: 0112F9B09052188FDB14EF68D955BDDBBF0BF49304F0085A9D849A7790DB74AA8CCF92

                              Control-flow Graph

                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2BE8FC
                                • Part of subcall function 6C2A3F98: __EH_prolog3.LIBCMT ref: 6C2A3F9F
                                • Part of subcall function 6C2A3F98: GetWindowDC.USER32(00000000,00000004,6C2BE53A,00000000), ref: 6C2A3FCB
                              • GetDeviceCaps.GDI32(?,00000058), ref: 6C2BE91C
                              • DeleteObject.GDI32(00000000), ref: 6C2BE978
                              • DeleteObject.GDI32(00000000), ref: 6C2BE996
                              • DeleteObject.GDI32(00000000), ref: 6C2BE9B4
                              • DeleteObject.GDI32(00000000), ref: 6C2BE9D2
                              • DeleteObject.GDI32(00000000), ref: 6C2BE9F0
                              • DeleteObject.GDI32(00000000), ref: 6C2BEA0E
                              • DeleteObject.GDI32(00000000), ref: 6C2BEA2C
                              • DeleteObject.GDI32(00000000), ref: 6C2BEA4A
                              • DeleteObject.GDI32(00000000), ref: 6C2BEA68
                              • DeleteObject.GDI32(00000000), ref: 6C2BEA86
                              • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C2BEABE
                              • lstrcpyW.KERNEL32(?,?), ref: 6C2BEB13
                              • EnumFontFamiliesW.GDI32(?,00000000,6C2BF59F,Segoe UI), ref: 6C2BEB3A
                              • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C2BEB4D
                              • EnumFontFamiliesW.GDI32(?,00000000,6C2BF59F,Tahoma), ref: 6C2BEB6B
                              • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C2BEB85
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEB8F
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEBD7
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEC16
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEC42
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEC63
                              • GetSystemMetrics.USER32(00000048), ref: 6C2BEC82
                              • lstrcpyW.KERNEL32(?,Marlett), ref: 6C2BEC95
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BEC9F
                              • GetStockObject.GDI32(00000011), ref: 6C2BECCB
                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C2BECE6
                              • lstrcpyW.KERNEL32(?,Arial), ref: 6C2BED27
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BED31
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BED4A
                              • GetObjectW.GDI32(?,0000005C,?), ref: 6C2BED68
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BED76
                              • CreateFontIndirectW.GDI32(?), ref: 6C2BED97
                                • Part of subcall function 6C2BF3E4: __EH_prolog3_GS.LIBCMT ref: 6C2BF3EB
                                • Part of subcall function 6C2BF3E4: GetTextMetricsW.GDI32(?,?), ref: 6C2BF420
                                • Part of subcall function 6C2BF3E4: GetTextMetricsW.GDI32(?,?), ref: 6C2BF460
                              Strings
                              Memory Dump Source
                               • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                              • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma$Al
                              • API String ID: 2837096512-3394685091
                              • Opcode ID: 3d1c0b2179165f2dccaf717dedfe7cb27f6032e7fa248aab4c6353077db6745f
                              • Instruction ID: b00a4dc0ce7053c56eb44f44bc585d72b1fc587dfd64d85579930b3a698da81f
                              • Opcode Fuzzy Hash: 3d1c0b2179165f2dccaf717dedfe7cb27f6032e7fa248aab4c6353077db6745f
                              • Instruction Fuzzy Hash: 83E17C71A0074D9FDF11EBB0C848BDEB7B8BF0A349F108599A85AB7680EB749549CF50

                               Control-flow Graph (rendered figure with Executed / Not Executed node colouring; the node list is not reproduced here): function at 6c2be4d4, whose blocks call GetSysColor, GetDeviceCaps, GetSysColorBrush, CreateSolidBrush, CreatePen and CreatePatternBrush, with subcalls at 6c2a32ba, 6c2a3264, 6c2bf4a2, 6c29d720 and 6c2b789a.
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2BE4DB
                              • GetSysColor.USER32(00000016), ref: 6C2BE4E4
                              • GetSysColor.USER32(0000000F), ref: 6C2BE4F7
                              • GetSysColor.USER32(00000015), ref: 6C2BE50E
                              • GetSysColor.USER32(0000000F), ref: 6C2BE51A
                              • GetDeviceCaps.GDI32(?,0000000C), ref: 6C2BE542
                              • GetSysColor.USER32(0000000F), ref: 6C2BE550
                              • GetSysColor.USER32(00000010), ref: 6C2BE55E
                              • GetSysColor.USER32(00000015), ref: 6C2BE56C
                              • GetSysColor.USER32(00000016), ref: 6C2BE57A
                              • GetSysColor.USER32(00000014), ref: 6C2BE588
                              • GetSysColor.USER32(00000012), ref: 6C2BE596
                              • GetSysColor.USER32(00000011), ref: 6C2BE5A4
                              • GetSysColor.USER32(00000006), ref: 6C2BE5AF
                              • GetSysColor.USER32(0000000D), ref: 6C2BE5BA
                              • GetSysColor.USER32(0000000E), ref: 6C2BE5C5
                              • GetSysColor.USER32(00000005), ref: 6C2BE5D0
                              • GetSysColor.USER32(00000008), ref: 6C2BE5DE
                              • GetSysColor.USER32(00000009), ref: 6C2BE5E9
                              • GetSysColor.USER32(00000007), ref: 6C2BE5F4
                              • GetSysColor.USER32(00000002), ref: 6C2BE5FF
                              • GetSysColor.USER32(00000003), ref: 6C2BE60A
                              • GetSysColor.USER32(0000001B), ref: 6C2BE618
                              • GetSysColor.USER32(0000001C), ref: 6C2BE626
                              • GetSysColor.USER32(0000000A), ref: 6C2BE634
                              • GetSysColor.USER32(0000000B), ref: 6C2BE642
                              • GetSysColor.USER32(00000013), ref: 6C2BE650
                              • GetSysColor.USER32(0000001A), ref: 6C2BE679
                              • GetSysColorBrush.USER32(00000010), ref: 6C2BE68A
                              • GetSysColorBrush.USER32(00000014), ref: 6C2BE69D
                              • GetSysColorBrush.USER32(00000005), ref: 6C2BE6B0
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE6D1
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE6EF
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE70D
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE72E
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE74C
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE76A
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE788
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C2BE7AE
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C2BE7D2
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C2BE7F6
                              • CreateSolidBrush.GDI32(?), ref: 6C2BE874
                              • CreatePatternBrush.GDI32(00000000), ref: 6C2BE8B2
                                • Part of subcall function 6C2A32BA: DeleteObject.GDI32(00000000), ref: 6C2A32C9
                              Memory Dump Source
                               • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                              • String ID:
                              • API String ID: 3754413814-0
                              • Opcode ID: eaa9bd603b2ba6dfde63024121bd03957b8f086c984bd1c6d7da4f98658616f7
                              • Instruction ID: 6d1499df268bf4c6c2516744f13345bd9c6d4cb0b0fa8201c306095921d695ee
                              • Opcode Fuzzy Hash: eaa9bd603b2ba6dfde63024121bd03957b8f086c984bd1c6d7da4f98658616f7
                              • Instruction Fuzzy Hash: 58C16D71B00A16EFDB06AFB4880879DBAB0BF0E745F400119EA55D7A80DB75E919DBD0
                              APIs
                              • _strrchr.LIBCMT ref: 00E72FBA
                              • _strrchr.LIBCMT ref: 00E72FCD
                              • curl_easy_cleanup.LIBCURL(00000000,C1427766,00000000,?), ref: 00E732C4
                              • _strrchr.LIBCMT ref: 00E73405
                              • _strrchr.LIBCMT ref: 00E73418
                              • _strrchr.LIBCMT ref: 00E738AE
                              • _strrchr.LIBCMT ref: 00E738C1
                              • curl_easy_cleanup.LIBCURL(?), ref: 00E73B90
                              • curl_easy_init.LIBCURL(C1427766,00000000,?), ref: 00E73D1A
                              • curl_easy_init.LIBCURL(C1427766,00000000,?), ref: 00E73350
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000029,00000001,00000000,?), ref: 00E74A0E
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000040,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A1E
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000051,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A25
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D5,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A32
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D6,00000078,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A3C
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D7,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A46
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000063,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A4D
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000000D,00000708,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A57
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000004E,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A5E
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00E74A6E
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000002B,00000000), ref: 00E74A75
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000034,00000001), ref: 00E74A7C
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00002749), ref: 00E74A85
                                • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00004E58,00E75270), ref: 00E74A92
                              • curl_easy_setopt.LIBCURL(?,00002712,00000000,?,00000000,?,?), ref: 00E737B8
                              • curl_easy_setopt.LIBCURL(?,00004E2B,00E74E10), ref: 00E737C9
                              • curl_easy_setopt.LIBCURL(?,00002711), ref: 00E737D6
                              • curl_easy_setopt.LIBCURL(?,00002727,?), ref: 00E737EA
                              • curl_easy_perform.LIBCURL ref: 00E737F1
                              • _strrchr.LIBCMT ref: 00E73DD2
                              • _strrchr.LIBCMT ref: 00E73DE5
                              • curl_easy_setopt.LIBCURL(?,00002712,00000000,00000000,?,?), ref: 00E74172
                              • curl_easy_setopt.LIBCURL(?,00004E2B,00E74E10,?,00002712,00000000,00000000,?,?), ref: 00E74180
                              • curl_easy_setopt.LIBCURL(?,00002711,?,?,00004E2B,00E74E10,?,00002712,00000000,00000000,?,?), ref: 00E7418A
                              • curl_easy_setopt.LIBCURL(?,00002727,?), ref: 00E7419E
                              • curl_easy_perform.LIBCURL ref: 00E741A5
                              • _strrchr.LIBCMT ref: 00E7425E
                              • _strrchr.LIBCMT ref: 00E74271
                              • curl_easy_cleanup.LIBCURL(?), ref: 00E74537
                              • _strrchr.LIBCMT ref: 00E7467E
                              • _strrchr.LIBCMT ref: 00E74691
                              Strings
                              Memory Dump Source
                               • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: curl_easy_setopt$_strrchr$curl_easy_cleanup$curl_easy_initcurl_easy_perform
                              • String ID: DownLoadFinish:{}, Size:{}$Download$Get$UnInit$curl init failed$curl_easy_perform failed,{}$g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp
                              • API String ID: 533436632-4114691947
                              • Opcode ID: bc6d9e4629956b92a2acfeefbd2b06331718e23228741f8f0ce702871da11d8b
                              • Instruction ID: b29f5b03d83bdb2ed2dde393ae425bd982de0f192a726d5d270ee271ec8e7bbc
                              • Opcode Fuzzy Hash: bc6d9e4629956b92a2acfeefbd2b06331718e23228741f8f0ce702871da11d8b
                              • Instruction Fuzzy Hash: DF13F070A002459FDB14DFA8C849B9EBBF2FF84304F14916CE519BB392E771AA45CB91
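The curl_easy_setopt lines above record option numbers, not names. Added example (not code from the report or from the sample): a decoder for those listing lines. The option numbers are libcurl's CURLoption values from curl/curl.h (a type-class base of 0, 10000 or 20000 plus an ordinal); the name table covers only the options that occur in this listing. Decoding shows CURLOPT_SSL_VERIFYPEER (0x40) and CURLOPT_SSL_VERIFYHOST (0x51) both set to 0 on the subcall at 00E749F0, so certificate and hostname checks are switched off for the download, next to a 1800 s CURLOPT_TIMEOUT, a 60 s CURLOPT_CONNECTTIMEOUT, CURLOPT_FOLLOWLOCATION=1 and a hard-coded Chrome 58 user agent. The sample lines are copied from the listing; the line format they assume is the one the sandbox prints here.

```python
import re

# CURLoption values are a type-class base plus an ordinal (curl/curl.h):
# LONG = 0, OBJECTPOINT/STRINGPOINT/SLISTPOINT/CBPOINT = 10000, FUNCTIONPOINT = 20000.
CURLOPTTYPE_OBJECTPOINT = 10000
CURLOPTTYPE_FUNCTIONPOINT = 20000

# Names for the option numbers that appear in this listing (from curl/curl.h).
CURLOPT_NAMES = {
    13: "CURLOPT_TIMEOUT",
    41: "CURLOPT_VERBOSE",
    43: "CURLOPT_NOPROGRESS",
    52: "CURLOPT_FOLLOWLOCATION",
    64: "CURLOPT_SSL_VERIFYPEER",
    78: "CURLOPT_CONNECTTIMEOUT",
    81: "CURLOPT_SSL_VERIFYHOST",
    99: "CURLOPT_NOSIGNAL",
    213: "CURLOPT_TCP_KEEPALIVE",
    214: "CURLOPT_TCP_KEEPIDLE",
    215: "CURLOPT_TCP_KEEPINTVL",
    10001: "CURLOPT_WRITEDATA",
    10002: "CURLOPT_URL",
    10018: "CURLOPT_USERAGENT",
    10023: "CURLOPT_HTTPHEADER",
    10057: "CURLOPT_PROGRESSDATA",
    20011: "CURLOPT_WRITEFUNCTION",
    20056: "CURLOPT_PROGRESSFUNCTION",
}

# Matches the sandbox's "curl_easy_setopt.LIBCURL(handle,option,args...)" lines.
SETOPT_RE = re.compile(r"curl_easy_setopt\.LIBCURL\(([0-9A-Fa-f]{8}),([0-9A-Fa-f]{8})(?:,(.*))?\)")

def decode_setopt_line(line):
    """Return (handle, option name, value) for one listing line, or None if it is not a setopt."""
    m = SETOPT_RE.search(line)
    if not m:
        return None
    handle, opt_hex, rest = m.groups()
    opt = int(opt_hex, 16)
    name = CURLOPT_NAMES.get(opt, "CURLOPT_%d" % opt)
    if opt < CURLOPTTYPE_OBJECTPOINT:
        # LONG-typed option: the third argument is the integer value.
        first = (rest or "").split(",", 1)[0]
        try:
            value = int(first, 16)
        except ValueError:
            value = None          # the sandbox printed '?' (value not recovered)
    else:
        value = rest              # pointer, string or callback exactly as the sandbox printed it
    return handle, name, value

def decode_listing(lines):
    return [d for d in map(decode_setopt_line, lines) if d is not None]

def tls_verification_disabled(decoded):
    """True if peer or hostname verification was switched off on the handle."""
    settings = {name: value for _, name, value in decoded}
    return settings.get("CURLOPT_SSL_VERIFYPEER") == 0 or settings.get("CURLOPT_SSL_VERIFYHOST") == 0

# The setopt lines recorded for subcall 00E749F0 in the listing above.
LISTING_LINES = [
    r"curl_easy_setopt.LIBCURL(00ECE204,00000029,00000001,00000000,?), ref: 00E74A0E",
    r"curl_easy_setopt.LIBCURL(00ECE204,00000040,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A1E",
    r"curl_easy_setopt.LIBCURL(00ECE204,00000051,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A25",
    r"curl_easy_setopt.LIBCURL(00ECE204,000000D5,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A32",
    r"curl_easy_setopt.LIBCURL(00ECE204,0000000D,00000708,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A57",
    r"curl_easy_setopt.LIBCURL(00ECE204,0000004E,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A5E",
    r"curl_easy_setopt.LIBCURL(00ECE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00E74A6E",
    r"curl_easy_setopt.LIBCURL(00ECE204,00000034,00000001), ref: 00E74A7C",
    r"curl_easy_setopt.LIBCURL(00ECE204,00004E58,00E75270), ref: 00E74A92",
]

if __name__ == "__main__":
    decoded = decode_listing(LISTING_LINES)
    for handle, name, value in decoded:
        print(handle, name, value)
    print("TLS verification disabled:", tls_verification_disabled(decoded))
```

Paste the remaining setopt lines of the listing into LISTING_LINES to decode the per-request options too (0x2712 is CURLOPT_URL, 0x4E2B CURLOPT_WRITEFUNCTION, 0x2711 CURLOPT_WRITEDATA, 0x2727 CURLOPT_HTTPHEADER); the sandbox prints '?' where it could not recover a value, which the decoder reports as None rather than guessing.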

                               Control-flow Graph (rendered figure with Executed / Not Executed node colouring; the node list is not reproduced here): function at e77700, whose blocks call GetProcAddress, GetCurrentProcess, LoadLibraryA and GetSystemFirmwareTable (twice, in the blocks at e77948 and e7795b), with subcalls at e77280, e77ee0, e77d60, e7b5dd, e7bb8b, e7bb94 and e75590.
                              APIs
                                • Part of subcall function 00E77280: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?), ref: 00E772B7
                                • Part of subcall function 00E77280: GetProcAddress.KERNEL32(00000000), ref: 00E772BE
                                • Part of subcall function 00E77280: GetCurrentProcess.KERNEL32(00E7771E), ref: 00E772CE
                                • Part of subcall function 00E77280: LoadLibraryW.KERNEL32(ntdll.dll,?), ref: 00E77304
                                • Part of subcall function 00E77280: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00E7731A
                                • Part of subcall function 00E77280: FreeLibrary.KERNEL32(00000000), ref: 00E77338
                              • GetProcAddress.KERNEL32(00000000), ref: 00E77740
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E76B13,00000003), ref: 00E7774D
                              • LoadLibraryA.KERNEL32(?,?,ntdll.dll), ref: 00E777D2
                              • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00E777E8
                              • GetProcAddress.KERNEL32(00000000,ZwMapViewOfSection), ref: 00E777F4
                              • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00E77800
                              • GetProcAddress.KERNEL32(00000000,ZwClose), ref: 00E7780C
                              • GetProcAddress.KERNEL32(00000000), ref: 00E778E9
                              • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00E77953
                              • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00E7796F
                              Strings
                              Memory Dump Source
                               • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressProc$Library$CurrentFirmwareLoadProcessSystemTable$FreeHandleModule
                              • String ID: ,$@$GetSystemFirmwareTable$IsWow64Process$ZwClose$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$kernel32$kernel32.dll$ntdll.dll
                              • API String ID: 461479394-3246421382
                              • Opcode ID: 210324b9f40cc9b23c4eecdd3cc1db714426351e1a506c115c9466eb56e52384
                              • Instruction ID: 33e1eab93cd86911cda364c821580e143181663b84b61573c6278eb1f6e7b09c
                              • Opcode Fuzzy Hash: 210324b9f40cc9b23c4eecdd3cc1db714426351e1a506c115c9466eb56e52384
                              • Instruction Fuzzy Hash: 36819E71608341AFD710DFA4CC45B5BBBE8EF84304F00992EFA99A7291DB71D909CB92
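The two GetSystemFirmwareTable calls above pass the provider signature 0x52534D42 ('RSMB'), which returns the raw SMBIOS table; that is the call the "Query firmware table information (likely to detect VMs)" signature keys on, because the BIOS and System Information strings in that table name the hypervisor on most virtual machines. Added example, not code from the report or from the sample: a parser for the RawSMBIOSData blob that GetSystemFirmwareTable returns, plus a check of the type 0/1/2 strings against hypervisor vendor names. The Windows read path (read_rsmb_windows) uses the usual size-query-then-fill pair of calls; that pairing is an assumption about how such code is typically written and is not verified against the sample. The table bytes are constructed here, so the parser and check run offline on any platform.

```python
import struct
import sys

RSMB = 0x52534D42  # 'RSMB': the FirmwareTableProviderSignature recorded at 00E77953 / 00E7796F

def read_rsmb_windows():
    """Windows only: size query, then fill (assumed call pattern, not verified against the sample)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw

def parse_raw_smbios(buf):
    """Parse a RawSMBIOSData blob: 8-byte header, then SMBIOS structures up to type 127."""
    _used20, major, minor, _dmirev, length = struct.unpack_from("<BBBBI", buf, 0)
    table = buf[8:8 + length]
    structs, off = [], 0
    while off + 4 <= len(table):
        stype, slen, _handle = struct.unpack_from("<BBH", table, off)
        if slen < 4:
            break                                   # malformed header, stop
        formatted = table[off:off + slen]
        p, strings = off + slen, []
        while p < len(table):                       # string set: NUL-terminated, ends with a double NUL
            end = table.find(b"\0", p)
            if end == -1:
                end = len(table)                    # unterminated string at end of table
            s = table[p:end]
            p = end + 1
            if not s:
                if not strings:
                    p += 1                          # an empty string set is encoded as two NULs
                break
            strings.append(s.decode("ascii", "replace"))
        structs.append((stype, formatted, strings))
        if stype == 127:
            break                                   # end-of-table marker
        off = p
    return (major, minor), structs

def string_field(formatted, strings, offset):
    """Resolve a 1-based string index stored at 'offset' in the formatted area."""
    idx = formatted[offset] if offset < len(formatted) else 0
    return strings[idx - 1] if 1 <= idx <= len(strings) else ""

VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "virtual machine",
              "kvm", "xen", "parallels", "hyper-v")

def vm_indicators(buf):
    """Return (field, value) pairs from types 0/1/2 whose strings name a hypervisor vendor."""
    _, structs = parse_raw_smbios(buf)
    hits = []
    for stype, fmt, strs in structs:
        if stype == 0:    # BIOS Information: vendor at +4, version at +5
            fields = [("bios_vendor", 4), ("bios_version", 5)]
        elif stype == 1:  # System Information: manufacturer at +4, product name at +5
            fields = [("system_manufacturer", 4), ("system_product", 5)]
        elif stype == 2:  # Baseboard Information: manufacturer at +4, product at +5
            fields = [("board_manufacturer", 4), ("board_product", 5)]
        else:
            continue
        for key, offset in fields:
            value = string_field(fmt, strs, offset)
            if any(marker in value.lower() for marker in VM_MARKERS):
                hits.append((key, value))
    return hits

def _smbios_struct(stype, handle, formatted_tail, strings):
    body = struct.pack("<BBH", stype, 4 + len(formatted_tail), handle) + formatted_tail
    strset = b"".join(s.encode() + b"\0" for s in strings) + b"\0" if strings else b"\0\0"
    return body + strset

# Constructed test blob (not captured from the sample): a VMware-style table with types 0, 1 and 127.
_table = (
    _smbios_struct(0, 0x0000, b"\x01\x02" + struct.pack("<H", 0xE000) + b"\x03\x00" + bytes(8),
                   ["Phoenix Technologies LTD", "6.00", "11/12/2020"])
    + _smbios_struct(1, 0x0001, b"\x01\x02\x03\x04",
                     ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-56 4d 00 00"])
    + _smbios_struct(127, 0x0002, b"", [])
)
CONSTRUCTED_RSMB = struct.pack("<BBBBI", 0, 2, 7, 0, len(_table)) + _table

if __name__ == "__main__":
    blob = read_rsmb_windows() if sys.platform == "win32" else CONSTRUCTED_RSMB
    print(parse_raw_smbios(blob)[0], vm_indicators(blob))
```

On a real host the same check runs against read_rsmb_windows(); a sandbox that wants to defeat this probe has to patch the firmware table the guest sees, not just the registry keys the older SMBIOS copies live in, which is why the report scores the call as a VM-detection technique rather than ordinary hardware inventory.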

                               Control-flow Graph (rendered figure with Executed / Not Executed node colouring; the node list is not reproduced here): function at eb55b6, whose blocks call GetFileType, GetLastError and CloseHandle, with subcalls at eb5319, eb0714, eb5284, eb065d, eb5037, eb5495, eb0826, ea9e9c, e967ef, e967cc and e96802.
                              APIs
                                • Part of subcall function 00EB5284: CreateFileW.KERNEL32(00000000,?,?,_V,?,?,00000000,?,00EB565F,00000000,0000000C), ref: 00EB52A1
                              • GetLastError.KERNEL32 ref: 00EB56CA
                              • __dosmaperr.LIBCMT ref: 00EB56D1
                              • GetFileType.KERNEL32(00000000), ref: 00EB56DD
                              • GetLastError.KERNEL32 ref: 00EB56E7
                              • __dosmaperr.LIBCMT ref: 00EB56F0
                              • CloseHandle.KERNEL32(00000000), ref: 00EB5710
                              • CloseHandle.KERNEL32(?), ref: 00EB585A
                              • GetLastError.KERNEL32 ref: 00EB588C
                              • __dosmaperr.LIBCMT ref: 00EB5893
                              Strings
                              Memory Dump Source
                               • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: fd4953e4aaa021f1cc9901a246d649232f82118e177f5a9b7456a57e611d8472
                              • Instruction ID: b0f82aad6c82d8d0cd715949f2a2a0dddd792a6838b233f77246508bb6a258c7
                              • Opcode Fuzzy Hash: fd4953e4aaa021f1cc9901a246d649232f82118e177f5a9b7456a57e611d8472
                              • Instruction Fuzzy Hash: 51A12433A005588FDF19AF68D8917EE7BE1AB06328F14115AF811BF2A1DA319C16CB51

                               Control-flow Graph (rendered figure with Executed / Not Executed node colouring; the node list is not reproduced here): function at e75630, whose blocks call SetupDiGetClassDevsW, SetupDiEnumDeviceInfo, SetupDiGetDeviceInstanceIdW and SetupDiDestroyDeviceInfoList, followed by a long repeated run of string-handling blocks (calls to e41ee0, e42180 and e7bb3f) and subcalls at e935c0, e76390, e76520, e76aa0, e76740, e721e0, e72040, e75590, e7b5dd, e96729, e96739, e96802 and ea423c.
                              APIs
                              • SetupDiGetClassDevsW.SETUPAPI(00ECF610,00000000,00000000,00000002), ref: 00E756A7
                              • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00E756D7
                              • SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00E7570B
                              • SetupDiEnumDeviceInfo.SETUPAPI(?,00000001,0000001C), ref: 00E757F9
                              • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00E7580D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Setup$Device$Info$Enum$ClassDestroyDevsInstanceList
                              • String ID: "$0]$PCI${1A3E09BE-1E45-494B-9174-D7385B45BBF5}
                              • API String ID: 2459852064-3227047338
                              • Opcode ID: 8808a3662db4b79ee1dc6381584f6c4342077794a7ff8bf195255329a6357115
                              • Instruction ID: 9ecc20c8ed5d70593f20890e5e4c1aec3f8b65209a69f3f41cbc6c2026ec5ee4
                              • Opcode Fuzzy Hash: 8808a3662db4b79ee1dc6381584f6c4342077794a7ff8bf195255329a6357115
                              • Instruction Fuzzy Hash: 3C72CCB19006588ADB28CF24CC94BEEBBB5AF45308F5092D9E50DB7282D7755BC8CF54
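The API list for this function (SetupDiGetClassDevsW with flag 2 = DIGCF_PRESENT, SetupDiEnumDeviceInfo, SetupDiGetDeviceInstanceIdW into a 0x100-character buffer, SetupDiDestroyDeviceInfoList) together with the strings "PCI" and a class GUID is the standard SetupAPI walk over device instance IDs, a routine used both for plain hardware inventory and for sandbox fingerprinting. The script below is an added example and is not code from the sample or from Joe Sandbox: it reproduces the same call chain through ctypes on Windows and classifies the returned instance IDs by PCI vendor so an analyst can see what the sample would observe on a given machine. Assumptions (not stated in the report): that the "PCI" string is matched against instance-ID prefixes, the hypervisor vendor table, enumerating all classes (DIGCF_ALLCLASSES) instead of the specific GUID the sample passes, and the constructed sample IDs used off Windows.

```python
"""Reproduce the SetupAPI device-instance-ID walk from the report and flag
hypervisor PCI vendors among the results.

Added example, not code from the sample or from Joe Sandbox. The Windows
call chain below mirrors the report's API list for this function; the vendor
table and the "PCI" prefix matching are the editor's assumptions about how the
result is used, not something the report states.
"""
import ctypes
import re
import sys

# Well-known PCI vendor IDs of hypervisors (public values, not from the report).
HYPERVISOR_VENDORS = {
    "15AD": "VMware",
    "80EE": "VirtualBox",
    "1AF4": "virtio (KVM/QEMU)",
    "5853": "Xen",
    "1414": "Microsoft Hyper-V",
}

# Constructed sample instance IDs in the format SetupDiGetDeviceInstanceIdW returns.
SAMPLE_INSTANCE_IDS = [
    r"PCI\VEN_8086&DEV_7190&SUBSYS_00000000&REV_01\3&11583659&0&00",
    r"PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&11583659&0&3F",
    r"PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00\3&267A616A&0&20",
    r"USB\VID_046D&PID_C52B\5&2A1B3C4D&0&1",
    r"ACPI\PNP0A03\0",
]

_PCI_ID = re.compile(r"^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})", re.IGNORECASE)


def classify_instance_id(instance_id):
    """Return (vendor, device, hypervisor-or-None) for a PCI instance ID, else None."""
    m = _PCI_ID.match(instance_id)
    if m is None:
        return None
    vendor, device = m.group(1).upper(), m.group(2).upper()
    return vendor, device, HYPERVISOR_VENDORS.get(vendor)


def hypervisor_hits(instance_ids):
    """Instance IDs whose PCI vendor belongs to a known hypervisor, with its name."""
    hits = []
    for iid in instance_ids:
        info = classify_instance_id(iid)
        if info is not None and info[2] is not None:
            hits.append((iid, info[2]))
    return hits


# --- Windows-only part: the same SetupAPI calls the report lists -------------
DIGCF_PRESENT = 0x00000002     # the flag value the sample passes
DIGCF_ALLCLASSES = 0x00000004  # assumption: walk every class instead of the sample's GUID
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class GUID(ctypes.Structure):
    _fields_ = [("Data1", ctypes.c_uint32), ("Data2", ctypes.c_uint16),
                ("Data3", ctypes.c_uint16), ("Data4", ctypes.c_ubyte * 8)]


class SP_DEVINFO_DATA(ctypes.Structure):
    _fields_ = [("cbSize", ctypes.c_uint32), ("ClassGuid", GUID),
                ("DevInst", ctypes.c_uint32), ("Reserved", ctypes.c_size_t)]


def enumerate_device_instance_ids():
    """SetupDiGetClassDevsW -> SetupDiEnumDeviceInfo -> SetupDiGetDeviceInstanceIdW
    -> SetupDiDestroyDeviceInfoList, the sequence in the report's API list."""
    if sys.platform != "win32":
        raise OSError("SetupAPI is only available on Windows")
    api = ctypes.WinDLL("setupapi", use_last_error=True)
    api.SetupDiGetClassDevsW.restype = ctypes.c_void_p
    api.SetupDiGetClassDevsW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p,
                                         ctypes.c_void_p, ctypes.c_uint32]
    api.SetupDiEnumDeviceInfo.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                          ctypes.POINTER(SP_DEVINFO_DATA)]
    api.SetupDiGetDeviceInstanceIdW.argtypes = [ctypes.c_void_p, ctypes.POINTER(SP_DEVINFO_DATA),
                                                ctypes.c_wchar_p, ctypes.c_uint32,
                                                ctypes.POINTER(ctypes.c_uint32)]
    api.SetupDiDestroyDeviceInfoList.argtypes = [ctypes.c_void_p]

    hdev = api.SetupDiGetClassDevsW(None, None, None, DIGCF_PRESENT | DIGCF_ALLCLASSES)
    if hdev in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    ids = []
    try:
        data = SP_DEVINFO_DATA()
        data.cbSize = ctypes.sizeof(SP_DEVINFO_DATA)
        buf = ctypes.create_unicode_buffer(0x100)  # same 256-char buffer size the sample passes
        needed = ctypes.c_uint32(0)
        index = 0
        while api.SetupDiEnumDeviceInfo(hdev, index, ctypes.byref(data)):
            if api.SetupDiGetDeviceInstanceIdW(hdev, ctypes.byref(data), buf, len(buf), ctypes.byref(needed)):
                ids.append(buf.value)
            index += 1
    finally:
        api.SetupDiDestroyDeviceInfoList(hdev)
    return ids


if __name__ == "__main__":
    ids = enumerate_device_instance_ids() if sys.platform == "win32" else SAMPLE_INSTANCE_IDS
    for iid, name in hypervisor_hits(ids):
        print(f"{name:<20} {iid}")
```

Run it on the analysis VM and on a bare-metal reference host and compare the hit lists: a sample that branches on these vendor IDs behaves differently on the two, which is the cheapest way to confirm or rule out that this enumeration is an evasion check rather than inventory.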

                              Control-flow Graph (function 00E652D0; rendered graph not reproduced): IsWindow, SetWindowLongW, lstrcpynW, PathAddBackslashW, GetModuleHandleW, RegisterClassW, CreateWindowExW, SetWindowLongW
                              APIs
                              • IsWindow.USER32(?), ref: 00E6531D
                              • SetWindowLongW.USER32(?,000000EB,?), ref: 00E65330
                                • Part of subcall function 00E72AD0: _strrchr.LIBCMT ref: 00E72BAD
                                • Part of subcall function 00E72AD0: _strrchr.LIBCMT ref: 00E72BC0
                              • lstrcpynW.KERNEL32(?,00000003,00000103), ref: 00E65360
                              • PathAddBackslashW.SHLWAPI(?), ref: 00E6536D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window_strrchr$BackslashLongPathlstrcpyn
                              • String ID: CXZUpdateModule
                              • API String ID: 1126664090-2850203272
                              • Opcode ID: 3a06533d057bd7a87d883b0bed54b90d9548a3d481996416b56e27419bd3de8a
                              • Instruction ID: eaf466c8f50f0d6181199976ec8bcf18c78d203020b9626bb25d477fd9a421bf
                              • Opcode Fuzzy Hash: 3a06533d057bd7a87d883b0bed54b90d9548a3d481996416b56e27419bd3de8a
                              • Instruction Fuzzy Hash: 50F1AF31A056059FDB24DF28DC88B9AB7B1FF45314F1482DDE45AAB2A1DB31AE84CF50

                              Control-flow Graph (function 00E6FA60; rendered graph not reproduced): CoInitialize, OleInitialize, OleUninitialize, CoUninitialize
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 00E6FA8F
                              • OleInitialize.OLE32(00000000), ref: 00E6FA97
                              • __Mtx_unlock.LIBCPMT ref: 00E6FAF2
                              • __Mtx_unlock.LIBCPMT ref: 00E6FB62
                              • __Mtx_unlock.LIBCPMT ref: 00E6FC08
                                • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                              • __Mtx_unlock.LIBCPMT ref: 00E6FCAC
                              • OleUninitialize.OLE32 ref: 00E6FCFC
                              • CoUninitialize.OLE32 ref: 00E6FD02
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$InitializeUninitialize$Cpp_errorThrow_std::_
                              • String ID: list<T> too long
                              • API String ID: 669680987-4027344264
                              • Opcode ID: d5691148f03b0f0762411bdf36851c644d2a205c1db4e4dcc1e7c8e9c578c9b8
                              • Instruction ID: fe537e41fa89caf2811094299f5e2f1c5c189d49a93987657f4659f04d3eafca
                              • Opcode Fuzzy Hash: d5691148f03b0f0762411bdf36851c644d2a205c1db4e4dcc1e7c8e9c578c9b8
                              • Instruction Fuzzy Hash: 7991C2B1D00205DFDB10DF68E945B5EBBE4AF05358F199179E819BB382E731E904CBA2

                              Control-flow Graph (function 6C2C53FD; rendered graph not reproduced): EnterCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock, LeaveCriticalSection
                              APIs
                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C271B28,?,6C2B4930,6C271B28,6C2A94A5,6C271B28,6C2B3DF0), ref: 6C2C540E
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,6C271B28,?,6C2B4930,6C271B28,6C2A94A5,6C271B28,6C2B3DF0), ref: 6C2C5480
                              • GlobalHandle.KERNEL32(?), ref: 6C2C548A
                              • GlobalUnlock.KERNEL32(00000000), ref: 6C2C549C
                              • GlobalReAlloc.KERNEL32(?,00000000), ref: 6C2C54B7
                              • GlobalLock.KERNEL32(00000000), ref: 6C2C54C2
                              • LeaveCriticalSection.KERNEL32(?), ref: 6C2C550F
                              • GlobalHandle.KERNEL32(?), ref: 6C2C5523
                              • GlobalLock.KERNEL32(00000000), ref: 6C2C552E
                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,6C271B28,?,6C2B4930,6C271B28,6C2A94A5,6C271B28,6C2B3DF0,EE3AED3E), ref: 6C2C553D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                              • String ID:
                              • API String ID: 2667261700-0
                              • Opcode ID: 05bc50f92bd2b7c4fe8c98fd3cb0d8bc88f893830ef40f0bf1a6311d6a19eafe
                              • Instruction ID: e27f55417f1313239ef9f2c0bcc96e6a217f28e229cca944da03f61a594b46ed
                              • Opcode Fuzzy Hash: 05bc50f92bd2b7c4fe8c98fd3cb0d8bc88f893830ef40f0bf1a6311d6a19eafe
                              • Instruction Fuzzy Hash: 5A41B27170021AEFDB14EFA8C848B99BBB9FF05346F104265EC15E7940DB74E940DB91

                              Control-flow Graph (function 6C408E1E; rendered graph not reproduced): GetFileType, GetLastError, CloseHandle (CreateFileW via subcall 6C409223)
                              APIs
                                • Part of subcall function 6C409223: CreateFileW.KERNEL32(6C28A8D0,00000000,?,6C408EC7,?,?,00000000,?,6C408EC7,6C28A8D0,0000000C), ref: 6C409240
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C408F32
                              • __dosmaperr.LIBCMT ref: 6C408F39
                              • GetFileType.KERNEL32(00000000), ref: 6C408F45
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C408F4F
                              • __dosmaperr.LIBCMT ref: 6C408F58
                              • CloseHandle.KERNEL32(00000000), ref: 6C408F78
                              • CloseHandle.KERNEL32(6C3FFF1C), ref: 6C4090C5
                              • GetLastError.KERNEL32 ref: 6C4090F7
                              • __dosmaperr.LIBCMT ref: 6C4090FE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID:
                              • API String ID: 4237864984-0
                              • Opcode ID: 2923bdaf40bcf95c7d7c3c825abe9cfee76bb999036d8d43a36b00a05f8e06f1
                              • Instruction ID: 2632515af5d0f0d329100f44dfe3742780ff241b7b725624d3ed4a63e2945fe7
                              • Opcode Fuzzy Hash: 2923bdaf40bcf95c7d7c3c825abe9cfee76bb999036d8d43a36b00a05f8e06f1
                              • Instruction Fuzzy Hash: 2CA1F232B441149FCF19EF68D851FAD3BB1AB4B329F14026EE811AB791D736C816CB91

                              Control-flow Graph (function 00E6CEF0; rendered graph not reproduced): CoInitialize, OleInitialize, GetTickCount, Sleep, CoUninitialize, OleUninitialize
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InitializeUninitialize$Cnd_do_broadcast_at_thread_exitCnd_signalCountMtx_unlockSleepTick
                              • String ID:
                              • API String ID: 2752312933-0
                              • Opcode ID: 023d6e30a7a5a7b3d2485f079831a413d5bf67bb231a6c688d9722f01a1ddaa1
                              • Instruction ID: 5c74f1781cadc449e0379c2c3acc13cf085c0786b7e8b0d311f95ce59dc56157
                              • Opcode Fuzzy Hash: 023d6e30a7a5a7b3d2485f079831a413d5bf67bb231a6c688d9722f01a1ddaa1
                              • Instruction Fuzzy Hash: B621B2B1A00200AFD301AF65EC06B1ABBE5FF04314F189579F949B73A2DB72E854CA91

                              Control-flow Graph (rendered graph not reproduced)
                              APIs
                              • GetFileAttributesA.KERNEL32 ref: 6C299C9B
                              • SHGetFolderPathA.SHELL32 ref: 6C299CE4
                              • GetFileAttributesA.KERNEL32 ref: 6C299DDF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AttributesFile$FolderPath
                              • String ID: Dl
                              • API String ID: 1382956649-3183023029
                              • Opcode ID: 8fac95df67f10ea8afe68b3769d7f5782c35791cbfb0835b98c64e9ff509810b
                              • Instruction ID: 8490058d2c03261dcf2ace7effcfb28320ec32b25979646b09b767aa4fa2f247
                              • Opcode Fuzzy Hash: 8fac95df67f10ea8afe68b3769d7f5782c35791cbfb0835b98c64e9ff509810b
                              • Instruction Fuzzy Hash: EAB12CB4910318CFCB14EF68C984B9DBBB0FF49314F0081A9D81A9B790DB749A89CF91

                              Control-flow Graph (function 00EAC5D4; rendered graph not reproduced): GetTimeZoneInformation, WideCharToMultiByte (twice)
                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                              • _free.LIBCMT ref: 00EAC62C
                                • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                              • _free.LIBCMT ref: 00EAC7F8
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 1286116820-239921721
                              • Opcode ID: 22e386314eddbb6f63e9b8737f06e957d44bc78664417f30e4d37e7f5dfb8f0c
                              • Instruction ID: 7b6d74665cfac682fcb2e764faa9141fb239007db7381e6968f64ea1ecf3b571
                              • Opcode Fuzzy Hash: 22e386314eddbb6f63e9b8737f06e957d44bc78664417f30e4d37e7f5dfb8f0c
                              • Instruction Fuzzy Hash: 9951D672900219EFCB10EF759CC19AA77F8EF4A754F20226AF455BF191EB30AD458B50
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C321049
                                • Part of subcall function 6C2C34C0: EnterCriticalSection.KERNEL32(6C478410,?,?,0000007C,?,6C2AF878,00000001), ref: 6C2C34F1
                                • Part of subcall function 6C2C34C0: InitializeCriticalSection.KERNEL32(00000000,?,6C2AF878,00000001), ref: 6C2C3507
                                • Part of subcall function 6C2C34C0: LeaveCriticalSection.KERNEL32(6C478410,?,6C2AF878,00000001), ref: 6C2C3515
                                • Part of subcall function 6C2C34C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C2AF878,00000001), ref: 6C2C3522
                              • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C32109C
                              • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C3210B2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                              • String ID: DragDelay$DragMinDist$d}Bl$windows
                              • API String ID: 3965097884-3234701269
                              • Opcode ID: 294b2048b291a7a42554deb29aa02afc081b3dc72a34a128b57ea260afb19536
                              • Instruction ID: 7a5f9744e4bab7516381431b1d829b9fb59b6b74abd06ef50c3f84e63de99749
                              • Opcode Fuzzy Hash: 294b2048b291a7a42554deb29aa02afc081b3dc72a34a128b57ea260afb19536
                              • Instruction Fuzzy Hash: 5D015EB0A117409FDBA1EF34C546B9ABAF0BB08704F50191DE549E7F40D779A504CF55
                              APIs
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00E407A8
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00E407BE
                              • GetTempPathW.KERNEL32(00000104,?), ref: 00E407D4
                              • PathAppendW.SHLWAPI(?), ref: 00E407F0
                              • PathAddBackslashW.SHLWAPI(?), ref: 00E407FD
                              • PathFileExistsW.SHLWAPI(?), ref: 00E40810
                              • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E40820
                              • PathFileExistsW.SHLWAPI(?), ref: 00E4082D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Path$ExistsFileFolderSpecial$AppendBackslashCreateDirectoryTemp
                              • String ID:
                              • API String ID: 3243460205-0
                              • Opcode ID: 9c6a80c64676fb6999b7ece60ff21b77c5f32624c5937c7bfac7558abe0461f6
                              • Instruction ID: d3dcf1762f012f25ed92a6ed7d92309449886369c1d7cb763b7d09e9ea733f46
                              • Opcode Fuzzy Hash: 9c6a80c64676fb6999b7ece60ff21b77c5f32624c5937c7bfac7558abe0461f6
                              • Instruction Fuzzy Hash: 1231807194021CAFDB20DF60DC89BEA77BCFB54704F0405AAE909E6140D770AA88CFA1
                              APIs
                                • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                              • __Mtx_unlock.LIBCPMT ref: 00E6F9B8
                                • Part of subcall function 00E97BA1: _abort.LIBCMT ref: 00E97BD7
                              • CoInitialize.OLE32(00000000), ref: 00E6FA8F
                              • OleInitialize.OLE32(00000000), ref: 00E6FA97
                              • __Mtx_unlock.LIBCPMT ref: 00E6FAF2
                              • __Mtx_unlock.LIBCPMT ref: 00E6FB62
                              • __Mtx_unlock.LIBCPMT ref: 00E6FC08
                                • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                              • __Mtx_unlock.LIBCPMT ref: 00E6FCAC
                              • OleUninitialize.OLE32 ref: 00E6FCFC
                              • CoUninitialize.OLE32 ref: 00E6FD02
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$InitializeUninitialize$Cnd_initCpp_errorMtx_initThrd_startThrow__abortstd::_
                              • String ID:
                              • API String ID: 498520733-0
                              • Opcode ID: 94c216b7cbab568b3fcae7584993f3b06f548fa48b0d522857108de033fa299c
                              • Instruction ID: 25007c884d419c2e34ca1f902a95a3ba2515e84c8d1c00807dcd126bc1240b12
                              • Opcode Fuzzy Hash: 94c216b7cbab568b3fcae7584993f3b06f548fa48b0d522857108de033fa299c
                              • Instruction Fuzzy Hash: A3D1A2B1D00248DFDB00DFA8E945B9EBBF4AF05354F189169E819B7382E731E904CBA1
                              APIs
                              • PostMessageW.USER32(?,00000BC6,00000000,00000000), ref: 00E660E1
                              • __Mtx_unlock.LIBCPMT ref: 00E660EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageMtx_unlockPost
                              • String ID: C:\Windows\System32\kernel32.dll$invalid stoul argument$stoul argument out of range
                              • API String ID: 545632012-474098362
                              • Opcode ID: df6306176638604051c787f0d25cdf013b853f0d86d62c06bb992a6e91472d12
                              • Instruction ID: b1c463b3715d922598031917f9e26cad36dcff4922eedde28fd77039d86eb198
                              • Opcode Fuzzy Hash: df6306176638604051c787f0d25cdf013b853f0d86d62c06bb992a6e91472d12
                              • Instruction Fuzzy Hash: 4B31D7B0C40309ABDF20AFA5AD45BDDB6F4EF05740F0451AAB81CB6391EB705A84CF51
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39addfa47cbb56974b54ac5f3f8262305f551559a6c5550cfe4ecce5ad71bbab
                              • Instruction ID: 6d9922de5c10248d461435407ce9fcf40c6c3684eea06df2791995f611ecaf91
                              • Opcode Fuzzy Hash: 39addfa47cbb56974b54ac5f3f8262305f551559a6c5550cfe4ecce5ad71bbab
                              • Instruction Fuzzy Hash: 41B1F470B84245AFDB21CF98C888FAE7BB0BF4A319F144169E550977C1CB70D946CBA1
                              APIs
                              • __allrem.LIBCMT ref: 00E9B864
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B880
                              • __allrem.LIBCMT ref: 00E9B897
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B8B5
                              • __allrem.LIBCMT ref: 00E9B8CC
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B8EA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: f3f1979d07c72e0da9149b071018468b7c6d250dff15f2c550c1b7d1d762c3d1
                              • Instruction ID: 4aeb23315875e0c0aa705601efbe318f4f5597b3d511d976b3e99e8dd2bb6410
                              • Opcode Fuzzy Hash: f3f1979d07c72e0da9149b071018468b7c6d250dff15f2c550c1b7d1d762c3d1
                              • Instruction Fuzzy Hash: 5B812C71A007069BEF249F68ED81B6B73E9AF85724F24662EF550FB681E770ED008750
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
                              • String ID:
                              • API String ID: 4013288513-0
                              • Opcode ID: 7cfd646915450d2a5193f602f04d744b473163b4a468b54cebc9986e0590766d
                              • Instruction ID: bd6f7c2fac25f1f94077557beb8eff98189abb8dfc081eb190863987f903ac64
                              • Opcode Fuzzy Hash: 7cfd646915450d2a5193f602f04d744b473163b4a468b54cebc9986e0590766d
                              • Instruction Fuzzy Hash: 0F510BB4E083499FCB00EFA9D4456ADBFF0BF49314F00455DE899A7740D7349958CBA2
                              APIs
                              • IsWindow.USER32(?), ref: 00E611AB
                              • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00E611BB
                              • GetModuleHandleW.KERNEL32(00000000,00000000,-00000002), ref: 00E6123C
                              • RegisterClassW.USER32(?), ref: 00E61265
                              • CreateWindowExW.USER32(00000000,?,00ECEA54,00000000,00000000,00000000,00000001,00000001,000000FD,00000000,00000000,00000000), ref: 00E61292
                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E612A3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Long$ClassCreateHandleModuleRegister
                              • String ID:
                              • API String ID: 354519829-0
                              • Opcode ID: 4359d24bf3535600086311630c5456a510240dd0899b2a27699cf5aaa25f6d03
                              • Instruction ID: f25768896aa5dbf3f33b47f83bf4b8e8e10400eb2d9c94df8b4bdee5d347fea5
                              • Opcode Fuzzy Hash: 4359d24bf3535600086311630c5456a510240dd0899b2a27699cf5aaa25f6d03
                              • Instruction Fuzzy Hash: 4C41FE30208300AFD7109F28DC5AB5FBBE5EF89714F505A2DF955A62E0EB71E844CB82
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C1427766,00000000,?), ref: 00E617AA
                              • GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,?), ref: 00E61803
                              • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 00E61867
                              • VerQueryValueW.VERSION(00000000,00ECEA50,?,00000034), ref: 00E61885
                                • Part of subcall function 00E417D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00E417E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$InfoVersion$Exception@8ModuleNameQuerySizeThrowValue
                              • String ID: %d.%d.%d.%d
                              • API String ID: 4009888614-3491811756
                              • Opcode ID: ba62ea89234366d123d8f12366b45d2ef3fcb9407a0f6e58cf9c7f49e821ddf7
                              • Instruction ID: fe7b80247d11d300126ab09f01a807964be35931a2889eac8307100b0f7fa443
                              • Opcode Fuzzy Hash: ba62ea89234366d123d8f12366b45d2ef3fcb9407a0f6e58cf9c7f49e821ddf7
                              • Instruction Fuzzy Hash: 309182719002599FDB10DF69DD89BAEB7F8FF49304F1442A9E809F7281E774AA84CB50
                              APIs
                                • Part of subcall function 6C29A150: GetModuleFileNameA.KERNEL32 ref: 6C29A1AC
                              • CreateThread.KERNEL32 ref: 6C29A7DD
                              • CreateThread.KERNEL32 ref: 6C29A819
                              • WaitForSingleObject.KERNEL32 ref: 6C29A846
                                • Part of subcall function 6C29A320: GetModuleFileNameA.KERNEL32 ref: 6C29A37C
                                • Part of subcall function 6C29A0E0: GetModuleFileNameA.KERNEL32 ref: 6C29A113
                                • Part of subcall function 6C29A520: GetModuleHandleA.KERNEL32 ref: 6C29A568
                                • Part of subcall function 6C299520: GetModuleHandleA.KERNEL32 ref: 6C29952F
                                • Part of subcall function 6C299520: FindResourceW.KERNEL32 ref: 6C299594
                                • Part of subcall function 6C299520: LoadResource.KERNEL32 ref: 6C2995BD
                                • Part of subcall function 6C299520: SizeofResource.KERNEL32 ref: 6C2995D6
                                • Part of subcall function 6C299520: LockResource.KERNEL32 ref: 6C2995E8
                                • Part of subcall function 6C2980D0: WSAStartup.WS2_32 ref: 6C2980FF
                                • Part of subcall function 6C2980D0: getaddrinfo.WS2_32 ref: 6C2981F9
                                • Part of subcall function 6C2980D0: WSACleanup.WS2_32 ref: 6C298215
                                • Part of subcall function 6C2980D0: freeaddrinfo.WS2_32 ref: 6C2983B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Module$Resource$FileName$CreateHandleThread$CleanupFindLoadLockObjectSingleSizeofStartupWaitfreeaddrinfogetaddrinfo
                              • String ID: IiViS$libcurl.dll
                              • API String ID: 1047316345-1299199552
                              • Opcode ID: 6aed699e324d2aeae6d4b0975713276cdc36bb8de09b152ae1d917b446434035
                              • Instruction ID: 3d9b80a76f47a946def4232357ef477040d3f74920bc69f8cd18bf8e4e1523e9
                              • Opcode Fuzzy Hash: 6aed699e324d2aeae6d4b0975713276cdc36bb8de09b152ae1d917b446434035
                              • Instruction Fuzzy Hash: 70A105B0900318CFDB14EF65D855BDDBBB0FB05304F01849AD85A9BB90EB749A48CF92
                              APIs
                              • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00E41729
                              • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00E41754
                              • RegCloseKey.ADVAPI32(?), ref: 00E4175F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                              • API String ID: 3677997916-378819227
                              • Opcode ID: 2f993fa4aff4f5f49f140a33cc2c2de54600e2c9e7827664a4d247ee7f0d54aa
                              • Instruction ID: c24d5ae89feea267e1690a4e7f36f0b9e937a09ca973d4383fabf49042b1d6b0
                              • Opcode Fuzzy Hash: 2f993fa4aff4f5f49f140a33cc2c2de54600e2c9e7827664a4d247ee7f0d54aa
                              • Instruction Fuzzy Hash: 6F21B075600308AFDB10DF68EC45EAAB7F8EF84714F0444AAF916E7251DB30ED488B90
                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C2BE474
                              • VerSetConditionMask.KERNEL32(00000000), ref: 6C2BE47C
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C2BE48D
                              • GetSystemMetrics.USER32(00001000), ref: 6C2BE49E
                                • Part of subcall function 6C2BE4D4: __EH_prolog3.LIBCMT ref: 6C2BE4DB
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000016), ref: 6C2BE4E4
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000F), ref: 6C2BE4F7
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000015), ref: 6C2BE50E
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000F), ref: 6C2BE51A
                                • Part of subcall function 6C2BE4D4: GetDeviceCaps.GDI32(?,0000000C), ref: 6C2BE542
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000F), ref: 6C2BE550
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000010), ref: 6C2BE55E
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000015), ref: 6C2BE56C
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000016), ref: 6C2BE57A
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000014), ref: 6C2BE588
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000012), ref: 6C2BE596
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000011), ref: 6C2BE5A4
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000006), ref: 6C2BE5AF
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000D), ref: 6C2BE5BA
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000E), ref: 6C2BE5C5
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000005), ref: 6C2BE5D0
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000008), ref: 6C2BE5DE
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000009), ref: 6C2BE5E9
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000007), ref: 6C2BE5F4
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000002), ref: 6C2BE5FF
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(00000003), ref: 6C2BE60A
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000001B), ref: 6C2BE618
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000001C), ref: 6C2BE626
                                • Part of subcall function 6C2BE4D4: GetSysColor.USER32(0000000A), ref: 6C2BE634
                                • Part of subcall function 6C2BE8F2: __EH_prolog3_GS.LIBCMT ref: 6C2BE8FC
                                • Part of subcall function 6C2BE8F2: GetDeviceCaps.GDI32(?,00000058), ref: 6C2BE91C
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BE978
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BE996
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BE9B4
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BE9D2
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BE9F0
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BEA0E
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BEA2C
                                • Part of subcall function 6C2BE8F2: DeleteObject.GDI32(00000000), ref: 6C2BEA4A
                                • Part of subcall function 6C2BEE11: GetSystemMetrics.USER32(00000031), ref: 6C2BEE1F
                                • Part of subcall function 6C2BEE11: GetSystemMetrics.USER32(00000032), ref: 6C2BEE2D
                                • Part of subcall function 6C2BEE11: SetRectEmpty.USER32(?), ref: 6C2BEE40
                                • Part of subcall function 6C2BEE11: EnumDisplayMonitors.USER32(00000000,00000000,6C2BF5E9,?,?,?), ref: 6C2BEE50
                                • Part of subcall function 6C2BEE11: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C2BEE5F
                                • Part of subcall function 6C2BEE11: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C2BEE8C
                                • Part of subcall function 6C2BEE11: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C2BEEA0
                                • Part of subcall function 6C2BEE11: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C2BEEC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
                              • String ID: >:
                              • API String ID: 2442922003-3907246019
                              • Opcode ID: 2763b3f78867adda848b0e2bf8d67772faf18d50095f10da477972361618e335
                              • Instruction ID: 28010a0c8cef1806354e5c2c62eb987ed4ec9992ff854e0d265c4d5b41223e02
                              • Opcode Fuzzy Hash: 2763b3f78867adda848b0e2bf8d67772faf18d50095f10da477972361618e335
                              • Instruction Fuzzy Hash: 2C1177B0F00318ABDB25AF759C49FEBB6BCEB89748F00449DB54596280CBB44A458BD1
                              APIs
                              • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00E41729
                              • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00E41754
                              • RegCloseKey.ADVAPI32(?), ref: 00E4175F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                              • API String ID: 3677997916-378819227
                              • Opcode ID: d11227e01720da24a962d9599ca2ef7172c02a5cec982ea51e6cc1d288553f4f
                              • Instruction ID: 1658ae69f969dd470838bcf63e0a035549fae892d7e95dc87d78cb6d17b577af
                              • Opcode Fuzzy Hash: d11227e01720da24a962d9599ca2ef7172c02a5cec982ea51e6cc1d288553f4f
                              • Instruction Fuzzy Hash: 79013174A0031DBFEF10AF95DC85FAEB7BCEB08714F0041AAF914B7291D6715A489B90
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0
                              • Opcode ID: bf3aac7012cc2a524d513cfcd13c6f43d8299c07c755bc47eacd6653edd2a6dc
                              • Instruction ID: 32fdf244e5ec210285c6259e04caa80e72c941bc9ee916ceacc493cb7032b3dd
                              • Opcode Fuzzy Hash: bf3aac7012cc2a524d513cfcd13c6f43d8299c07c755bc47eacd6653edd2a6dc
                              • Instruction Fuzzy Hash: 1921A272D01636ABDB218F15CE48AEE3A69EB48798F004116E81557B50C7338E058FE0
                              APIs
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E4D79E
                                • Part of subcall function 00E7A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00E7A64A
                              • __Xtime_get_ticks.LIBCPMT ref: 00E4D844
                                • Part of subcall function 00E7939B: ___crtFlsFree.LIBCPMT ref: 00E793A4
                                • Part of subcall function 00E4D5F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4D611
                                • Part of subcall function 00E4CCF0: Sleep.KERNEL32(?,?,00000010), ref: 00E4CE07
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4D939
                              Strings
                              • daily_file_sink: Invalid rotation time in ctor, xrefs: 00E4D91F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::create_stl_critical_sectionException@8FreeMtx_init_in_situSleepThrowUnothrow_t@std@@@Xtime_get_ticks___crt__ehfuncinfo$??2@
                              • String ID: daily_file_sink: Invalid rotation time in ctor
                              • API String ID: 4188573093-2939006100
                              • Opcode ID: 21e9f9c250be0ae4d311e63d9c117e9cf5edabef967dc5602480c1c6b9792638
                              • Instruction ID: f3ef5e5756a900dd2400c8fb2d58819d41647f5c61470100c14fcfe24f8de8e6
                              • Opcode Fuzzy Hash: 21e9f9c250be0ae4d311e63d9c117e9cf5edabef967dc5602480c1c6b9792638
                              • Instruction Fuzzy Hash: B65122B09007449BDB14DF28D985B9FBBF4EF48300F10861DE885AB782EB75E944CBA0
                              APIs
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388B3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388E3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388EE
                              Strings
                              • Unknown exception in logger, xrefs: 00E3877E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_init_in_situ
                              • String ID: Unknown exception in logger
                              • API String ID: 3366076730-1706402959
                              • Opcode ID: ae03571940d3f02251ea22ca4a6f9c6de09ff8677a14a9efa926889c0fad0e59
                              • Instruction ID: 5faef8f419f6a7549a2f90f321641d89b84e6396ac47d280e7e099a93d2abb37
                              • Opcode Fuzzy Hash: ae03571940d3f02251ea22ca4a6f9c6de09ff8677a14a9efa926889c0fad0e59
                              • Instruction Fuzzy Hash: BD51DEB1904748DFEB20DF64C989B9ABBF0EF00314F04859DE559AB381DBB5A944CF91
                              APIs
                              • Sleep.KERNEL32(?,?,00000010), ref: 00E4CE07
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4CE93
                                • Part of subcall function 00E92A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00E92AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseSleepThrow
                              • String ID: for writing$Failed opening file
                              • API String ID: 38309065-807226085
                              • Opcode ID: 35eb3c547f3bfd9aad607b664d813605ba879b57711ee9e96d7715c7560bf894
                              • Instruction ID: 4b2ec5aef3bb0d3e12b6a74ffde42e32c438b737f18ae963777e2bc2cfa44c6f
                              • Opcode Fuzzy Hash: 35eb3c547f3bfd9aad607b664d813605ba879b57711ee9e96d7715c7560bf894
                              • Instruction Fuzzy Hash: 5051DF71A002089FDF14DFA8E881FAEBBB5FF44304F245529E815B7391EB35AA44CB90
                              APIs
                              • InitOnceExecuteOnce.KERNELBASE(?,00E78AD0,00000001,?,00E4019A,00000000,?,00E3FF77,00EE5B80,00E3FF40,00EE5B78,?,00E4019A,?,00000001), ref: 00E7AC88
                              • SetLastError.KERNEL32(0000000D,?,?,ios_base::failbit set,?,00E78AD0,00000001,?,00E4019A,00000000,?,00E3FF77,00EE5B80,00E3FF40,00EE5B78), ref: 00E7ACE6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Once$ErrorExecuteInitLast
                              • String ID: ios_base::failbit set
                              • API String ID: 3407056439-3924258884
                              • Opcode ID: c24f0ce7b865f6cfc6f0333f84865c2486bc2f22357e3317c96769f1cd8e3f08
                              • Instruction ID: b7289151a51c25f4fa8f7044483ec739c5632a91840b058ddeb58006a8d4f367
                              • Opcode Fuzzy Hash: c24f0ce7b865f6cfc6f0333f84865c2486bc2f22357e3317c96769f1cd8e3f08
                              • Instruction Fuzzy Hash: 2611CE32200116BFDF135F65DD849AFFB65FB88315B188039F91AB6220CB319C559BE2
                              APIs
                              • GetModuleHandleW.KERNEL32(Shell32,00000000,?,6C29CF8A), ref: 6C2BA7DC
                              • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C2BA7ED
                              Strings
                              • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C2BA7E7
                              • Shell32, xrefs: 6C2BA7D5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
                              • API String ID: 1646373207-2658420654
                              • Opcode ID: 14e43005a2976d4a9fcd61bc08b3c59c9f68793b047be75bb448c09995bab071
                              • Instruction ID: 8e541abc1f78ddab217f8f1148c49bd81ce20d471c25ec5558b53d1a9bc4f320
                              • Opcode Fuzzy Hash: 14e43005a2976d4a9fcd61bc08b3c59c9f68793b047be75bb448c09995bab071
                              • Instruction Fuzzy Hash: 49E02672B02669678721BB21CC0CC1A7B28FA866AA3400439F815E3B00CE30D802C7E4
                              APIs
                              • DeleteFileW.KERNEL32(ac?l,?,6C3F6361,?), ref: 6C4033F1
                              • GetLastError.KERNEL32(?,6C3F6361,?), ref: 6C4033FB
                              • __dosmaperr.LIBCMT ref: 6C403402
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DeleteErrorFileLast__dosmaperr
                              • String ID: ac?l
                              • API String ID: 1545401867-4103421260
                              • Opcode ID: 79d4c943d77940ac5b76cdb8e8994732199660c566e54439cf679190ffb327f4
                              • Instruction ID: e9b5990b6cab699bd103c632fb51c8859e0d0855039b644b547892927c3c6b28
                              • Opcode Fuzzy Hash: 79d4c943d77940ac5b76cdb8e8994732199660c566e54439cf679190ffb327f4
                              • Instruction Fuzzy Hash: C5D0C972245208679E00BBF6AC0891A3F6C9A867793540626F52DC66D0DA31C4518651
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2A95EF
                                • Part of subcall function 6C2B8400: __EH_prolog3.LIBCMT ref: 6C2B8407
                              • GetCurrentThread.KERNEL32 ref: 6C2A964E
                              • GetCurrentThreadId.KERNEL32 ref: 6C2A9657
                              • GetVersionExW.KERNEL32 ref: 6C2A96F3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentThread$H_prolog3H_prolog3_Version
                              • String ID:
                              • API String ID: 786120064-0
                              • Opcode ID: 563772de811463aef0bbd89670dc196b911bdceb9caefd3bb1ad2c1d1ad60feb
                              • Instruction ID: 9c63d3d908e232f7eeb58ba9eebb8454c1025285d052ce3edc26f018e143566e
                              • Opcode Fuzzy Hash: 563772de811463aef0bbd89670dc196b911bdceb9caefd3bb1ad2c1d1ad60feb
                              • Instruction Fuzzy Hash: B05102B4A01B198FD725EF6A898468AFBF1BF49704F50496ED8AEC7B10DB30A445CF50
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4C70B
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4C8FD
                              Strings
                              • Failed writing to file , xrefs: 00E4C8C9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8ThrowUnothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: Failed writing to file
                              • API String ID: 110933538-3481382570
                              • Opcode ID: aa4dfb42773601ee149bcc03b36a843ccd19453d2b149f15d99b589cabdf1beb
                              • Instruction ID: a0160c3dbec3d9be2751d60b1c4221fe4f40e744b360db690a696d77ea0b4b40
                              • Opcode Fuzzy Hash: aa4dfb42773601ee149bcc03b36a843ccd19453d2b149f15d99b589cabdf1beb
                              • Instruction Fuzzy Hash: E861B171901219ABDF14DF64DC89BDDB7B5FF44304F20929AE808B7291DB31AA85CF90
                              APIs
                                • Part of subcall function 00E3F140: __Xtime_get_ticks.LIBCPMT ref: 00E3F152
                                • Part of subcall function 00E3F140: GetCurrentThreadId.KERNEL32 ref: 00E3F178
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388B3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388E3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388EE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_init_in_situ$CurrentThreadXtime_get_ticks
                              • String ID:
                              • API String ID: 2135877135-0
                              • Opcode ID: b6c934d0fe3adeba7644eb575afc823ffca0d832af80da697a1fbbe27c6641aa
                              • Instruction ID: 51a46c42f5272ca1271c3554707e0874cb1ca5131801e6d8a7efeb65b3342720
                              • Opcode Fuzzy Hash: b6c934d0fe3adeba7644eb575afc823ffca0d832af80da697a1fbbe27c6641aa
                              • Instruction Fuzzy Hash: 7281AFB19007489FDB20DF64CD89B9EBBF4EB44314F14859EE419AB380DB75AA48CF91
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2460df373da613bccbb835f297f29a5eafba00e9e5b759ef4a09708923f05460
                              • Instruction ID: 42fccf4642879e656e4f9ccffd3af29ec5d04e6e2628a32f830b22ca30b8a2fa
                              • Opcode Fuzzy Hash: 2460df373da613bccbb835f297f29a5eafba00e9e5b759ef4a09708923f05460
                              • Instruction Fuzzy Hash: 8251AF71D082199BDF15DFA8CC49AEF7BB4AF8A318F11215AE484BF291D774A900C761
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00E6E90F
                              • SetEvent.KERNEL32(?), ref: 00E6EA2C
                              • __Mtx_unlock.LIBCPMT ref: 00E6EA36
                                • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Cnd_initEventMtx_initThrd_start
                              • String ID:
                              • API String ID: 3085764595-0
                              APIs
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388B3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388E3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E388EE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_init_in_situ
                              • String ID:
                              • API String ID: 3366076730-0
                              APIs
                              • _free.LIBCMT ref: 00EAC7A2
                              • _free.LIBCMT ref: 00EAC7F8
                                • Part of subcall function 00EAC5D4: _free.LIBCMT ref: 00EAC62C
                                • Part of subcall function 00EAC5D4: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                                • Part of subcall function 00EAC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                                • Part of subcall function 00EAC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              APIs
                              • __Cnd_signal.LIBCPMT ref: 00E70216
                              • __Mtx_unlock.LIBCPMT ref: 00E7022E
                              • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00E7024A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalMtx_unlock
                              • String ID:
                              • API String ID: 2839255513-0
                              APIs
                              • __Cnd_signal.LIBCPMT ref: 00E6F346
                              • __Mtx_unlock.LIBCPMT ref: 00E6F35E
                              • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00E6F37A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalMtx_unlock
                              • String ID:
                              • API String ID: 2839255513-0
                              APIs
                              • CreateThread.KERNEL32(?,?,Function_0006CA8E,00000000,?,?), ref: 00E9CC2B
                              • GetLastError.KERNEL32(?,?,?,?,?,00E79F7D,00000000,00000000,?,?,00000000,?,?,?,00E61104,?), ref: 00E9CC37
                              • __dosmaperr.LIBCMT ref: 00E9CC3E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateErrorLastThread__dosmaperr
                              • String ID:
                              • API String ID: 2744730728-0
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00EA81B1,?,?,00000002,00000000), ref: 00EA813B
                              • GetLastError.KERNEL32(?,00EA81B1,?,?,00000002,00000000,?,00EA7875,?,00000000,00000000,00000002,?,?,?,?), ref: 00EA8145
                              • __dosmaperr.LIBCMT ref: 00EA814C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID:
                              • API String ID: 2336955059-0
                              APIs
                                • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                              • __Mtx_unlock.LIBCPMT ref: 00E6BA5B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_initMtx_initMtx_unlockThrd_start
                              • String ID: l!
                              • API String ID: 2901745279-4133310417
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2BE0C2
                                • Part of subcall function 6C2BE417: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C2BE474
                                • Part of subcall function 6C2BE417: VerSetConditionMask.KERNEL32(00000000), ref: 6C2BE47C
                                • Part of subcall function 6C2BE417: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C2BE48D
                                • Part of subcall function 6C2BE417: GetSystemMetrics.USER32(00001000), ref: 6C2BE49E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
                              • String ID: Al
                              • API String ID: 2710481357-3234785264
                              APIs
                              • CreateFileW.KERNEL32(00000000,?,?,_V,?,?,00000000,?,00EB565F,00000000,0000000C), ref: 00EB52A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID: _V
                              • API String ID: 823142352-3862173090
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message
                              • String ID: curl_slist_free_all
                              • API String ID: 2030045667-2048950981
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message
                              • String ID: curl_slist_append
                              • API String ID: 2030045667-3558798127
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message
                              • String ID: curl_easy_init
                              • API String ID: 2030045667-4195830768
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6C3E1EC2
                                • Part of subcall function 6C3E226E: InitializeSListHead.KERNEL32(6C47A058,6C3E1ECC,6C46F718,00000010,6C3E2065,?,00000000,?,00000007,6C46F738,00000010,6C3E2078,?,?,6C3E2101,?), ref: 6C3E2273
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C3E1F2C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                              • String ID:
                              • API String ID: 3231365870-0
                              • Opcode ID: 144ec289db3aa5e80b47553c0af4a828886f4407f107b4b53a2522c2203e4a8e
                              • Instruction ID: 770c8f57f9e6b21fe0713d8b451743de096a8257e4b5939e9db28f7ea8725e7a
                              • Opcode Fuzzy Hash: 144ec289db3aa5e80b47553c0af4a828886f4407f107b4b53a2522c2203e4a8e
                              • Instruction Fuzzy Hash: AC21DB726092A55EDB01EBB4D804BD93771AF0A35DF10061AD89267FC1DB77800A8FA6
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6C3E1FC3
                              • ___scrt_uninitialize_crt.LIBCMT ref: 6C3E1FDD
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Initialize___scrt_uninitialize_crt
                              • String ID:
                              • API String ID: 2442719207-0
                              • Opcode ID: e603647ba4559ec00fb43f1ee522581e30429aeb4ec5abf1665ad74440c513a0
                              • Instruction ID: ed054d77075b0088cd623ee4002668c71f614a6f3269cae153b8944845b741ff
                              • Opcode Fuzzy Hash: e603647ba4559ec00fb43f1ee522581e30429aeb4ec5abf1665ad74440c513a0
                              • Instruction Fuzzy Hash: 1421D47294826A9ADB00DFF89A087DD37B4AB0E729F10451BD54192EC0CB77890ACF61
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,?,00008000,6C3FFF1C,?,?,?,6C3FFCD7,6C3FFF1C,?,00000000,?,?), ref: 6C3FFE8B
                              • GetLastError.KERNEL32(00000000,?,?,?,6C3FFCD7,6C3FFF1C,?,00000000,?,?,00000000,00008000,6C3FFF1C,?,?,6C408E3B), ref: 6C3FFE98
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: 449dfeb5167b6727c242d56d1b23795c6da6b8b00c7717b7250f5cd474fbe8e5
                              • Instruction ID: 695e7b8f317a3f272dc1ea19a3d1c35a728ecf90a03a4647dae9e43ffaa5c390
                              • Opcode Fuzzy Hash: 449dfeb5167b6727c242d56d1b23795c6da6b8b00c7717b7250f5cd474fbe8e5
                              • Instruction Fuzzy Hash: 49010433600214AFCB05CF59CC04C9E3B69DB8A368B240208FC219B6A1E671D952CF90
                              APIs
                              • GetWindowLongW.USER32(?,000000EB), ref: 00E61457
                              • DefWindowProcW.USER32(?,?,?,?), ref: 00E614A0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$LongProc
                              • String ID:
                              • API String ID: 2275667008-0
                              • Opcode ID: 9935aa2d21c5c4377e36d850cf23a58120aff6e83c9755ffb73108ba0fae83e7
                              • Instruction ID: 575b4d4c652970d0187e1e66c0d70d5f50fbf2ec5aa6a77f8dfbf0167d818f5a
                              • Opcode Fuzzy Hash: 9935aa2d21c5c4377e36d850cf23a58120aff6e83c9755ffb73108ba0fae83e7
                              • Instruction Fuzzy Hash: C3017C3160010DAFCF01DF94EC50AEE7BB5EF49310F408699FD166B290DB329A24DB90
                              APIs
                              • GetLastError.KERNEL32(00EDEEC0,00000010,00000003,00EA6F47), ref: 00E9CAA1
                              • ExitThread.KERNEL32 ref: 00E9CAA8
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: e4b5094a2bf5b72495c315cfcc6b990e0766a681d0b2e269d978df3ed77de720
                              • Instruction ID: acace0639ee0228faf0757f67e590206785625464a2d010701a76e9a71ca7d91
                              • Opcode Fuzzy Hash: e4b5094a2bf5b72495c315cfcc6b990e0766a681d0b2e269d978df3ed77de720
                              • Instruction Fuzzy Hash: 1EF08C71500204AFDF00FBB0C90AAAE7BB1EF49700F205559F4027B2A2CB716905DBA0
                              APIs
                              • GetLastError.KERNEL32(00000000,?,6C3E563B,6C3FC85A,?,?,6C3F9790,00000001,00000364,?,00000006,000000FF,?,?,6C3F6292), ref: 6C3F9898
                              • SetLastError.KERNEL32(00000000,?,6C275557), ref: 6C3F993A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: 4e928256d6ee246b7fb7800b011675ffe99967699cc7c030260fcf19f8f498be
                              • Instruction ID: 0fa4eaaf2e42274a088208a78ef72f612e2231ca8d90742f02505298f74fc3ec
                              • Opcode Fuzzy Hash: 4e928256d6ee246b7fb7800b011675ffe99967699cc7c030260fcf19f8f498be
                              • Instruction Fuzzy Hash: 7411E975349310AEDB01EEB58CD0E9B2A6CDF522EDB100E31F57495AA0E7518C0B8D71
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C4017AF,6C409011,?,00000000,00000000), ref: 6C401816
                              • GetLastError.KERNEL32(?,00000000,?,6C4017AF,6C409011,?,00000000,00000000), ref: 6C401820
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast
                              • String ID:
                              • API String ID: 918212764-0
                              • Opcode ID: 1427d2dafd8cc821029f5a764fe8069460437985f4b396493d6063f711298fae
                              • Instruction ID: b6ebdb31220d268f6e77524c0a406797c60a3617f4d370cbc7457a40fabcc5a5
                              • Opcode Fuzzy Hash: 1427d2dafd8cc821029f5a764fe8069460437985f4b396493d6063f711298fae
                              • Instruction Fuzzy Hash: A3112933B452242AC711A375A444FAD37A59B8773FF240729E83487FD0DB60C5418651
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00E7110F
                                • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cpp_errorMtx_unlockThrow_std::_
                              • String ID:
                              • API String ID: 2243708590-0
                              • Opcode ID: 4fc641722d5401d06966a9c067c62ca2c56576c53b3e1ee9e294490954a19689
                              • Instruction ID: a23176dddeebb280d6416afeb9d2f1925cf41ddeb1066c8f87d05213d2a63051
                              • Opcode Fuzzy Hash: 4fc641722d5401d06966a9c067c62ca2c56576c53b3e1ee9e294490954a19689
                              • Instruction Fuzzy Hash: BCB16871A012449FCB14CF68C991BAABBF4FF09714F19D1A9E919AB391D734ED00CB90
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9c9f684fa889dd244e0ec41c47dddefc8c004d304ce5333910cf8ac151f4368b
                              • Instruction ID: 7f1aa472f5c0e2f0c1edfc469670ddd014607039c0e54540f2acb5f463527c9c
                              • Opcode Fuzzy Hash: 9c9f684fa889dd244e0ec41c47dddefc8c004d304ce5333910cf8ac151f4368b
                              • Instruction Fuzzy Hash: 8251B270A00248AFDB04DF58C890E997FB5EF4A328F25C559E8699B751D332DE42CF91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock
                              • String ID:
                              • API String ID: 1418687624-0
                              • Opcode ID: e14539eb5e6876a0b6faf9880abf2c98f5b7cecc64aba6696da0a0fbaf1634c8
                              • Instruction ID: 0948d59c6b3b6d334a5c9fc80b1c4fa30510a532dd9e51e0ffe28eb8cb6635f3
                              • Opcode Fuzzy Hash: e14539eb5e6876a0b6faf9880abf2c98f5b7cecc64aba6696da0a0fbaf1634c8
                              • Instruction Fuzzy Hash: 3641BEB6A40610DFDB10DF18E945B5AB7E9FB44748F0991A9EC09EB392E731ED01CB90
                              APIs
                                • Part of subcall function 00E7B7AB: EnterCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7B6
                                • Part of subcall function 00E7B7AB: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7F3
                              • std::_XGetLastError.LIBCPMT ref: 00E37AC1
                                • Part of subcall function 00E7B761: EnterCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B76B
                                • Part of subcall function 00E7B761: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B79E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$ErrorLaststd::_
                              • String ID:
                              • API String ID: 3493314306-0
                              • Opcode ID: a2b5c3720ca25047998710585bb9c532c95b8f99a890646c1cd364ffe5f25e31
                              • Instruction ID: e15928f24d9a50abbb6b4307a7b5f186c5b312db40ac20475ea39e82cf3508ff
                              • Opcode Fuzzy Hash: a2b5c3720ca25047998710585bb9c532c95b8f99a890646c1cd364ffe5f25e31
                              • Instruction Fuzzy Hash: C531E5B1D043489FDB10DFA4D946B9EBBF8EB08314F04512AE805B7391EB759A08CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 500eaf4775dc8f4dc91fa2bd73846bfab4e273e24360eea1be6cb1a9163332b6
                              • Instruction ID: 1909fdf7f3314caf11c172eeb43d6c6585660455d9e5d8ab1196bcb7da18c246
                              • Opcode Fuzzy Hash: 500eaf4775dc8f4dc91fa2bd73846bfab4e273e24360eea1be6cb1a9163332b6
                              • Instruction Fuzzy Hash: BD116672A0420AAFCB05DF58E940D9B7BF8EF49308F044469F819EB301D731E912CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 8160085448fc8e63b2a4653f6980b75f5eab9216a6e180daa8f0702bfc91b7e8
                              • Instruction ID: 4f576ee9deda0a02ab1987e58e59a1c2c196b3cb3ceb6871019a8bf152ef7ba1
                              • Opcode Fuzzy Hash: 8160085448fc8e63b2a4653f6980b75f5eab9216a6e180daa8f0702bfc91b7e8
                              • Instruction Fuzzy Hash: 2A11187690420AAFCF15DF58E941A9B7BF8EF49314F104069F809AB351D631E9218B65
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 06b1167324aa920a479f46d28c334bdd05624e042fa91e407c45516a7deccf61
                              • Instruction ID: 564d7c8c0ae0718b38b78f7eee24cb358b210bbfe7f019540b465295f7f6821a
                              • Opcode Fuzzy Hash: 06b1167324aa920a479f46d28c334bdd05624e042fa91e407c45516a7deccf61
                              • Instruction Fuzzy Hash: 10114572A0420AAFCF15DF58E9419DA7BF8EF49304F1040A9F809AB311D631EA218BA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock
                              • String ID:
                              • API String ID: 1418687624-0
                              • Opcode ID: 27c8cd6246756503efc87a569b78a81cbfa11713e01ec2bf587fee988fa1b89c
                              • Instruction ID: dec5e9973293862c9c017fc2b835163eb68a069973d1a1afa632d5b396859c6f
                              • Opcode Fuzzy Hash: 27c8cd6246756503efc87a569b78a81cbfa11713e01ec2bf587fee988fa1b89c
                              • Instruction Fuzzy Hash: 180184B2900214ABDB00DF95ED05B9BB7ECEF45710F058136F819A3651EB75EA1486A2
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,6C3F6292,?,?,6C3F9790,00000001,00000364,?,00000006,000000FF,?,?,6C3F6292,?,6C275557), ref: 6C3FC849
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 79d67a712163918b67b2d4e30c00fbbda915a80177387e08216f44582700cf44
                              • Instruction ID: b3fd1152334a95ffa9c706c658faaa76401051a8854ec869f02fbea921cf0a76
                              • Opcode Fuzzy Hash: 79d67a712163918b67b2d4e30c00fbbda915a80177387e08216f44582700cf44
                              • Instruction Fuzzy Hash: 41F0B43568212C97EB31BA66B804F8B3B5CAF457B4B108925EC34E7D80DB71D8028EE1
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f4536d16d5e2002196e3e388b5418d82556e96934cad0ee61007cf63d4b8e722
                              • Instruction ID: c3b25b299e96d39e56181f34ab71141ad043a3edd6e4a7ccfc7ff471a5a181c5
                              • Opcode Fuzzy Hash: f4536d16d5e2002196e3e388b5418d82556e96934cad0ee61007cf63d4b8e722
                              • Instruction Fuzzy Hash: 94F0BE3351110CBBCF209E95DC02DDF3BAEEF89371F144112FD18A2060DA36CA21A7A0
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4D611
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 885266447-0
                              • Opcode ID: 644df985b829d9658f02dc5c088a3cd2b7d65694d3e42f1e706eb162c194ec91
                              • Instruction ID: 2d85f9768ad61c60fa7cf64f5feab87ae0304145b6581e205c3beba39b15a7fb
                              • Opcode Fuzzy Hash: 644df985b829d9658f02dc5c088a3cd2b7d65694d3e42f1e706eb162c194ec91
                              • Instruction Fuzzy Hash: 29016D31D1434CABCB01DFA8DC019EEB7B8FF58314F00961AF94576201EB7066D48B84
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Thrd_start
                              • String ID:
                              • API String ID: 2176944979-0
                              • Opcode ID: 216e343ed53ad991c7a664a30b41c02b96641873a79f7490143f30788b692bbe
                              • Instruction ID: 98fc2b031c9409010bf95a7261da98ad00e58fc26e039b398277ea8b7e47c5e7
                              • Opcode Fuzzy Hash: 216e343ed53ad991c7a664a30b41c02b96641873a79f7490143f30788b692bbe
                              • Instruction Fuzzy Hash: 77F0A7B194130166EF361115AC06B977AC88F11794F0CE479FA0FB0152E556EC948692
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: b8c8fa2bd15034aa2f412c5fdabe2c02cd43d934ce0cf6080a66e62c3ba9e04b
                              • Instruction ID: 69ad7a2720f97f51a156dd88349876c975a6633eb9c8d94821093d3bf2b70d7c
                              • Opcode Fuzzy Hash: b8c8fa2bd15034aa2f412c5fdabe2c02cd43d934ce0cf6080a66e62c3ba9e04b
                              • Instruction Fuzzy Hash: B8E0E53211D520BBDA20A6659C00BAF37899F0B3B4F152161FCC9BE1D0DF20FE0081E0
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7C845
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID:
                              • API String ID: 2005118841-0
                              • Opcode ID: 641a06c2fe3b68c4df8a70d5659489225add09981280737ea7508b09f2fe9fe4
                              • Instruction ID: e9156a759ca760db3b2f7fffea60ffcf8cda9d5fce8a5b257913b2da263b2501
                              • Opcode Fuzzy Hash: 641a06c2fe3b68c4df8a70d5659489225add09981280737ea7508b09f2fe9fe4
                              • Instruction Fuzzy Hash: 05E0923580060DB7CF147AA8EC06AAD77AC5F01364B20E125FD1CB54F6EF70E95591D1
                              APIs
                              • CreateFileW.KERNEL32(6C28A8D0,00000000,?,6C408EC7,?,?,00000000,?,6C408EC7,6C28A8D0,0000000C), ref: 6C409240
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: cf870a23748e25d2de20f0c83606001cff6cce32095c38d821fbe0791319b8c3
                              • Instruction ID: 9c14dd03e43c63c1a8982ececca43f837a7e03a470478eef47207e53615ea014
                              • Opcode Fuzzy Hash: cf870a23748e25d2de20f0c83606001cff6cce32095c38d821fbe0791319b8c3
                              • Instruction Fuzzy Hash: A8D06C3210010DBFDF02AE84DC06EDA3BAAFB4C714F414000BA1856020C732E821EB90
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 6C2A32C9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DeleteObject
                              • String ID:
                              • API String ID: 1531683806-0
                              • Opcode ID: f3b8cc5404fa09dd2c3dad657780d4f82abd55217d3db19b6380622e3e8e5853
                              • Instruction ID: 5b09bcf2647a7ca6f2dfee3ebf5d6fdc9658cb4044ec27662f9922f5cc9adefc
                              • Opcode Fuzzy Hash: f3b8cc5404fa09dd2c3dad657780d4f82abd55217d3db19b6380622e3e8e5853
                              • Instruction Fuzzy Hash: 23B09270D25209AACE00AAB08A0C74A76647B4130AF148894B40583844DB3AC406C580
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: e0d19138f83af4490954bd970e52fa2bfb4879ca8bca2cfb88cd669bc614202d
                              • Instruction ID: 32ba376c365ebe6651392e1ef200959b821b247c03f2efe9b8291a0c659464cb
                              • Opcode Fuzzy Hash: e0d19138f83af4490954bd970e52fa2bfb4879ca8bca2cfb88cd669bc614202d
                              • Instruction Fuzzy Hash: 123129B4A1434DCFCB24EFA8D581A9DFBB1FF0A714F014529D8159BB50D7349809CBA2
                              APIs
                                • Part of subcall function 6C2996B0: CreateToolhelp32Snapshot.KERNEL32 ref: 6C299702
                              • Sleep.KERNEL32 ref: 6C299B9F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateSleepSnapshotToolhelp32
                              • String ID:
                              • API String ID: 684154974-0
                              • Opcode ID: 566c1abdb281f88d3c370c99241a46600bac4eacef9b080d466e8c5bd3cf338a
                              • Instruction ID: 14e6f22369b3a65ee79d7bfc7451b3759400c33e1359e93d9b9234f805c3ab89
                              • Opcode Fuzzy Hash: 566c1abdb281f88d3c370c99241a46600bac4eacef9b080d466e8c5bd3cf338a
                              • Instruction Fuzzy Hash: 4D213BB591035D8FCB14EFA9C8916DEBBB4FB06720F000629D8156BB84D7799509CBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: fe0be36e50bb810149edfee708c9841c2e9ed2c1d4c50d2529c1d58bb255fcff
                              • Instruction ID: 73928cbf2f23816455844598dc2ad316869d9a8f5a50800918e19e3cb4478205
                              • Opcode Fuzzy Hash: fe0be36e50bb810149edfee708c9841c2e9ed2c1d4c50d2529c1d58bb255fcff
                              • Instruction Fuzzy Hash: 8ED09E75D002089FC740FFBCE54559EBFF4AB44210F404075E985D7300E6749694CB96
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?), ref: 00E772B7
                              • GetProcAddress.KERNEL32(00000000), ref: 00E772BE
                              • GetCurrentProcess.KERNEL32(00E7771E), ref: 00E772CE
                              • LoadLibraryW.KERNEL32(ntdll.dll,?), ref: 00E77304
                              • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00E7731A
                              • FreeLibrary.KERNEL32(00000000), ref: 00E77338
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressLibraryProc$CurrentFreeHandleLoadModuleProcess
                              • String ID: IsWow64Process$RtlGetNtVersionNumbers$kernel32$ntdll.dll
                              • API String ID: 1719414290-67787543
                              • Opcode ID: 284bdd6def9c98bf6db6ddd57e884071613acfeb79b08193c5a19343c0aa79ef
                              • Instruction ID: de1a04aab8e7456fa29a76cc3fce9b3ef22cd8457eac49bdb1ecfa2562cf18df
                              • Opcode Fuzzy Hash: 284bdd6def9c98bf6db6ddd57e884071613acfeb79b08193c5a19343c0aa79ef
                              • Instruction Fuzzy Hash: 3861E53261810C5ACF14EBA6F8A17BDB3E5EF59324F40516BE84EF7290EB758A448750
                              APIs
                              • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000), ref: 00E62F97
                              • CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00E62FBC
                              • LocalAlloc.KERNEL32(00000040,?,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E62FD4
                              • CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00E62FF8
                              • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,?), ref: 00E63015
                              • LocalAlloc.KERNEL32(00000040,?,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E63027
                              • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,?), ref: 00E63043
                                • Part of subcall function 00E62AF0: lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,C1427766), ref: 00E62B5B
                                • Part of subcall function 00E62AF0: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00E62B8D
                                • Part of subcall function 00E62AF0: LocalAlloc.KERNEL32(00000040,?,?,?,C1427766), ref: 00E62BA0
                                • Part of subcall function 00E62AF0: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00E62BD6
                                • Part of subcall function 00E62AF0: CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00E62BF9
                              • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,?,00000000), ref: 00E63136
                              • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,?,00000000), ref: 00E631B3
                              Strings
                              • %02d/%02d/%04d %02d:%02d, xrefs: 00E6321D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$Param$AllocCertLocalObject$CertificateDecodeFindStore$NameQuerylstrcmp
                              • String ID: %02d/%02d/%04d %02d:%02d
                              • API String ID: 2053929674-4051342895
                              • Opcode ID: a8d90fac2d99315a1df0eb0da8bf31db0e027cc2f91e4f7dadd3e0972b8f3fed
                              • Instruction ID: b5682a597f2eb7895b55d649d7d1062dce2f9d6f10db33cfae1c6b7a73f95b82
                              • Opcode Fuzzy Hash: a8d90fac2d99315a1df0eb0da8bf31db0e027cc2f91e4f7dadd3e0972b8f3fed
                              • Instruction Fuzzy Hash: A3A18D75A40228AFDB24DB64CC51FEAB7B8BF49740F0041DAE909B7290D771AE85CF60
                              APIs
                              • lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,C1427766), ref: 00E62B5B
                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00E62B8D
                              • LocalAlloc.KERNEL32(00000040,?,?,?,C1427766), ref: 00E62BA0
                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00E62BD6
                              • CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00E62BF9
                              • CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00E62C26
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CertCryptDecodeNameObject$AllocLocallstrcmp
                              • String ID: 1.3.6.1.4.1.311.2.1.12
                              • API String ID: 2110785831-2596186611
                              • Opcode ID: 0c77712cdd3b677ae822f620467b8c0f73a125c3dffc5366fb1c34a6bc703fc6
                              • Instruction ID: 90ef2ade498ac47f5b3bdf21330b789c8a7eea383cd709149f5e12ee83dd6bf9
                              • Opcode Fuzzy Hash: 0c77712cdd3b677ae822f620467b8c0f73a125c3dffc5366fb1c34a6bc703fc6
                              • Instruction Fuzzy Hash: 4A518A70A80605AFDB14CFA9D885FAEBBF4FF48754F14912DE606BB291C771A841CB60
                              APIs
                              • LocalFree.KERNEL32(?,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632C2
                              • LocalFree.KERNEL32(?,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632C9
                              • LocalFree.KERNEL32(?,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632D6
                              • LocalFree.KERNEL32(00000000,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632DD
                              • LocalFree.KERNEL32(?,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632EA
                              • CertFreeCertificateContext.CRYPT32(00000000,00E63283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,C1427766), ref: 00E632F7
                              • CertCloseStore.CRYPT32(00000000,00000000), ref: 00E6330A
                              • CryptMsgClose.CRYPT32(00000000), ref: 00E6331B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Free$Local$CertClose$CertificateContextCryptStore
                              • String ID:
                              • API String ID: 506982671-0
                              APIs
                              • lstrcmpA.KERNEL32(?,1.2.840.113549.1.9.6), ref: 00E62E18
                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00E62E47
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00E62E56
                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00E62E82
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                              • String ID: 1.2.840.113549.1.9.6
                              • API String ID: 3284379815-2921522063
                              APIs
                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00EB279D
                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00EB27C6
                              • GetACP.KERNEL32 ref: 00EB27DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              APIs
                              • lstrcmpA.KERNEL32(1.2.840.113549.1.9.5,00000000), ref: 00E62D10
                              • CryptDecodeObject.CRYPT32(00010001,1.2.840.113549.1.9.5,?,00000008,00000000,?,00000008), ref: 00E62D60
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E62D72
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E62D7F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Time$File$CryptDecodeLocalObjectSystemlstrcmp
                              • String ID: 1.2.840.113549.1.9.5
                              • API String ID: 1508694121-925610549
                              APIs
                                • Part of subcall function 00EA6EC4: GetLastError.KERNEL32(?,?,00E9CAB3,00EDEEC0,00000010), ref: 00EA6EC8
                                • Part of subcall function 00EA6EC4: _free.LIBCMT ref: 00EA6EFB
                                • Part of subcall function 00EA6EC4: SetLastError.KERNEL32(00000000), ref: 00EA6F3C
                                • Part of subcall function 00EA6EC4: _abort.LIBCMT ref: 00EA6F42
                                • Part of subcall function 00EA6EC4: _free.LIBCMT ref: 00EA6F23
                                • Part of subcall function 00EA6EC4: SetLastError.KERNEL32(00000000), ref: 00EA6F30
                              • GetUserDefaultLCID.KERNEL32 ref: 00EB29E4
                              • IsValidCodePage.KERNEL32(00000000), ref: 00EB2A3F
                              • IsValidLocale.KERNEL32(?,00000001), ref: 00EB2A4E
                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00EB2A96
                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00EB2AB5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00E3B45C
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E3B487
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E3B4C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: L
                              • API String ID: 1173841540-4033448573
                              APIs
                                • Part of subcall function 00E58840: InitializeCriticalSectionAndSpinCount.KERNEL32(00EDD73C,00000000,00E7B4F4,?,?,00EDD73C), ref: 00E58843
                                • Part of subcall function 00E58840: GetLastError.KERNEL32(?,?,00EDD73C), ref: 00E5884D
                              • IsDebuggerPresent.KERNEL32(?,?,00EDD73C), ref: 00E7B4F8
                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00EDD73C), ref: 00E7B507
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E7B502
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 450123788-631824599
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E96657
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E96661
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E9666E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              APIs
                              • GetCurrentProcess.KERNEL32(00000003,?,00EA4689,00000003,00EDEEE0,0000000C,00EA47E0,00000003,00000002,00000000,?,00E9CA8D,00000003), ref: 00EA46D4
                              • TerminateProcess.KERNEL32(00000000,?,00EA4689,00000003,00EDEEE0,0000000C,00EA47E0,00000003,00000002,00000000,?,00E9CA8D,00000003), ref: 00EA46DB
                              • ExitProcess.KERNEL32 ref: 00EA46ED
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              APIs
                              • GetAdaptersInfo.IPHLPAPI(?), ref: 00E763CC
                              • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00E763EF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AdaptersInfo
                              • String ID:
                              • API String ID: 3177971545-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Iconic
                              • String ID:
                              • API String ID: 110040809-0
                              APIs
                                • Part of subcall function 00E7B7AB: EnterCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7B6
                                • Part of subcall function 00E7B7AB: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7F3
                              • GetProcessHeap.KERNEL32 ref: 00E41B11
                                • Part of subcall function 00E7BB2A: __onexit.LIBCMT ref: 00E7BB30
                                • Part of subcall function 00E7B761: EnterCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B76B
                                • Part of subcall function 00E7B761: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B79E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$HeapProcess__onexit
                              • String ID:
                              • API String ID: 1320482808-0
                              APIs
                              • CoInitializeEx.OLE32(00000000,00000000,C1427766,?), ref: 00E77F1F
                              • CoCreateInstance.OLE32(00EC28F0,00000000,00000001,00EC2820,?), ref: 00E77F46
                              • InterlockedDecrement.KERNEL32(?), ref: 00E77FB3
                              • SysFreeString.OLEAUT32(00000000), ref: 00E77FC8
                              • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00E78007
                              • CoUninitialize.OLE32 ref: 00E78023
                              • VariantInit.OLEAUT32(?), ref: 00E78080
                              • InterlockedDecrement.KERNEL32(?), ref: 00E780D4
                              • SysFreeString.OLEAUT32(00000000), ref: 00E780E9
                              • VariantInit.OLEAUT32(?), ref: 00E78128
                                • Part of subcall function 00E4B340: SysAllocString.OLEAUT32(?), ref: 00E4B3A0
                              • InterlockedDecrement.KERNEL32(?), ref: 00E7817C
                              • SysFreeString.OLEAUT32(00000000), ref: 00E78191
                              • VariantInit.OLEAUT32(?), ref: 00E781D0
                                • Part of subcall function 00E77540: _com_util::ConvertStringToBSTR.COMSUPP ref: 00E775A0
                              • InterlockedDecrement.KERNEL32(?), ref: 00E78224
                              • SysFreeString.OLEAUT32(00000000), ref: 00E78239
                              • VariantClear.OLEAUT32(?), ref: 00E782AD
                              • CoUninitialize.OLE32 ref: 00E782C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: String$DecrementFreeInterlockedVariant$Init$Uninitialize$AllocBlanketClearConvertCreateInitializeInstanceProxy_com_util::
                              • String ID: MSSMBios_RawSMBiosTables$ROOT\WMI$SMBiosData$SmbiosMajorVersion$SmbiosMinorVersion$`)u
                              • API String ID: 2776751823-2377987326
                              • Opcode ID: e069968b9548b835032e6fe79511e0acdd927a4dc4d211aab0aced5bad6d9a9c
                              • Instruction ID: 791af341cab9395dc25110f88bf448387fd11f558f15ab9274d031b5ddc22295
                              • Opcode Fuzzy Hash: e069968b9548b835032e6fe79511e0acdd927a4dc4d211aab0aced5bad6d9a9c
                              • Instruction Fuzzy Hash: E9D16A71A40204AFDB24DFA4CD49F9EBBF8AF18710F149158E919BB291EB71ED05CB60
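The strings in this function (ROOT\WMI, MSSMBios_RawSMBiosTables, SMBiosData, SmbiosMajorVersion, SmbiosMinorVersion) are the WMI route to the raw SMBIOS structure table, the same bytes GetSystemFirmwareTable('RSMB') returns after its 8-byte RawSMBIOSData header; this COM/WMI call path is what the "Query firmware table information (likely to detect VMs)" signature refers to. The Python below is an added example, not code from the sample or from Joe Sandbox: it parses a raw SMBIOS structure table and reads the Type 0 (BIOS Information) and Type 1 (System Information) strings that a VM check compares against hypervisor vendor names. The two tables it parses are constructed inside the script (a VirtualBox-style one and a physical-host one), and the marker list is an assumption about what such a check typically looks for; neither is recovered from this binary.

```python
"""Parse a raw SMBIOS structure table such as the SMBiosData property of
MSSMBios_RawSMBiosTables (ROOT\\WMI) and pull the fields a VM check reads.

Added example for this report; the tables parsed below are constructed here,
not captured from the sample or from real firmware.
"""
import struct
from typing import Dict, List, Tuple

SMBIOS_TYPE_BIOS = 0
SMBIOS_TYPE_SYSTEM = 1
SMBIOS_END_OF_TABLE = 127

# Assumed hypervisor markers; the sample's own list is not recoverable from the report.
HYPERVISOR_MARKERS = ("VMware", "VirtualBox", "innotek GmbH", "QEMU", "Xen",
                      "KVM", "Bochs", "Parallels", "Virtual Machine")

Structure = Tuple[int, bytes, List[str]]   # (type, formatted area incl. header, string set)


def parse_structures(blob: bytes) -> List[Structure]:
    """Walk the table. Each structure is a 4-byte header (type, length, handle),
    a formatted area of `length` bytes in total, then NUL-terminated strings
    closed by an extra NUL (two NULs in a row when there are no strings)."""
    out: List[Structure] = []
    off = 0
    while off + 4 <= len(blob):
        stype, length, _handle = struct.unpack_from("<BBH", blob, off)
        if length < 4 or off + length > len(blob):
            raise ValueError(f"bad structure length {length} at offset {off}")
        formatted = blob[off:off + length]
        area_start = off + length
        end = blob.index(b"\x00\x00", area_start)      # ValueError if truncated
        strings = [s.decode("ascii", "replace")
                   for s in blob[area_start:end].split(b"\x00") if s]
        out.append((stype, formatted, strings))
        off = end + 2
        if stype == SMBIOS_END_OF_TABLE:
            break
    return out


def smbios_string(strings: List[str], index: int) -> str:
    """String fields hold a 1-based index into the string set; 0 means absent."""
    return strings[index - 1] if 0 < index <= len(strings) else ""


def system_identity(blob: bytes) -> Dict[str, str]:
    """Fields from Type 0 (BIOS Information) and Type 1 (System Information)."""
    ident: Dict[str, str] = {}
    for stype, fmt, strings in parse_structures(blob):
        if stype == SMBIOS_TYPE_BIOS and len(fmt) >= 6:
            ident["bios_vendor"] = smbios_string(strings, fmt[4])
            ident["bios_version"] = smbios_string(strings, fmt[5])
        elif stype == SMBIOS_TYPE_SYSTEM and len(fmt) >= 8:
            ident["manufacturer"] = smbios_string(strings, fmt[4])
            ident["product"] = smbios_string(strings, fmt[5])
            ident["version"] = smbios_string(strings, fmt[6])
            ident["serial"] = smbios_string(strings, fmt[7])
    return ident


def hypervisor_hits(ident: Dict[str, str]) -> List[str]:
    """Case-insensitive match of every identity field against the marker list."""
    hits = []
    for field, value in ident.items():
        for marker in HYPERVISOR_MARKERS:
            if marker.lower() in value.lower():
                hits.append(f"{field}={value!r} matches {marker!r}")
    return hits


def build_structure(stype: int, handle: int, tail: bytes, strings: List[str]) -> bytes:
    """Assemble one structure (constructed test data). `tail` is the formatted
    area after the 4-byte header."""
    header = struct.pack("<BBH", stype, 4 + len(tail), handle)
    string_set = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    if not strings:
        string_set = b"\x00\x00"
    return header + tail + string_set


# Minimal Type 0 / Type 1 / Type 127 tables (constructed). Type 0 offsets 4,5 are the
# vendor and version string indexes; Type 1 offsets 4..7 are manufacturer, product,
# version and serial. The real structures are longer, but only these offsets are read.
CONSTRUCTED_VM_TABLE = (
    build_structure(0, 0x0000, bytes([1, 2, 0x00, 0xE8]), ["innotek GmbH", "VirtualBox"])
    + build_structure(1, 0x0001, bytes([1, 2, 3, 4]), ["innotek GmbH", "VirtualBox", "1.2", "0"])
    + build_structure(127, 0x0002, b"", [])
)
CONSTRUCTED_PHYSICAL_TABLE = (
    build_structure(0, 0x0000, bytes([1, 2, 0x00, 0xE8]), ["American Megatrends Inc.", "2.17"])
    + build_structure(1, 0x0001, bytes([1, 2, 3, 4]), ["ASUSTeK COMPUTER INC.", "Z170-A", "Rev 1.xx", "190412345"])
    + build_structure(127, 0x0002, b"", [])
)

if __name__ == "__main__":
    for label, table in (("vm", CONSTRUCTED_VM_TABLE), ("physical", CONSTRUCTED_PHYSICAL_TABLE)):
        ident = system_identity(table)
        print(label, ident, hypervisor_hits(ident))
```

On a live Windows host the same blob is what `Get-CimInstance -Namespace root\wmi -ClassName MSSMBios_RawSMBiosTables | Select-Object -ExpandProperty SMBiosData` returns; feeding that byte array to `system_identity` shows exactly what this function can learn about the machine.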
                              APIs
                              • InflateRect.USER32(?,00000004,00000004), ref: 6C306AC3
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C306AD5
                              • UpdateWindow.USER32(?), ref: 6C306ADE
                              • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C306B1F
                              • DispatchMessageW.USER32(?), ref: 6C306B31
                              • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C306B41
                              • GetCapture.USER32 ref: 6C306B4B
                              • SetCapture.USER32(?), ref: 6C306B5C
                              • GetCapture.USER32 ref: 6C306B68
                              • GetWindowRect.USER32(?,?), ref: 6C306B90
                              • SetCursorPos.USER32(?,?), ref: 6C306BB7
                              • GetCapture.USER32 ref: 6C306BBD
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C306BD6
                              • DispatchMessageW.USER32(?), ref: 6C306C00
                              • ReleaseCapture.USER32 ref: 6C306C40
                              • IsWindow.USER32(?), ref: 6C306C49
                              • SendMessageW.USER32(8589084D,00000010,00000000,00000000), ref: 6C306C62
                              • SetTimer.USER32(?,0000EC05,00000000), ref: 6C30A71C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendTimerUpdate
                              • String ID: >:
                              • API String ID: 3094444671-3907246019
                              • Opcode ID: 4de9071ec9836793cae0c19be30bc946acedd0b7115d9fac6b456915ad46ceaf
                              • Instruction ID: 805077db50b49058ae21e9228e1d878b167647a26ae92fb1bf7c3b61bff36b74
                              • Opcode Fuzzy Hash: 4de9071ec9836793cae0c19be30bc946acedd0b7115d9fac6b456915ad46ceaf
                              • Instruction Fuzzy Hash: A9B19376B01219AFDF04EBA4D848AAE7BB9FF49318F140029FD05E7A84DB719844CF60
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2A2EDB
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2A2F30
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2A2F48
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2A2F60
                              • GetObjectW.GDI32(00000004,00000018,?), ref: 6C2A2F80
                              • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C2A2FA6
                              • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6C41DA40), ref: 6C2A2FC9
                              • CreatePatternBrush.GDI32(?), ref: 6C2A2FDB
                              • DeleteObject.GDI32(?), ref: 6C2A300A
                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C2A301B
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C2A3063
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C2A3089
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C2A30B1
                              • FillRect.USER32(?,?,?), ref: 6C2A3113
                                • Part of subcall function 6C2A4160: __EH_prolog3.LIBCMT ref: 6C2A4167
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C2A3141
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C2A315C
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C2A3173
                              • DeleteDC.GDI32(00000000), ref: 6C2A31E0
                              • DeleteDC.GDI32(00000000), ref: 6C2A31FC
                              • DeleteDC.GDI32(00000000), ref: 6C2A321B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
                              • String ID:
                              • API String ID: 308707564-0
                              • Opcode ID: 120431a8f406e4e283f5cb2df966a546bda97749e885b0aedaffba9597f00568
                              • Instruction ID: ef64d9765d98890480344a05bae83493e79e3e54ff44f1e17c206f97f96c89f5
                              • Opcode Fuzzy Hash: 120431a8f406e4e283f5cb2df966a546bda97749e885b0aedaffba9597f00568
                              • Instruction Fuzzy Hash: E4B1B2B2D0120CAFDF11AFE4CD84AEEBB79FF08359F204019F915A6650DB319906DB60
                              APIs
                              • curl_easy_setopt.LIBCURL(00ECE204,00000029,00000001,00000000,?), ref: 00E74A0E
                              • curl_easy_setopt.LIBCURL(00ECE204,00000040,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A1E
                              • curl_easy_setopt.LIBCURL(00ECE204,00000051,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A25
                              • curl_easy_setopt.LIBCURL(00ECE204,000000D5,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A32
                              • curl_easy_setopt.LIBCURL(00ECE204,000000D6,00000078,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A3C
                              • curl_easy_setopt.LIBCURL(00ECE204,000000D7,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A46
                              • curl_easy_setopt.LIBCURL(00ECE204,00000063,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A4D
                              • curl_easy_setopt.LIBCURL(00ECE204,0000000D,00000708,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A57
                              • curl_easy_setopt.LIBCURL(00ECE204,0000004E,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A5E
                              • curl_easy_setopt.LIBCURL(00ECE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00E74A6E
                              • curl_easy_setopt.LIBCURL(00ECE204,0000002B,00000000), ref: 00E74A75
                              • curl_easy_setopt.LIBCURL(00ECE204,00000034,00000001), ref: 00E74A7C
                              • curl_easy_setopt.LIBCURL(00ECE204,00002749), ref: 00E74A85
                              • curl_easy_setopt.LIBCURL(00ECE204,00004E58,00E75270), ref: 00E74A92
                              Strings
                              • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36, xrefs: 00E74A63
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: curl_easy_setopt
                              • String ID: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
                              • API String ID: 2879491745-4105674886
                              • Opcode ID: a9f9091e4e5e7ffbcdd2c36642c0903d6554726bcb7dbe67c999109c348c2e68
                              • Instruction ID: c30e4d33405a927b39fff56f0e895110e98d35fe168f8ef7a881b7e437fb1b43
                              • Opcode Fuzzy Hash: a9f9091e4e5e7ffbcdd2c36642c0903d6554726bcb7dbe67c999109c348c2e68
                              • Instruction Fuzzy Hash: 6511D3617C2BA875F53232665C4BFCF2A0C9FE2F55F064011FB083D5C19AC9664289EA
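The second argument of each curl_easy_setopt call above is a CURLOPT_* number from curl.h, and its range encodes the argument type (0 to 9999 long, 10000 to 19999 pointer, 20000 to 29999 function pointer). Decoded, the sequence sets CURLOPT_SSL_VERIFYPEER (0x40 = 64) and CURLOPT_SSL_VERIFYHOST (0x51 = 81) to 0, so if this handle is used for HTTPS the server certificate is neither validated nor matched against the hostname; the remaining calls enable verbose output, TCP keepalive with a 120 s idle and 60 s interval, a 1800 s transfer timeout and 60 s connect timeout, a Chrome 58 User-Agent, redirect following, and a progress callback at 00E75270 with CURLOPT_NOPROGRESS cleared. The Python below is an added example, not code from the sample or from Joe Sandbox: it parses the trace lines exactly as printed above (embedded as sample input), decodes the option numbers from the relevant subset of curl.h, and flags the settings that weaken transport security or mark the traffic. Everything past the third argument on those lines is stack residue captured by the tracer, not a curl parameter, and the decoder ignores it.

```python
"""Decode curl_easy_setopt calls recovered from a sandbox API trace.

Added example for this report; the CURLOPT_* constants are the relevant
subset of curl.h, and the trace lines are copied from the report itself.
"""
import re
from typing import List, Optional, Tuple

# curl.h encodes the argument type in the option number's range.
CURLOPTTYPE_OBJECTPOINT = 10000
CURLOPTTYPE_FUNCTIONPOINT = 20000
CURLOPTTYPE_OFF_T = 30000

# CURLOPT_* values (curl.h) for the options seen in this trace.
CURLOPT_NAMES = {
    13: "CURLOPT_TIMEOUT",
    41: "CURLOPT_VERBOSE",
    43: "CURLOPT_NOPROGRESS",
    52: "CURLOPT_FOLLOWLOCATION",
    64: "CURLOPT_SSL_VERIFYPEER",
    78: "CURLOPT_CONNECTTIMEOUT",
    81: "CURLOPT_SSL_VERIFYHOST",
    99: "CURLOPT_NOSIGNAL",
    213: "CURLOPT_TCP_KEEPALIVE",
    214: "CURLOPT_TCP_KEEPIDLE",
    215: "CURLOPT_TCP_KEEPINTVL",
    10018: "CURLOPT_USERAGENT",
    10057: "CURLOPT_PROGRESSDATA",
    20056: "CURLOPT_PROGRESSFUNCTION",
}

# Sample input: the 14 trace lines from the report, as Joe Sandbox printed them.
TRACE = r"""
curl_easy_setopt.LIBCURL(00ECE204,00000029,00000001,00000000,?), ref: 00E74A0E
curl_easy_setopt.LIBCURL(00ECE204,00000040,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A1E
curl_easy_setopt.LIBCURL(00ECE204,00000051,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A25
curl_easy_setopt.LIBCURL(00ECE204,000000D5,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A32
curl_easy_setopt.LIBCURL(00ECE204,000000D6,00000078,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A3C
curl_easy_setopt.LIBCURL(00ECE204,000000D7,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A46
curl_easy_setopt.LIBCURL(00ECE204,00000063,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A4D
curl_easy_setopt.LIBCURL(00ECE204,0000000D,00000708,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A57
curl_easy_setopt.LIBCURL(00ECE204,0000004E,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A5E
curl_easy_setopt.LIBCURL(00ECE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00E74A6E
curl_easy_setopt.LIBCURL(00ECE204,0000002B,00000000), ref: 00E74A75
curl_easy_setopt.LIBCURL(00ECE204,00000034,00000001), ref: 00E74A7C
curl_easy_setopt.LIBCURL(00ECE204,00002749), ref: 00E74A85
curl_easy_setopt.LIBCURL(00ECE204,00004E58,00E75270), ref: 00E74A92
"""

CALL_RE = re.compile(r"curl_easy_setopt\.LIBCURL\((.*)\), ref: [0-9A-Fa-f]+")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

Call = Tuple[str, str, Optional[object]]   # (option name, argument class, value)


def option_class(opt: int) -> str:
    """Argument class implied by the option number's range (curl.h)."""
    if opt >= CURLOPTTYPE_OFF_T:
        return "OFF_T"
    if opt >= CURLOPTTYPE_FUNCTIONPOINT:
        return "FUNCTIONPOINT"
    if opt >= CURLOPTTYPE_OBJECTPOINT:
        return "OBJECTPOINT"
    return "LONG"


def parse_trace(trace: str) -> List[Call]:
    """Decode each traced call to (name, class, value), ignoring stack residue."""
    calls: List[Call] = []
    for line in trace.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        parts = m.group(1).split(",", 2)            # handle, option, rest
        if len(parts) < 2:
            continue
        opt = int(parts[1], 16)
        cls = option_class(opt)
        name = CURLOPT_NAMES.get(opt, f"CURLOPT_{opt}")
        value: Optional[object] = None
        if len(parts) == 3:
            field = parts[2].split(",", 1)[0]
            if HEX8.match(field):
                value = int(field, 16)                # long or raw pointer
            elif cls == "OBJECTPOINT" and field != "?":
                value = parts[2]                      # resolved string literal, may contain commas
        calls.append((name, cls, value))
    return calls


def audit(calls: List[Call]) -> List[str]:
    """Flag settings that weaken TLS or disguise the client."""
    settings = {name: value for name, _cls, value in calls}
    findings = []
    if settings.get("CURLOPT_SSL_VERIFYPEER") == 0:
        findings.append("peer certificate not verified (CURLOPT_SSL_VERIFYPEER=0)")
    if settings.get("CURLOPT_SSL_VERIFYHOST") == 0:
        findings.append("certificate hostname not checked (CURLOPT_SSL_VERIFYHOST=0)")
    ua = settings.get("CURLOPT_USERAGENT")
    if isinstance(ua, str) and "Chrome/" in ua:
        findings.append(f"browser User-Agent impersonation: {ua}")
    if settings.get("CURLOPT_FOLLOWLOCATION") == 1:
        findings.append("redirects followed (CURLOPT_FOLLOWLOCATION=1): final endpoint may differ from the requested URL")
    return findings


if __name__ == "__main__":
    decoded = parse_trace(TRACE)
    for name, cls, value in decoded:
        print(f"{name:26s} {cls:14s} {value!r}")
    for finding in audit(decoded):
        print("!", finding)
```

The same decoder works on any Joe Sandbox curl_easy_setopt listing; extend CURLOPT_NAMES from curl.h as new option numbers show up, and treat any handle with both verify options at 0 as a client that will accept an interception proxy's certificate.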
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Getcvt
                              • String ID: .,$false$true
                              • API String ID: 1921796781-276263365
                              • Opcode ID: 40f5ba29aaf786078af5d049676d15f2bbdbfda52b06d0897a679fd2a7c7f199
                              • Instruction ID: 512274f825bbba193fa9a9d15018f56f8293cb4e9358cc8dc4edc25d7ecf9869
                              • Opcode Fuzzy Hash: 40f5ba29aaf786078af5d049676d15f2bbdbfda52b06d0897a679fd2a7c7f199
                              • Instruction Fuzzy Hash: 6F71F231A042458FCB14DF64D885BAABFF5EF84314F1491AEE8497B382DB76A905CB90
                              APIs
                              • GetKeyState.USER32(00000001), ref: 6C2C4AC9
                              • GetCursorPos.USER32(?), ref: 6C2C4AEE
                              • ScreenToClient.USER32(?,?), ref: 6C2C4AFB
                              • GetCapture.USER32 ref: 6C2C4B6D
                              • ClientToScreen.USER32(?,?), ref: 6C2C4BB0
                              • WindowFromPoint.USER32(?,?), ref: 6C2C4BBC
                              • IsChild.USER32(?,?), ref: 6C2C4BD4
                              • KillTimer.USER32(?,0000EC0A), ref: 6C2C4C14
                              • KillTimer.USER32(?,0000EC09), ref: 6C2C4C3D
                                • Part of subcall function 6C2AED80: GetForegroundWindow.USER32 ref: 6C2AED8D
                                • Part of subcall function 6C2AED80: GetLastActivePopup.USER32(?), ref: 6C2AED9E
                              • GetParent.USER32(?), ref: 6C2C4C94
                              • IsAppThemed.UXTHEME ref: 6C2C4CEE
                              • OpenThemeData.UXTHEME(?,REBAR), ref: 6C2C4D00
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
                              • String ID: REBAR
                              • API String ID: 214255902-925029515
                              • Opcode ID: 8551d53cf0ce594320a67b552d95e865128d777a9d7bcf1d8231d83928930a8c
                              • Instruction ID: 8822e5e203d0c08dbc4ad35ee578707ddab3054bc2d9890a294e51480ddbbc32
                              • Opcode Fuzzy Hash: 8551d53cf0ce594320a67b552d95e865128d777a9d7bcf1d8231d83928930a8c
                              • Instruction Fuzzy Hash: 2161A231B0061E9FDB45EFA4C894ABE7BB5BF49719B100669EC11E7AA0DB30D901CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: 63dce55cf8febf89b2fbfe15a066df2874d5167aaae1b8e208c4a5d1eed79344
                              • Instruction ID: c72bb60fa7bc8ba6e02249c9352b1e9e4879b3907d508c5d28092592cc9c79dd
                              • Opcode Fuzzy Hash: 63dce55cf8febf89b2fbfe15a066df2874d5167aaae1b8e208c4a5d1eed79344
                              • Instruction Fuzzy Hash: 2FB1A0B1904305AFDF20EF65C881BEEB7F5BF49304F24506AF499BB282D775A8418B60
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2A2C26
                              • GetSysColor.USER32(00000014), ref: 6C2A2C5D
                                • Part of subcall function 6C2A3367: __EH_prolog3.LIBCMT ref: 6C2A336E
                                • Part of subcall function 6C2A3367: CreateSolidBrush.GDI32(6C2AF82B), ref: 6C2A3389
                              • GetSysColor.USER32(00000010), ref: 6C2A2C72
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2A2C86
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2A2C9E
                              • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6C2A2CC1
                              • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C2A2CE2
                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C2A2D03
                                • Part of subcall function 6C2A3D86: SelectObject.GDI32(6C2AF82B,?), ref: 6C2A3D8F
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C2A2D4B
                                • Part of subcall function 6C2A3696: SetBkColor.GDI32(?,6C2AF82B), ref: 6C2A36AB
                                • Part of subcall function 6C2A3696: SetBkColor.GDI32(?,6C2AF82B), ref: 6C2A36BD
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C2A2D74
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C2A2D9E
                              • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C2A2E09
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C2A2E32
                              • DeleteDC.GDI32(00000000), ref: 6C2A2EA7
                              • DeleteDC.GDI32(00000000), ref: 6C2A2EC6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
                              • String ID:
                              • API String ID: 2254850417-0
                              • Opcode ID: 8bcd8d1c173754a854b366122e26da5acf0249b0b41deaa80d03e5abda720aa1
                              • Instruction ID: f027dcb24db47ebcc01acc4f8f982f9685253d9e219d37c24a09e9cd204c6731
                              • Opcode Fuzzy Hash: 8bcd8d1c173754a854b366122e26da5acf0249b0b41deaa80d03e5abda720aa1
                              • Instruction Fuzzy Hash: C581D6B190020DAFDF02EFE0CD45AEEBB79FF18714F504018F915A66A0DB719A56DB60
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2DEE55
                              • GetClientRect.USER32(?,?), ref: 6C2DEE73
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C2DEEAC
                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C2DEF01
                              • CreateDIBSection.GDI32(?,?), ref: 6C2DEF73
                              • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C2DEFAC
                              • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C2DEFDF
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C2DF047
                              • GetWindowRect.USER32(?,?), ref: 6C2DF0B6
                              • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C2DF206
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
                              • String ID: (
                              • API String ID: 2918208214-3887548279
                              • Opcode ID: 585cb2db257f295a7e43acfba2af9cd62e89f72f7323639783fba51b35be5186
                              • Instruction ID: dbbdf79e1402a4c277d6cd3285ac30a514a9fbf9bd0f9c8cc6104fa0950760b6
                              • Opcode Fuzzy Hash: 585cb2db257f295a7e43acfba2af9cd62e89f72f7323639783fba51b35be5186
                              • Instruction Fuzzy Hash: 67D12775A0061AEFDF15DFA8C984AEEBBB9FF08304F114129E919A7610DB30AD45CF94
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C32CED5
                                • Part of subcall function 6C31E380: __EH_prolog3.LIBCMT ref: 6C31E387
                              • GetWindowRect.USER32(?,?), ref: 6C32CFBB
                                • Part of subcall function 6C2BBCF3: GetDlgCtrlID.USER32(?), ref: 6C2BBCFE
                                • Part of subcall function 6C32EBDB: GetWindowRect.USER32(?,?), ref: 6C32EBE9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3RectWindow$Ctrl
                              • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                              • API String ID: 2598721110-2628993547
                              • Opcode ID: b5f05289a33a43a1390e972effd7713983069727876aafdff71559ff6eac9324
                              • Instruction ID: d5b07e2f314114f47d7af2469a1f2488225d1f5630790583d9036f66b4862bda
                              • Opcode Fuzzy Hash: b5f05289a33a43a1390e972effd7713983069727876aafdff71559ff6eac9324
                              • Instruction Fuzzy Hash: E5814B35A002599FCF05EFA4C894DFDB772BF89314F190468E916AB7A1DB35A805CF50
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 00EB15D2
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB093E
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0950
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0962
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0974
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0986
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0998
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB09AA
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB09BC
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB09CE
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB09E0
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB09F2
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0A04
                                • Part of subcall function 00EB0921: _free.LIBCMT ref: 00EB0A16
                              • _free.LIBCMT ref: 00EB15C7
                                • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                              • _free.LIBCMT ref: 00EB15E9
                              • _free.LIBCMT ref: 00EB15FE
                              • _free.LIBCMT ref: 00EB1609
                              • _free.LIBCMT ref: 00EB162B
                              • _free.LIBCMT ref: 00EB163E
                              • _free.LIBCMT ref: 00EB164C
                              • _free.LIBCMT ref: 00EB1657
                              • _free.LIBCMT ref: 00EB168F
                              • _free.LIBCMT ref: 00EB1696
                              • _free.LIBCMT ref: 00EB16B3
                              • _free.LIBCMT ref: 00EB16CB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 9ba95d1e0ae81825e495d903fdb2ec0b8660e14e1a8aab3a39e0bc8f8ac6cac9
                              • Instruction ID: 24ba95862dc314f54b7a95ce399ba4b67fc74a41cca42c1dd4d8e06b438a741a
                              • Opcode Fuzzy Hash: 9ba95d1e0ae81825e495d903fdb2ec0b8660e14e1a8aab3a39e0bc8f8ac6cac9
                              • Instruction Fuzzy Hash: 8B3190315043049FEB20AA39DC46B9773EAAF453A4F55A8AAE489FB155DF30FC808B10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                              • String ID: >:
                              • API String ID: 2135910768-3907246019
                              • Opcode ID: fb49badcf4c9da9aa628879f2c92116e24e0009ded6ebed1dd95cc1c7c283aa9
                              • Instruction ID: 3305ed005cbcafc955db24dfcb5fe5e5f56688219580f0102ce6b16cb24a0414
                              • Opcode Fuzzy Hash: fb49badcf4c9da9aa628879f2c92116e24e0009ded6ebed1dd95cc1c7c283aa9
                              • Instruction Fuzzy Hash: E371BF71B0421E9FCF58EF64C888AAEB775FF49305F155625EC05B7A40CB34A9418BA2
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C32CCD8
                                • Part of subcall function 6C31E380: __EH_prolog3.LIBCMT ref: 6C31E387
                                • Part of subcall function 6C2BBCF3: GetDlgCtrlID.USER32(?), ref: 6C2BBCFE
                                • Part of subcall function 6C32A024: __EH_prolog3.LIBCMT ref: 6C32A02B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3$Ctrl
                              • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                              • API String ID: 3879667756-2628993547
                              • Opcode ID: 70f3938766f79220870108b4e96bcc09446ac8cbc6d41132a31740f01c0c0d40
                              • Instruction ID: f44a0562a1456adb03748c7c0edeb5488d1de590419c964ec2d134a4a834e7f6
                              • Opcode Fuzzy Hash: 70f3938766f79220870108b4e96bcc09446ac8cbc6d41132a31740f01c0c0d40
                              • Instruction Fuzzy Hash: 29519F35A0026DAFCF04DF64C894DEDBB76BF49318B140459E816AB381DB35AD15CF91
                              APIs
                              • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C2C4E5F
                              • GetWindowRect.USER32(?,?), ref: 6C2C4E7E
                              • SetRect.USER32(?,?,00000000,?,?), ref: 6C2C4EBD
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C2C4ECC
                              • SetRect.USER32(?,?,00000000,?,?), ref: 6C2C4EE4
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C2C4EF3
                              • SetRect.USER32(?,00000000,?,?,?), ref: 6C2C4F1B
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C2C4F2A
                              • SetRect.USER32(?,00000000,?,00000001,?), ref: 6C2C4F41
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C2C4F50
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Invalidate$Window$Proc
                              • String ID: >:
                              • API String ID: 570070710-3907246019
                              • Opcode ID: b49cbb9305b1b3ab7a7ad4747d8c4843c8f54e9467c44a2903c9f13c1eaef308
                              • Instruction ID: ddbc9a7405d63369330f88ba34617dc7760bd11f4b6e4f4b44626710720a044d
                              • Opcode Fuzzy Hash: b49cbb9305b1b3ab7a7ad4747d8c4843c8f54e9467c44a2903c9f13c1eaef308
                              • Instruction Fuzzy Hash: 04412F72A0020AAFDF11EFA4CD89FAFBBB9FB09704F600519F645E2590D771A944CB61
                              APIs
                              • _free.LIBCMT ref: 00EA6DE4
                                • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                              • _free.LIBCMT ref: 00EA6DF0
                              • _free.LIBCMT ref: 00EA6DFB
                              • _free.LIBCMT ref: 00EA6E06
                              • _free.LIBCMT ref: 00EA6E11
                              • _free.LIBCMT ref: 00EA6E1C
                              • _free.LIBCMT ref: 00EA6E27
                              • _free.LIBCMT ref: 00EA6E32
                              • _free.LIBCMT ref: 00EA6E3D
                              • _free.LIBCMT ref: 00EA6E4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID: pI
                              • API String ID: 776569668-2917132990
                              • Opcode ID: c92667fb1d3a64faed6592687b118d4d266c10c6511b8e6ad400792d62aa6c78
                              • Instruction ID: 48d2d9fadec532d1785e56ab985e356d1769a8cd8deb1e1561a46d641a9607e3
                              • Opcode Fuzzy Hash: c92667fb1d3a64faed6592687b118d4d266c10c6511b8e6ad400792d62aa6c78
                              • Instruction Fuzzy Hash: 2F11BC76108108BFCB41FF54CD42CDA3BB6EF49390B029056F9885F122E631EE50DB40
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 80f85619a6bf63b7e376390f0f974080ecbb2f5811ba60d2e2b3bbf60824d1e4
                              • Instruction ID: 449f163da502de50f70301b5ceb7d1e61f22d13d20fd9fa0c8249e75c3cb054a
                              • Opcode Fuzzy Hash: 80f85619a6bf63b7e376390f0f974080ecbb2f5811ba60d2e2b3bbf60824d1e4
                              • Instruction Fuzzy Hash: 3AC151B2E44208ABDB20DBA8CC42FEF77F8AB4D710F145565FA45FB282D670B9448760
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 6C2E6CC9
                              • GetSystemMetrics.USER32(0000004D), ref: 6C2E6CD4
                              • GetSystemMetrics.USER32(0000004E), ref: 6C2E6CDF
                              • GetSystemMetrics.USER32(0000004F), ref: 6C2E6CED
                              • IntersectRect.USER32(?,?,?), ref: 6C2E6D46
                              • IntersectRect.USER32(?,?,?), ref: 6C2E6DA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MetricsSystem$IntersectRect
                              • String ID: "$(r.l$(r.l$>:
                              • API String ID: 1124862357-1657472191
                              • Opcode ID: ded93286609101915226b8b948976286999135fe14e4cf5439fb2436c6ea9690
                              • Instruction ID: 3f11c6c421f47fede39c407bddcaac8de81e6686fd35d345e3278310f8d806ac
                              • Opcode Fuzzy Hash: ded93286609101915226b8b948976286999135fe14e4cf5439fb2436c6ea9690
                              • Instruction Fuzzy Hash: 7F61C276A01209DFCF45DFA8C5C4A9EBBF5FF09304B50815AE905EB20AEB31E944CB50
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C356FFA
                              • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6C357011
                                • Part of subcall function 6C356F50: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C356FC7
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C357091
                              • SelectObject.GDI32(?,00000018), ref: 6C3570A4
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C3570C2
                              • SelectObject.GDI32(?,?), ref: 6C3570D7
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C3570F6
                              • SelectObject.GDI32(?,00000000), ref: 6C357104
                              • SelectObject.GDI32(?,00000000), ref: 6C35710E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Select$Create$Compatible$H_prolog3Section
                              • String ID:
                              • API String ID: 2431383920-3916222277
                              • Opcode ID: d04dda93de6184dc82d87ecc01960a127995e6c6aead76ef546d2d80f62e5afa
                              • Instruction ID: e23eb510bc9e429fac7b9a5ce72890c3236449207f6d38a5467387d5d3e973f9
                              • Opcode Fuzzy Hash: d04dda93de6184dc82d87ecc01960a127995e6c6aead76ef546d2d80f62e5afa
                              • Instruction Fuzzy Hash: 19416172E10119AFDB11DFE4CC44EEEBB79FF46318F508129E911A6650DB728916CBA0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2DE8B2
                              • GetClientRect.USER32(?,?), ref: 6C2DE8D0
                              • SetRectEmpty.USER32(?), ref: 6C2DE924
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DE96F
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DE9F8
                              • GetWindowRect.USER32(?,?), ref: 6C2DEA1D
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C2DEA49
                              • OffsetRect.USER32(?,00000000,00000000), ref: 6C2DEAF7
                              • InflateRect.USER32(?,00000000,00000000), ref: 6C2DEB55
                              • IsRectEmpty.USER32(?), ref: 6C2DEC53
                              • IsRectEmpty.USER32(?), ref: 6C2DEDE3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$EmptyWindow$Points$ClientH_prolog3_InflateOffset
                              • String ID:
                              • API String ID: 302641110-0
                              • Opcode ID: e42a4483f88610cb747815cf8deccfd42d0002940badf23f6d4e4985762a5e35
                              • Instruction ID: c2e7c95649ac5d010473f1b6360f46e26482e15630b3fcfe16287f2117d97900
                              • Opcode Fuzzy Hash: e42a4483f88610cb747815cf8deccfd42d0002940badf23f6d4e4985762a5e35
                              • Instruction Fuzzy Hash: F5128D31A0161EDFDF05DFA4C848AEEBBB2FF49315F150129EC16AB684DB71A905CB90
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 00E9B9C4
                              • GetLastError.KERNEL32 ref: 00E9B9D1
                              • __dosmaperr.LIBCMT ref: 00E9B9D8
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 00E9BA04
                              • GetLastError.KERNEL32 ref: 00E9BA0E
                              • __dosmaperr.LIBCMT ref: 00E9BA15
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 00E9BA58
                              • GetLastError.KERNEL32 ref: 00E9BA62
                              • __dosmaperr.LIBCMT ref: 00E9BA69
                              • _free.LIBCMT ref: 00E9BA75
                              • _free.LIBCMT ref: 00E9BA7C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              • Opcode ID: 599ef6351e8a1925b66f351f4d3c83e47acc0e2d1b723f1d2a198433bf3a4eb3
                              • Instruction ID: 90042f03cee6012d642a86c1fda8b4d1bae7347614ad6f98ff8132cd00e810d6
                              • Opcode Fuzzy Hash: 599ef6351e8a1925b66f351f4d3c83e47acc0e2d1b723f1d2a198433bf3a4eb3
                              • Instruction Fuzzy Hash: 3A31B87280420AFFDF11AFA5ED85DAF7BA8EF45368F10522AF91076161EB318D10D761
                              APIs
                              • WriteConsoleA.KERNEL32(?,?,?,00000000,00000000), ref: 00E4E793
                              • GetConsoleScreenBufferInfo.KERNEL32(?,?,?,?,?), ref: 00E4E8BC
                              • SetConsoleTextAttribute.KERNEL32(?,?), ref: 00E4E8D6
                              • WriteConsoleA.KERNEL32(?,?,?,00000000,00000000), ref: 00E4E8F7
                              • SetConsoleTextAttribute.KERNEL32(?,?), ref: 00E4E903
                              • WriteConsoleA.KERNEL32(?,?,00000000,00000000,00000000), ref: 00E4E935
                              • __Mtx_unlock.LIBCPMT ref: 00E4E995
                              • __Mtx_unlock.LIBCPMT ref: 00E4EABC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Console$Write$AttributeMtx_unlockText$BufferInfoScreen
                              • String ID: list<T> too long
                              • API String ID: 1661840912-4027344264
                              • Opcode ID: 9476b448cab186563bae6953c975a51355ac69fcc7b8213c96a4fb8232a4a9b7
                              • Instruction ID: 4bed61358f8b6350fb8279704c01a82180027d1e227082bad29f9452b0dab383
                              • Opcode Fuzzy Hash: 9476b448cab186563bae6953c975a51355ac69fcc7b8213c96a4fb8232a4a9b7
                              • Instruction Fuzzy Hash: 69C18F71A00218AFDB14DF68DC49B9AB7F5FF48304F1481A9E909AB391D775AE44CF90
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2E8F27
                              • GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 6C2E8F7D
                              • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6C2E9047
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Theme$ColorCurrentH_prolog3_Name
                              • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
                              • API String ID: 2781885202-2881773410
                              • Opcode ID: 1756100716a4431cb7c27655059dec41abda12649b8e66edd8353db92f68c86b
                              • Instruction ID: ac6755a651b5daab0f1c7c3cff58bcfe3f71e550e1e348b861d27798ada748df
                              • Opcode Fuzzy Hash: 1756100716a4431cb7c27655059dec41abda12649b8e66edd8353db92f68c86b
                              • Instruction Fuzzy Hash: B851E97180022DAADB20DB62CC44FDB7779AF04354F4405E6F818B2680DF729BE9CEA5
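                               The function entries above all follow one shape: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines (some marked "Part of subcall function ADDR:"), a "Memory Dump Source" block whose "Offset:" gives the image base the refs belong to (00E30000 for the main image, 6C270000 for the second module in process 4), and a "Similarity" block with the API ID and API String ID. The following Python is an added example, not part of the Joe Sandbox report and not a Joe Sandbox API: it parses that text into a per-function summary, separates direct calls from subcall-reached calls, decodes the literal GetSystemMetrics indices seen in the entry at 6C2E6CC9 (0x4C..0x4F are the virtual-screen metrics), and sanity-checks that every ref lies at or above the dump's image base. The regexes are assumptions about the rendered format, and the `SAMPLE` text is constructed from two of the entries on this page.

```python
"""Summarise Joe Sandbox function entries (added example; format assumed from this page)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Bullet call line: 'Name.MODULE(args), ref: ADDR', optionally 'Part of subcall function ADDR:' first.
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-F]{8})")
APIID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>.*)$")
APISTR_RE = re.compile(r"^\s*•\s*API String ID:\s*(?P<id>\d+-\d+)")
# GetSystemMetrics indices 0x4C..0x4F are the virtual-screen metrics (multi-monitor desktop size).
SM_NAMES = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
            0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int
    subcall: Optional[str] = None  # callee address when listed as 'Part of subcall function'


@dataclass
class Entry:
    calls: list = field(default_factory=list)
    base: Optional[int] = None     # image base from 'Offset:' (00E30000 is the main image here)
    api_id: str = ""
    api_string_id: str = ""

    def direct(self):
        return [c for c in self.calls if c.subcall is None]


def parse_entries(text):
    """Split the report text at each 'APIs' header and collect calls and metadata per function."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := CALL_RE.match(line):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif m := OFFSET_RE.search(line):
            cur.base = int(m["base"], 16)
        elif m := APIID_RE.match(line):
            cur.api_id = m["id"].strip()
        elif m := APISTR_RE.match(line):
            cur.api_string_id = m["id"]
    return entries


def summarize(entry):
    """Image base, lowest direct ref, direct API names and (callee, API) pairs reached via subcalls."""
    direct = entry.direct()
    return {
        "base": f"{entry.base:08X}" if entry.base is not None else None,
        "near": f"{min(c.ref for c in direct):08X}" if direct else None,
        "api_id": entry.api_id,
        "direct": [c.name for c in direct],
        "subcalls": sorted({(c.subcall, c.name) for c in entry.calls if c.subcall}),
    }


def refs_inside_image(entry):
    """Sanity check: every ref should sit at or above the dump's image base."""
    return entry.base is not None and all(c.ref >= entry.base for c in entry.calls)


def system_metrics(entry):
    """Decode literal GetSystemMetrics indices; '?' (unresolved) arguments are skipped."""
    return [SM_NAMES.get(int(c.args[0], 16), f"SM_{int(c.args[0], 16)}")
            for c in entry.direct()
            if c.name == "GetSystemMetrics" and c.args and c.args[0] != "?"]


# Constructed sample: two entries copied in shape from the report above (trimmed).
SAMPLE = """\
APIs
• GetSystemMetrics.USER32(0000004C), ref: 6C2E6CC9
• GetSystemMetrics.USER32(0000004D), ref: 6C2E6CD4
• IntersectRect.USER32(?,?,?), ref: 6C2E6D46
Memory Dump Source
• Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
Similarity
• API ID: MetricsSystem$IntersectRect
• API String ID: 1124862357-1657472191
APIs
• _free.LIBCMT ref: 00EA6DE4
  • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?), ref: 00EA7A05
  • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?), ref: 00EA7A17
• _free.LIBCMT ref: 00EA6DF0
Memory Dump Source
• Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-2917132990
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(summarize(e), system_metrics(e), refs_inside_image(e))
```

Feeding the whole function listing of a report through `parse_entries` and keying on `base` separates the sample's own code (00E30000) from library code mapped alongside it, which is the first cut a triager wants before reading individual functions; the `subcalls` field makes it obvious that the many `_free` wrappers reach `HeapFree`/`GetLastError` only through 00EA79EF.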
                              APIs
                                • Part of subcall function 6C2C583D: __EH_prolog3_catch.LIBCMT ref: 6C2C5844
                              • GetModuleHandleW.KERNEL32(comctl32.dll,6C31C9ED,?,00000000,?,?,6C2CC8E4,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C8A1
                              • GetUserDefaultUILanguage.KERNEL32(?,?,6C2CC8E4,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C8B1
                              • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6C2CC8E4,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C8EF
                              • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6C2CC8E4,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C90E
                              • LoadResource.KERNEL32(00000000,00000000,?,?,6C2CC8E4,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C91A
                                • Part of subcall function 6C31CA2B: GetDC.USER32(00000000), ref: 6C31CA7E
                                • Part of subcall function 6C31CA2B: EnumFontFamiliesExW.GDI32(00000000,?,6C31CA15,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C31CA99
                                • Part of subcall function 6C31CA2B: ReleaseDC.USER32(00000000,00000000), ref: 6C31CAA1
                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6C2CB741,?,?), ref: 6C31C94A
                              • GlobalFree.KERNEL32(00000001), ref: 6C31C9C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
                              • String ID: MS UI Gothic$comctl32.dll
                              • API String ID: 1488066090-3248924666
                              • Opcode ID: 595aca2c2655095553473d51391a0872ee8207fb3db65948cdfb10a330935f67
                              • Instruction ID: 2984d9224358bc633116e46b5b6f133194f4a7e75d11251f872d1c3d6b41899d
                              • Opcode Fuzzy Hash: 595aca2c2655095553473d51391a0872ee8207fb3db65948cdfb10a330935f67
                              • Instruction Fuzzy Hash: 8941E171205605AFE708BA64DC49FBA37ACDF46B18F104139FC56DBE80DB31D840CA62
                              APIs
                              • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00E907B5
                                • Part of subcall function 00E90A84: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00E904E8), ref: 00E90A94
                              • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00E907CA
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E907D9
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E907E7
                              • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00E9085D
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E9089D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E908AB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                              • String ID: pContext$switchState
                              • API String ID: 3151764488-2660820399
                              • Opcode ID: 0fe42dbcbee130469c721f86d529f32e93c5a7d3b67d3d5bd29770974bec3128
                              • Instruction ID: f566117e3e559bf69fc90f66e1b4348ca4736d38f16cf9f3f61d3015bbdf9762
                              • Opcode Fuzzy Hash: 0fe42dbcbee130469c721f86d529f32e93c5a7d3b67d3d5bd29770974bec3128
                              • Instruction Fuzzy Hash: 1C31B035A00314AFCF18EF64C881AAE73B5AF54324F60546AE925B7342DB70ED02CA90
                              APIs
                              • ScreenToClient.USER32(?,?), ref: 6C2DA98E
                              • GetParent.USER32(?), ref: 6C2DA99E
                              • GetClientRect.USER32(?,?), ref: 6C2DA9E2
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DA9F4
                              • PtInRect.USER32(?,?,?), ref: 6C2DAA04
                              • GetClientRect.USER32(?,?), ref: 6C2DAA31
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DAA43
                              • PtInRect.USER32(?,?,?), ref: 6C2DAA53
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$ParentScreen
                              • String ID: >:
                              • API String ID: 1944725958-3907246019
                              • Opcode ID: 7f3d2216eda77c9901719068fd60fdf1bdcb81a81a9e1d654afce85e280fb415
                              • Instruction ID: 65bc834e97b3602d9329955050ef3f78c19c1b3f9dee8fce5b91a60d51d0db08
                              • Opcode Fuzzy Hash: 7f3d2216eda77c9901719068fd60fdf1bdcb81a81a9e1d654afce85e280fb415
                              • Instruction Fuzzy Hash: BE316C36A0051AEBCF02EFA8C944CAE7BB9FF49704B154269FD46E7650DB31EE048B51
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                              • EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • DecodePointer.KERNEL32(00000000), ref: 6C2AAAB1
                              • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C2AAAD9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                              • String ID: >:$SetDefaultDllDirectories$\$kernel32.dll
                              • API String ID: 2101061299-1730080400
                              • Opcode ID: 65b7cce83f2061b101cace010b419c9d2d249f957292ebfb0290f48d70e56d8b
                              • Instruction ID: 4f92005839c68f60f5c1a696c31c03a96966c337398d8ae199b32f6dae17433c
                              • Opcode Fuzzy Hash: 65b7cce83f2061b101cace010b419c9d2d249f957292ebfb0290f48d70e56d8b
                              • Instruction Fuzzy Hash: B321A471A4111DE7DB10EAA68D48FDB7BFCAF19358F540865FC15D2900E730C54ACEA1
                              APIs
                              • GetStockObject.GDI32(00000011), ref: 6C2CCDD6
                              • GetStockObject.GDI32(0000000D), ref: 6C2CCDE2
                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C2CCDF3
                              • GetDC.USER32(00000000), ref: 6C2CCE02
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C2CCE19
                              • MulDiv.KERNEL32(?,00000048,00000000), ref: 6C2CCE25
                              • ReleaseDC.USER32(00000000,00000000), ref: 6C2CCE31
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Stock$CapsDeviceRelease
                              • String ID: >:$System
                              • API String ID: 46613423-1472989878
                              • Opcode ID: 5e3c4b33d190fc7b23768876b64d106b8fa90e04b5d06ca24db720ccf07edeb9
                              • Instruction ID: 516b2863950bc69471370aea8ac2f335e499f66ca2681d267602c199f3ac26cd
                              • Opcode Fuzzy Hash: 5e3c4b33d190fc7b23768876b64d106b8fa90e04b5d06ca24db720ccf07edeb9
                              • Instruction Fuzzy Hash: 6B116D75700318ABEB04FA658C49BAE7BB9AB4AB49F504119B906DB280DB71D800C661
                              APIs
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00E85707
                              • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00E85711
                              • DuplicateHandle.KERNEL32(00000000), ref: 00E85718
                              • SafeRWList.LIBCONCRT ref: 00E85737
                                • Part of subcall function 00E83706: __EH_prolog3.LIBCMT ref: 00E8370D
                                • Part of subcall function 00E83706: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00E83717
                                • Part of subcall function 00E83706: List.LIBCMT ref: 00E83721
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E85749
                              • GetLastError.KERNEL32 ref: 00E85758
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E8576E
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8577C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8H_prolog3HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                              • String ID: eventObject
                              • API String ID: 3870774015-1680012138
                              • Opcode ID: 8895b1f1132905815e9848b4cf78b2fc7ee290b0cd3798b4c382c783628a4e2b
                              • Instruction ID: 52b9e6350c0254f3068288a18851b6b895aa6295208ad4394967868d0d5587ec
                              • Opcode Fuzzy Hash: 8895b1f1132905815e9848b4cf78b2fc7ee290b0cd3798b4c382c783628a4e2b
                              • Instruction Fuzzy Hash: E2117072500205EBCB14FBA4DD59FAF77ACAB00315F209526F51DF11A1DF709A058760
                              APIs
                                • Part of subcall function 6C2AB928: __EH_prolog3_catch.LIBCMT ref: 6C2AB92F
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6C3528E4
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6C352919
                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6C352944
                              • LoadIconW.USER32(?,00000000), ref: 6C352979
                              • LoadIconW.USER32(00000000,00007F00), ref: 6C35298C
                              • GetClassLongW.USER32(?,000000F2), ref: 6C3529BB
                              • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6C352A44
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6C352A06
                                • Part of subcall function 6C2F162E: __EH_prolog3_catch.LIBCMT ref: 6C2F1638
                                • Part of subcall function 6C2F162E: CloseHandle.KERNEL32(00000000,?,00000000,00000080,6C353131,?,00000000,?,?,00000000), ref: 6C2F1673
                                • Part of subcall function 6C2F162E: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6C353131,?,00000000,?,?,00000000), ref: 6C2F1694
                                • Part of subcall function 6C2F162E: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C2F16E9
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C352AFB
                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C352B15
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$H_prolog3_catchIconLoad$ClassCloseCreateFileHandleLongPathTemp
                              • String ID:
                              • API String ID: 2083023585-0
                              • Opcode ID: 7ce05c3b897ba115338d279ff785457297a39fa370c66a2c34edb2e0b6dccde9
                              • Instruction ID: e78fddaadda2133522dfdc44c062187f978e06303a291113abafc6184482a58c
                              • Opcode Fuzzy Hash: 7ce05c3b897ba115338d279ff785457297a39fa370c66a2c34edb2e0b6dccde9
                              • Instruction Fuzzy Hash: DF71AF35701614AFDB25AF14CC88FAA3B75EF49725F14007AED19AB791CB71A810CFA0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C324CBE
                              • GetObjectW.GDI32(?,00000018,?), ref: 6C324CE3
                              • GetObjectW.GDI32(?,00000054,?), ref: 6C324D28
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C324E14
                              • SelectObject.GDI32(?,?), ref: 6C324E36
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C324E95
                              • GetPixel.GDI32(?,?,00000000), ref: 6C324EA7
                              • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6C324EB6
                              • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C324EC8
                              • SelectObject.GDI32(?,00000000), ref: 6C324F16
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                              • String ID:
                              • API String ID: 1266819874-0
                              • Opcode ID: 3a4c1dd0d05b465656f0e890ff71125ba9c6726eb870e2eed762037d551e3e76
                              • Instruction ID: b81ca428c959d184aeccc75129720888b746fccdda77d3953fee6cd448eeb160
                              • Opcode Fuzzy Hash: 3a4c1dd0d05b465656f0e890ff71125ba9c6726eb870e2eed762037d551e3e76
                              • Instruction Fuzzy Hash: 95813775E002289BDF21DFA9C884A9DBBB5FF89308F2581A9E858E7701DB319D45CF50
                              APIs
                              • SHGetDesktopFolder.SHELL32(?), ref: 00E62036
                              • LoadLibraryW.KERNEL32(shell32.dll), ref: 00E620B2
                              • GetProcAddress.KERNEL32(00000000,SHOpenFolderAndSelectItems), ref: 00E620C4
                              • FreeLibrary.KERNEL32(00000000), ref: 00E620E1
                              • FreeLibrary.KERNEL32(00000000), ref: 00E620FA
                              • SHOpenWithDialog.SHELL32(00000000,?), ref: 00E621FF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Library$Free$AddressDesktopDialogFolderLoadOpenProcWith
                              • String ID: SHOpenFolderAndSelectItems$shell32.dll
                              • API String ID: 3033948749-666694915
                              • Opcode ID: 2db91eda664e730113e138fabb9c98994c1404f5bdb90f16e6c9669509cf573a
                              • Instruction ID: bfbae0e34c9066a0fbd9fe95ba6e167cc3a37903dbfe96d3fe669d43053399ca
                              • Opcode Fuzzy Hash: 2db91eda664e730113e138fabb9c98994c1404f5bdb90f16e6c9669509cf573a
                              • Instruction Fuzzy Hash: DEC1DEB0A41708ABDF21DF64DC48B9ABBF4AF14754F149198FA09BB291D774DE41CB80
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,00EB6AE2,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00EB68B5
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00EB6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00EB6938
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000010,00000001,00000000,j,?,00EB6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00EB69CB
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00EB6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00EB69E2
                                • Part of subcall function 00EA7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000010,?,00EB6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00EB6A5E
                              • __freea.LIBCMT ref: 00EB6A89
                              • __freea.LIBCMT ref: 00EB6A95
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                              • String ID: j
                              • API String ID: 2829977744-1273469241
                              • Opcode ID: 02422f223177f685c3a8d64e715253e5ad4e815b84a5b223a7acf57f1d287299
                              • Instruction ID: 7499473aad6573aa9b512013d3d4a54882121dd05a4b97e00812638bde19f44a
                              • Opcode Fuzzy Hash: 02422f223177f685c3a8d64e715253e5ad4e815b84a5b223a7acf57f1d287299
                              • Instruction Fuzzy Hash: 0D91D472E002169EDF249FA5CC81AEFBBA5AF09714F18A569E804F7191D739DC40CBA0
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C3E2AA7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C3E2AAF
                              • _ValidateLocalCookies.LIBCMT ref: 6C3E2B38
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C3E2B63
                              • _ValidateLocalCookies.LIBCMT ref: 6C3E2BB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: '>l$>:$csm
                              • API String ID: 1170836740-1157191292
                              • Opcode ID: 00f59371fc84011bd05d93cef2daf12add976052205017bee189e28feadc241f
                              • Instruction ID: c9f2e4407b145c99b8e7b86e4a7121dc98b77a759b9b0cf424bf4d08ddbca864
                              • Opcode Fuzzy Hash: 00f59371fc84011bd05d93cef2daf12add976052205017bee189e28feadc241f
                              • Instruction Fuzzy Hash: FA41A130A0122B9BCF00EF68C888ADE7BB5AF4931CF108556D8249B751DB339A06CF91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$ActiveFocus$MessageSend
                              • String ID: u
                              • API String ID: 1556911595-4067256894
                              • Opcode ID: b8f371612d48a8a56847e9769208730b9de9f6892682a8e0c8827c96df16c6f6
                              • Instruction ID: 6188ec6daa0f312d747af41e453082c0c9757796cf7b77f21bcfaf3f4186ba76
                              • Opcode Fuzzy Hash: b8f371612d48a8a56847e9769208730b9de9f6892682a8e0c8827c96df16c6f6
                              • Instruction Fuzzy Hash: 1611D03A211A0DABEB117BB4C848AAA3B6CEF4A70AB204524FD11A5955C774C423D7D0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5734687ea4ed89b8f930fe546b6733fb1b41da7d08d52821a949f1e029d120b9
                              • Instruction ID: b10a7eb42179f96e82d499144e63b1abb823a047df8805db384d192abebe0442
                              • Opcode Fuzzy Hash: 5734687ea4ed89b8f930fe546b6733fb1b41da7d08d52821a949f1e029d120b9
                              • Instruction Fuzzy Hash: 73C10275A042499FCF15DFA8C991BAEBBB1BF0E304F146186E454BF292CB34AD44CB60
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                              • String ID:
                              • API String ID: 1282221369-0
                              • Opcode ID: fdd63ef11f4acfdd2fb946a6dea01c6aaad99efd9243c6c5a4c691a307b5f25d
                              • Instruction ID: e0a66c56d0c83623db92dc3930aeb0886eb8433ecd1d082d097a36bbfaaa1959
                              • Opcode Fuzzy Hash: fdd63ef11f4acfdd2fb946a6dea01c6aaad99efd9243c6c5a4c691a307b5f25d
                              • Instruction Fuzzy Hash: 6B617972D05305AFDF28AF78DC81AEF7BE49F06324F00516EF944BB2A2D631A9048B50
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                              • String ID:
                              • API String ID: 3943753294-0
                              • Opcode ID: df0609627642758403b6a3b137ba4b8b49b22e2aca52ed609b01a9e0b4bdad10
                              • Instruction ID: 7e7500ccff322a42d02c505866e1498d850868f423612cf52b8ee8388b431b75
                              • Opcode Fuzzy Hash: df0609627642758403b6a3b137ba4b8b49b22e2aca52ed609b01a9e0b4bdad10
                              • Instruction Fuzzy Hash: 53515D71900105CFCF10DF64D9899AE77B0EF44315B28E179E81ABB191EB71ED85CB62
                              APIs
                              • FillRect.USER32(?,?,00000000), ref: 6C2E8CEB
                              • GetParent.USER32(?), ref: 6C2E8D0C
                              • GetWindowRect.USER32(?,?), ref: 6C2E8D29
                              • GetClientRect.USER32(?,?), ref: 6C2E8DCC
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2E8DDE
                              • DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 6C2E8E06
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
                              • String ID: >:
                              • API String ID: 2136005349-3907246019
                              • Opcode ID: d0d086161c584fd557a1533d89d17b5d6d0e740e00a852f86abae8afd547ea5d
                              • Instruction ID: 83401f57ecd8d758ca1a546169eb1024c479f82cba76208e52e6c2d0f5c3009f
                              • Opcode Fuzzy Hash: d0d086161c584fd557a1533d89d17b5d6d0e740e00a852f86abae8afd547ea5d
                              • Instruction Fuzzy Hash: 0F41057AA0061ADFCB01DFA9C8449EE7BB4FF5D315B54426AFC45A7610EB30E941CBA0
                              APIs
                              • GetNativeSystemInfo.KERNEL32(?,C1427766), ref: 00E62420
                              • Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 00E6243A
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00E624E6
                              • GetLastError.KERNEL32 ref: 00E624EC
                              • CoTaskMemFree.OLE32(00000000), ref: 00E624FA
                              • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00E62509
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Wow64$Redirection$DisableErrorExecuteFreeInfoLastNativeRevertShellSystemTask
                              • String ID: <
                              • API String ID: 2498432326-4251816714
                              • Opcode ID: 8a956175e9d792d784bdb2d7d0b4286e958d9e18a92870ecea88bcad84aae6bd
                              • Instruction ID: 4277f88631efe16dd7c494a4ef5056c9365318446ed8064dfbf064a644344de5
                              • Opcode Fuzzy Hash: 8a956175e9d792d784bdb2d7d0b4286e958d9e18a92870ecea88bcad84aae6bd
                              • Instruction Fuzzy Hash: B0511A75900609CFCB10CF69D988A9EBBF5FF08314F20926EE515AB261EB35D945CF90
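The record above is the one an analyst would triage first: Wow64DisableWow64FsRedirection is called before ShellExecuteExW and reverted after it, which is the pattern a 32-bit process uses to launch something from the native System32 directory rather than SysWOW64. The following is an added example, not Joe Sandbox code or part of the sample: a small parser for the bulleted "APIs" records in this report, run over the six lines of this record (copied verbatim as the constructed input), that flags the disable/execute combination and lists which calls sit inside the redirection-disabled window. The rule labels are this example's own naming, and ordering calls by their xref address is an assumption that holds for straight-line code but not across branches.

```python
"""Parse Joe Sandbox "APIs" records (the bulleted call lists above) and flag
suspicious call combinations inside a single function."""
import re

# Constructed sample input: the six API lines of the ShellExecuteExW record
# above (image base 00E30000), copied verbatim from the report.
SAMPLE_RECORD = """\
• GetNativeSystemInfo.KERNEL32(?,C1427766), ref: 00E62420
• Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 00E6243A
• ShellExecuteExW.SHELL32(0000003C), ref: 00E624E6
• GetLastError.KERNEL32 ref: 00E624EC
• CoTaskMemFree.OLE32(00000000), ref: 00E624FA
• Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00E62509
"""

# One bullet line: "<Name>.<MODULE>(<args>), ref: <hex>"; the argument list is
# optional (compare the GetLastError line), and names may carry C++ scope
# operators as in Concurrency::details::ExternalContextBase::~ExternalContextBase.
API_LINE = re.compile(
    r"^•\s*(?P<name>[A-Za-z0-9_:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Rule labels are this example's own naming, not Joe Sandbox signature names.
RULES = [
    ("exec-with-wow64-redirection-disabled",
     {"Wow64DisableWow64FsRedirection", "ShellExecuteExW"}),
]


def parse_api_record(text):
    """Return the calls of one record as dicts: name, module, args, ref."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue  # headers such as "Strings" or "Memory Dump Source"
        args = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def flag_record(calls):
    """Labels of RULES whose API set is fully present in the record, plus a
    finding when redirection is disabled but never restored."""
    names = {c["name"] for c in calls}
    hits = [label for label, required in RULES if required <= names]
    if ("Wow64DisableWow64FsRedirection" in names
            and "Wow64RevertWow64FsRedirection" not in names):
        hits.append("wow64-redirection-never-restored")
    return hits


def calls_between(calls, start, end):
    """Names of calls whose ref address lies strictly between the first `start`
    and the first `end` site. Assumption: within one function the xref
    addresses approximate straight-line order; branches can reorder them."""
    first = {}
    for c in calls:
        first.setdefault(c["name"], c["ref"])
    if start not in first or end not in first:
        return []
    lo, hi = first[start], first[end]
    return [c["name"] for c in calls if lo < c["ref"] < hi]


if __name__ == "__main__":
    record = parse_api_record(SAMPLE_RECORD)
    print(flag_record(record))
    print(calls_between(record, "Wow64DisableWow64FsRedirection",
                        "Wow64RevertWow64FsRedirection"))
```

Feed it any other "APIs" block from this report by pasting the bullet lines into SAMPLE_RECORD; records with no bullets (only "Strings" and "Memory Dump Source" headers) parse to an empty list and raise no finding.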
                              APIs
                              • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00E94F18
                              • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00E94F31
                              • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00E94F38
                              • PMDtoOffset.LIBCMT ref: 00E94F57
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FindInstanceTargetType$Offset
                              • String ID: Bad dynamic_cast!
                              • API String ID: 1467055271-2956939130
                              • Opcode ID: 8a97ffc3f5710899296752257f76718cd24584d7e0bdb807075ff820f8c2fde6
                              • Instruction ID: f01ce461f4dae7c7c6f5e9e1f145a37c727f2c607470266407a0bcacd75d0693
                              • Opcode Fuzzy Hash: 8a97ffc3f5710899296752257f76718cd24584d7e0bdb807075ff820f8c2fde6
                              • Instruction Fuzzy Hash: 2021C3B2A00305AFDF14DF64D906EAE77B5FB44725F24A65AF911B72C0D731E9028A90
                              APIs
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32EFFA
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32F010
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32F01B
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32F026
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32F031
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C32F03C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ContextExternal$BaseBase::~Concurrency::details::
                              • String ID: >:
                              • API String ID: 1690591649-3907246019
                              • Opcode ID: f87adddd6212083149731e24528dbba1e6f06dec9138415706fc8845bf60b5a4
                              • Instruction ID: 9e2922435194d2c2e0ccbfe80371d956e2b6670f7878b07c599ed3ea15d65414
                              • Opcode Fuzzy Hash: f87adddd6212083149731e24528dbba1e6f06dec9138415706fc8845bf60b5a4
                              • Instruction Fuzzy Hash: A2215072304945ABCB08DF74C8A0BEEF76AFB54218F80462DD41A57B80DF25691ACED6
                              APIs
                              • GetSystemMetrics.USER32(00000031), ref: 6C2BEE1F
                              • GetSystemMetrics.USER32(00000032), ref: 6C2BEE2D
                              • SetRectEmpty.USER32(?), ref: 6C2BEE40
                              • EnumDisplayMonitors.USER32(00000000,00000000,6C2BF5E9,?,?,?), ref: 6C2BEE50
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C2BEE5F
                              • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C2BEE8C
                              • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C2BEEA0
                              • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C2BEEC6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                              • String ID:
                              • API String ID: 2614369430-0
                              • Opcode ID: db831ab61d7427c8e5e5abd5dd5e7b60e9bd36bdb41bdafb1aa3db516cf8816a
                              • Instruction ID: 0fa8c1f5d1bb267e8c472f2c95480d989c261a553a38fdbe0bba59670f7a1f82
                              • Opcode Fuzzy Hash: db831ab61d7427c8e5e5abd5dd5e7b60e9bd36bdb41bdafb1aa3db516cf8816a
                              • Instruction Fuzzy Hash: 02215CB1301616BFE705AF718C88AE3BBBCFF0A396F504529F959D6140D7B0A854CBA0
                              APIs
                              • _strrchr.LIBCMT ref: 00E3203A
                              • _strrchr.LIBCMT ref: 00E3204D
                              • SetTimer.USER32(FFFFFFFF,000007C5,000003E8,00000000), ref: 00E3231B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr$Timer
                              • String ID: OnWMHandle$WM_INSTALLOK$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp
                              • API String ID: 951948468-3093241845
                              • Opcode ID: 29d8f547a41652cf3277b98408c8886f9b63d21644ba69e7611cc09554f6c1e2
                              • Instruction ID: 09e6e669313d1507693974b4ad4f934f1616961b8951ed88126c49e07f210d98
                              • Opcode Fuzzy Hash: 29d8f547a41652cf3277b98408c8886f9b63d21644ba69e7611cc09554f6c1e2
                              • Instruction Fuzzy Hash: 9AB1D030B002449FDB04DBA8CD89B6EBBB1AF84700F14916CE655BB3D2E775A945CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 5d7438fbd7f54712eb55e3fe6b87be7d75a724e5fa93088b2f74dcf96688e92e
                              • Instruction ID: 780f9b79132f9593569065cef8e97ca1b35641f0091259f00a5873107d981589
                              • Opcode Fuzzy Hash: 5d7438fbd7f54712eb55e3fe6b87be7d75a724e5fa93088b2f74dcf96688e92e
                              • Instruction Fuzzy Hash: FE61A171A04245EFDB20DFA4CC42BEBBBF5EB49720F1451AAE944FB251D730AD819B90
                              APIs
                              • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00EA78B7,?,?,?,?,?,?), ref: 00EA7184
                              • __fassign.LIBCMT ref: 00EA71FF
                              • __fassign.LIBCMT ref: 00EA721A
                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00EA7240
                              • WriteFile.KERNEL32(?,?,00000000,00EA78B7,00000000,?,?,?,?,?,?,?,?,?,00EA78B7,?), ref: 00EA725F
                              • WriteFile.KERNEL32(?,?,00000001,00EA78B7,00000000,?,?,?,?,?,?,?,?,?,00EA78B7,?), ref: 00EA7298
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: a2db1fda99584915c41b0ff91409bbdc0671202d5671c35628e1dcc5852cb2f4
                              • Instruction ID: 8e7b2f86ff028dc793a70d02d2c3006a6166da787216e0d9fc8df8ba19724e5a
                              • Opcode Fuzzy Hash: a2db1fda99584915c41b0ff91409bbdc0671202d5671c35628e1dcc5852cb2f4
                              • Instruction Fuzzy Hash: 7E5183B19042499FDB10CFA8DC85BEEBBF9EF0A300F14511AF995FB261D630A945CB64
                              APIs
                              • CertGetNameStringW.CRYPT32(?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E62982
                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E62998
                              • CertGetNameStringW.CRYPT32(C1427766,00000004,00000001,00000000,00000000,00000000,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E629B7
                              • LocalFree.KERNEL32(00000000,00000000,-00000002,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E629ED
                              • CertGetNameStringW.CRYPT32(C1427766,00000003,00000000,00000000,00000000,00000000,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E629FF
                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E62A11
                              • CertGetNameStringW.CRYPT32(C1427766,00000003,00000000,00000000,00000000,C1427766,?,00000004,00000001,00000000,00000000,00000000,C1427766), ref: 00E62A2B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CertNameString$Local$Alloc$Free
                              • String ID:
                              • API String ID: 1148605495-0
                              • Opcode ID: f9fd271b3bb742bb5d147c9d86ea0d410a887d6e391c84489f73961d070ecd62
                              • Instruction ID: 81d3b2b71e7b34a51b1baf6905b54c624056305a33aa2736a4b78f77ecb01c0f
                              • Opcode Fuzzy Hash: f9fd271b3bb742bb5d147c9d86ea0d410a887d6e391c84489f73961d070ecd62
                              • Instruction Fuzzy Hash: 1E41E571A40315AFDB24DFA5DC55FABBAB8EF48B54F108119FA05FB290D7B09901CBA0
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 00E947FB
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00E94803
                              • _ValidateLocalCookies.LIBCMT ref: 00E94891
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00E948BC
                              • _ValidateLocalCookies.LIBCMT ref: 00E94911
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 035e3f326dd38ecbd6c989c6a5074aa611e9304d577c4a75850eec6ec4c6f931
                              • Instruction ID: 87fc37a42831358ce93767a6fa72bbfae5ed1d3ead8e062efd1da50ee123d409
                              • Opcode Fuzzy Hash: 035e3f326dd38ecbd6c989c6a5074aa611e9304d577c4a75850eec6ec4c6f931
                              • Instruction Fuzzy Hash: E541C674E002489BCF24DF69C880E9EBBF5AF45318F149166F815BB391D7329D56CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorScreen$Rect
                              • String ID: >:
                              • API String ID: 1082406499-3907246019
                              • Opcode ID: 1bde4237f3626dfaef6e917251d3f64a1352cf4f94685af2cb35d0a6b3b05047
                              • Instruction ID: 32a6afb0b0effe3d78e313464751e12b60c075edda653bcdfc1ccbf7d4d0caf1
                              • Opcode Fuzzy Hash: 1bde4237f3626dfaef6e917251d3f64a1352cf4f94685af2cb35d0a6b3b05047
                              • Instruction Fuzzy Hash: E8316D35B0021EDFCF05EFB4C884AAEB7B5FF59309F11012AE815A7640DB34A955CBA1
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C2DCEC2
                              • GetClientRect.USER32(?,?), ref: 6C2DCEEE
                              • PtInRect.USER32(?,?,?), ref: 6C2DCF06
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C2DCF2F
                              • SendMessageW.USER32(?,00000200,?,?), ref: 6C2DCF4E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientCursorMessagePointsSendWindow
                              • String ID: >:
                              • API String ID: 1257894355-3907246019
                              • Opcode ID: 561a82ed994e9a70e1c6d14ba027c8e6785089e39d9c28c0ae2d9675319003f3
                              • Instruction ID: 56ab696fb7bec5ed66416bad83b81737ec95c74d750a69dfd206ce35278bdf19
                              • Opcode Fuzzy Hash: 561a82ed994e9a70e1c6d14ba027c8e6785089e39d9c28c0ae2d9675319003f3
                              • Instruction Fuzzy Hash: 20317E71A0020EAFDF15EF64C8408EEBBB5FF14754F21422AFD2992550EB31E914CBA0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2A0DFC
                              • GetClassNameW.USER32(?,?,000000FF), ref: 6C2A0E56
                              • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C2A0EE7
                              • GetStockObject.GDI32(00000005), ref: 6C2A0EF8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClassH_prolog3_NameObjectStockThemed
                              • String ID: Button$Static
                              • API String ID: 2434646892-2498952662
                              • Opcode ID: 8b24d67fdbadfb37543d6cf3693afc08aa181bc85b795b872d7435231489512d
                              • Instruction ID: 06ed97ecd60d461b61e72da2582169b085b4b7000a898252cd658d5be5b92a4b
                              • Opcode Fuzzy Hash: 8b24d67fdbadfb37543d6cf3693afc08aa181bc85b795b872d7435231489512d
                              • Instruction Fuzzy Hash: 1C31E83594025EDBCB14DF94CA58FDA7374AF14319F10419DED1AA7A80DB30AD86CB51
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 965b4f6d64987053c993f8af733a8bdbea4f4bca17a75310ad4e9d74e4a9faca
                              • Instruction ID: 0b374142f5f7ed183f6de38ce660732850b32db33ed2bc0194544d7e7f96c237
                              • Opcode Fuzzy Hash: 965b4f6d64987053c993f8af733a8bdbea4f4bca17a75310ad4e9d74e4a9faca
                              • Instruction Fuzzy Hash: 5311B7B2905115BFDF212FB6AC05DEB7BACEB86764B10662AF812F6251DA358800D670
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C2BAE88
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C2BAEB4
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C2BAEE0
                              • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C2BAEF2
                              • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C2BAF01
                                • Part of subcall function 6C2BA71A: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C2BA72B
                                • Part of subcall function 6C2BA71A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C2BA73B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseCreate$AddressHandleModuleOpenProc
                              • String ID: software
                              • API String ID: 550756860-2010147023
                              • Opcode ID: 2ee7416fa492a8800749c098b1a99ca4aed2fdec6ae2aabcc6b1fc05431e103d
                              • Instruction ID: fac99354712f0762cf516915c4e3fc8a69dba19a4e4b984a187a06f2349a8c6f
                              • Opcode Fuzzy Hash: 2ee7416fa492a8800749c098b1a99ca4aed2fdec6ae2aabcc6b1fc05431e103d
                              • Instruction Fuzzy Hash: D9213772A0511AFBEF01DBA4C844EAF7BBEEB45B4DF504069BD11E2600D7309A41DAA4
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C320F58
                                • Part of subcall function 6C321042: __EH_prolog3.LIBCMT ref: 6C321049
                                • Part of subcall function 6C321042: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C32109C
                                • Part of subcall function 6C321042: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C3210B2
                              • CopyRect.USER32(?,?), ref: 6C320F8D
                              • GetCursorPos.USER32(?), ref: 6C320F9F
                              • SetRect.USER32(?,?,?,?,?), ref: 6C320FB2
                              • IsRectEmpty.USER32(?), ref: 6C320FCD
                              • InflateRect.USER32(?,00000002,00000002), ref: 6C320FDF
                              • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6C321027
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                              • String ID:
                              • API String ID: 1837043813-0
                              • Opcode ID: e1dc3e6b9f6489d8756ec10df43e810e5e7b940b497622c2650bd8587a6db9bb
                              • Instruction ID: bc5104b44eb977ef297751af0cddb2438d142cfd1726d0db66a99f3a51c08423
                              • Opcode Fuzzy Hash: e1dc3e6b9f6489d8756ec10df43e810e5e7b940b497622c2650bd8587a6db9bb
                              • Instruction Fuzzy Hash: CC314F75A01259ABDF01EFE4C958DEEBBB9FF49348B500005E805AB744DB39D909CFA1
                              APIs
                              • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C2E6F73
                              • DispatchMessageW.USER32(?), ref: 6C2E6F85
                              • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C2E6F93
                              • SetRectEmpty.USER32(?), ref: 6C2E6FBB
                              • GetDesktopWindow.USER32 ref: 6C2E6FD3
                              • LockWindowUpdate.USER32(?,00000000), ref: 6C2E6FE4
                              • GetDCEx.USER32(?,00000000,00000003), ref: 6C2E6FFB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                              • String ID:
                              • API String ID: 1192691108-0
                              • Opcode ID: d5fc46c048f12ce2f7028e99abb67a947ed7411f7158cd02a8cae059c214cae8
                              • Instruction ID: 37b4f87a389941d6a839b007a06141275188466189fda6a67d0f3a9354dbc2e5
                              • Opcode Fuzzy Hash: d5fc46c048f12ce2f7028e99abb67a947ed7411f7158cd02a8cae059c214cae8
                              • Instruction Fuzzy Hash: 14212E71A0060AAFDB11AFBAC888A97BFBCFF09255B80452AF615D6541DB34E411CBA0
                              APIs
                                • Part of subcall function 00EB1060: _free.LIBCMT ref: 00EB1089
                              • _free.LIBCMT ref: 00EB1367
                                • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                              • _free.LIBCMT ref: 00EB1372
                              • _free.LIBCMT ref: 00EB137D
                              • _free.LIBCMT ref: 00EB13D1
                              • _free.LIBCMT ref: 00EB13DC
                              • _free.LIBCMT ref: 00EB13E7
                              • _free.LIBCMT ref: 00EB13F2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 1b949273ff0dbac6fc567f52d423280c6276c866aa5a098b7bd2d37697f8ca35
                              • Instruction ID: 1fdf498ab1363f885143805800927d813c3f5098ff262c42aecb285528ef5d55
                              • Opcode Fuzzy Hash: 1b949273ff0dbac6fc567f52d423280c6276c866aa5a098b7bd2d37697f8ca35
                              • Instruction Fuzzy Hash: 7111BE31580B48AAD630FBB0CC07FCB77DDAF45390F805856B29ABA056DA64B9409661
                              APIs
                              • GetModuleHandleW.KERNEL32(Advapi32.dll,EE3AED3E,?,?,?,Function_0019C030,000000FF), ref: 6C2C6E41
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6C2C6E51
                                • Part of subcall function 6C2BB7FC: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C2BB80F
                                • Part of subcall function 6C2BB7FC: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C2BB81F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: >:$Advapi32.dll$RegDeleteKeyExW
                              • API String ID: 1646373207-1630852162
                              • Opcode ID: 5ad7c91f77faf2ed25af4c2daf6aad931535cda5de95a92404cda4e337f4e03c
                              • Instruction ID: 71655aa757fa1c76f4ff3cf205a6b69cb1247a0bce82bfa4242d9db9e4ae55ef
                              • Opcode Fuzzy Hash: 5ad7c91f77faf2ed25af4c2daf6aad931535cda5de95a92404cda4e337f4e03c
                              • Instruction Fuzzy Hash: 3A116075B05159AFDF02EB15C844F9ABB75FB0A768F004627FC15E2A50C731A810CBA1
                              APIs
                              • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E4C3
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E4C9
                              • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E4F6
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E500
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E512
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E528
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E536
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                              • String ID:
                              • API String ID: 4227777306-0
                              • Opcode ID: 9bf5898355bf1206a51ad7d82d8c9fa297a2759a4594419f22338ad2e1fcaf79
                              • Instruction ID: 1dee5dfd94827a3941b921c1d7e7e1343ce6439a73c9126cbb3e1d8e5fe1c733
                              • Opcode Fuzzy Hash: 9bf5898355bf1206a51ad7d82d8c9fa297a2759a4594419f22338ad2e1fcaf79
                              • Instruction Fuzzy Hash: 6801D439600109ABCB10BB65EC09AEF37AC9F45358F109165F11AF1261FB20E9048661
                              APIs
                              • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C2C6A7E
                              • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C2C6A8E
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C6A97
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C6AA9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                              • String ID: TaskDialogIndirect$comctl32.dll
                              • API String ID: 2061474489-2809879075
                              • Opcode ID: 429aacc6947ffdd40db4159a9918468790499fd2ec84c749ec5b2eeea2fdf55f
                              • Instruction ID: 9b82ad1121276cbef9d89f45d65976d5886966ebbfb82cdadb428a36236af5eb
                              • Opcode Fuzzy Hash: 429aacc6947ffdd40db4159a9918468790499fd2ec84c749ec5b2eeea2fdf55f
                              • Instruction Fuzzy Hash: A2E048B1F822229F9F41FB799908D5637F5EF0B1973458951FC01E6600D734C80086A1
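                               The argument columns in the API lines above are raw hex. The registry block, for instance, calls RegOpenKeyExW with 80000001 (HKEY_CURRENT_USER) and 0002001F (KEY_READ|KEY_WRITE) on "software" and then RegCreateKeyExW twice, which is the shape of MFC's CWinApp::GetAppRegistryKey creating HKCU\Software\<company>\<app>; the GetProcAddress lookups of RegOpenKeyTransactedW, RegDeleteKeyExW and TaskDialogIndirect are the way MFC and ATL probe for exports that older Windows versions lack, so on their own they are not an evasion indicator. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses these listing lines, names the constants the Windows SDK headers define for the argument positions it knows about, and collects the dynamically resolved exports and the registry hives touched. It assumes only what the listings show (numeric arguments printed as 8 hex digits, strings printed verbatim); SAMPLE is constructed from lines copied above.

```python
"""Decode the argument columns of the Joe Sandbox 'APIs' listings above.
Added example, not part of the report; constants are standard Win32 values
(winreg.h, winuser.h); SAMPLE is copied from the listings on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "• Func.MODULE(arg,arg), ref: 6C2BAE88"; argument list optional; may be
# prefixed by "Part of subcall function XXXXXXXX:" for inlined callees.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[^\s(]+?)\.(?P<module>[A-Z][A-Z0-9]*)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Composite rights first, so 0x2001F reads as KEY_READ|KEY_WRITE rather than six bits.
REG_ACCESS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
              (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE")]
WINDOW_MESSAGES = {0x000F: "WM_PAINT", 0x0200: "WM_MOUSEMOVE"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list      # int for 8-hex-digit tokens, str otherwise ("?" = unknown to the tracer)
    ref: int        # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # A string argument that happens to be 8 hex characters is misread as a number here.
    args = [int(t, 16) if HEX8.fullmatch(t.strip()) else t.strip()
            for t in raw.split(",")] if raw else []
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))


def decode_flags(value: int, table) -> Optional[str]:
    """Name the set bits of a mask; table entries are tried in order, composites first."""
    names, covered = [], 0
    for mask, name in table:
        if value & mask == mask and mask & ~covered:
            names.append(name)
            covered |= mask
    if value & ~covered:
        names.append(f"0x{value & ~covered:X}")
    return "|".join(names) or None


# (function, argument index) -> decoder for that argument
DECODERS = {
    ("RegOpenKeyExW", 0): HKEY_ROOTS.get,
    ("RegOpenKeyExW", 3): lambda v: decode_flags(v, REG_ACCESS),
    ("RegCreateKeyExW", 0): HKEY_ROOTS.get,
    ("RegCreateKeyExW", 5): lambda v: decode_flags(v, REG_ACCESS),
    ("SendMessageW", 1): WINDOW_MESSAGES.get,
    ("GetMessageW", 2): WINDOW_MESSAGES.get,
}


def annotate(call: ApiCall) -> List[str]:
    out = []
    for i, tok in enumerate(call.args):
        dec = DECODERS.get((call.func, i))
        name = dec(tok) if dec and isinstance(tok, int) else None
        if name:
            out.append(f"arg{i}=0x{tok:X} ({name})")
    return out


def analyze(lines) -> dict:
    """Parse every API line; collect GetProcAddress targets and registry hives touched."""
    calls, imports, roots, module_hint = [], [], set(), None
    for call in filter(None, map(parse_api_line, lines)):
        calls.append(call)
        a = call.args
        if call.func in ("GetModuleHandleW", "LoadLibraryW") and a and isinstance(a[0], str) and a[0] != "?":
            module_hint = a[0]           # module most recently named before a GetProcAddress
        elif call.func == "GetProcAddress" and len(a) > 1 and isinstance(a[1], str) and a[1] != "?":
            imports.append((module_hint, a[1]))
        elif call.func in ("RegOpenKeyExW", "RegCreateKeyExW") and a and a[0] in HKEY_ROOTS:
            roots.add(HKEY_ROOTS[a[0]])
    return {"calls": calls, "dynamic_imports": imports, "registry_roots": roots}


# Constructed input: lines copied from the function listings above.
SAMPLE = """\
• RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C2BAE88
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C2BAEB4
  • Part of subcall function 6C2BA71A: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C2BA72B
  • Part of subcall function 6C2BA71A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C2BA73B
• GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C2C6A7E
• GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C2C6A8E
• SendMessageW.USER32(?,00000200,?,?), ref: 6C2DCF4E
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E528
"""

if __name__ == "__main__":
    for c in analyze(SAMPLE.splitlines())["calls"]:
        print(f"{c.ref:08X} {c.func}.{c.module}", *annotate(c))
```

                               Paste the API lines of any block from the report in place of SAMPLE. Arguments the tracer could not resolve stay as "?", and because the decoder tables only cover the positions listed in DECODERS, an argument without an annotation is simply one the script does not know, not one that is benign.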
                              APIs
                              • LoadCursorW.USER32(00000000,00007F00), ref: 6C2E0A53
                                • Part of subcall function 6C2A09A7: __EH_prolog3.LIBCMT ref: 6C2A09AE
                              • GetClientRect.USER32(?,?), ref: 6C2E0A95
                                • Part of subcall function 6C2A4071: ClientToScreen.USER32(?,6C2DDE60), ref: 6C2A4080
                                • Part of subcall function 6C2A4071: ClientToScreen.USER32(?,6C2DDE68), ref: 6C2A408D
                              • IsWindowVisible.USER32(?), ref: 6C2E0CCE
                              • SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C2E0CF1
                              • InvalidateRect.USER32(?,00000000,00000001,6C477B18,00000000,00000000,00000000,00000000,00000053), ref: 6C2E0D60
                              • UpdateWindow.USER32(?), ref: 6C2E0D69
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Client$RectScreenWindow$CursorH_prolog3InvalidateLoadTimerUpdateVisible
                              • String ID:
                              • API String ID: 3378768144-0
                              • Opcode ID: 38870f3d371ebfd81e5e45b5e6ac734b4507654fdeb2cbf7d276e3d77ab0996a
                              • Instruction ID: 0bdc44adc0f100c79fb60d0aa7bb22f2f6dd19405c6dc1b7bc01b6a59ef9cb13
                              • Opcode Fuzzy Hash: 38870f3d371ebfd81e5e45b5e6ac734b4507654fdeb2cbf7d276e3d77ab0996a
                              • Instruction Fuzzy Hash: 6DA16774A0124A9FDF04EF64C894BAD3BB1BF48319F140179EC09ABB95DF74A846DB50
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000001,7FFFFFFF,00000000,?,?,?,00EAD89C,00000001,00000001,?), ref: 00EAD6A5
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EAD89C,00000001,00000001,?,?,?,?), ref: 00EAD72B
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EAD825
                              • __freea.LIBCMT ref: 00EAD832
                                • Part of subcall function 00EA7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                              • __freea.LIBCMT ref: 00EAD83B
                              • __freea.LIBCMT ref: 00EAD860
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                              • String ID:
                              • API String ID: 1414292761-0
                              • Opcode ID: 56b970d8591956b2292fd86ec0deab4a5b6b0fee672180665888799d10dd17f8
                              • Instruction ID: 8557264efbeb6a321c8b68767430bbbd1ac8488e60ba4888e79679a723dbd749
                              • Opcode Fuzzy Hash: 56b970d8591956b2292fd86ec0deab4a5b6b0fee672180665888799d10dd17f8
                              • Instruction Fuzzy Hash: 5F51F372604216AFDB298F64CC41EBF77A9EF4A714F159629FC0AFA550EB34EC40C690
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID: list<T> too long
                              • API String ID: 0-4027344264
                              • Opcode ID: dedce37b443ff5db0b7337125b8f044e3311c5b66c126953b2508051ca6ee46c
                              • Instruction ID: f87188a02716597cb332b1e35aba2531647d6d50cda152056800a4943fdd8f57
                              • Opcode Fuzzy Hash: dedce37b443ff5db0b7337125b8f044e3311c5b66c126953b2508051ca6ee46c
                              • Instruction Fuzzy Hash: 65E1AD71A00348DFDB14DF59D995B5EBBF1EB88308F248459E805BF382C7B5A909CB91
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E3F7E9
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E3F80B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E3F82B
                              • __Getctype.LIBCPMT ref: 00E3F8C1
                              • std::_Facet_Register.LIBCPMT ref: 00E3F8E0
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E3F8F8
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 62c7c1a42810b55ceb1686037c36a82a34afd56087e178c344fde86c7b47e445
                              • Instruction ID: abed711669eec8eea6a7444aefe346fd96c2c7192542589d57e7620e2146e8b6
                              • Opcode Fuzzy Hash: 62c7c1a42810b55ceb1686037c36a82a34afd56087e178c344fde86c7b47e445
                              • Instruction Fuzzy Hash: 2D41BDB1D00348CFCB18DF58D885AAABBF4EF14714F14916DE809BB292EB31AD45CB91
                              APIs
                              • PtInRect.USER32(?,?,?), ref: 6C2E2E71
                              • ReleaseCapture.USER32 ref: 6C2E2E7F
                              • PtInRect.USER32(?,?,?), ref: 6C2E2ED4
                              • InvalidateRect.USER32(?,?,00000001,?,?,?,6C2E1FCF,00000000,00000000,00000000), ref: 6C2E2F3E
                              • SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C2E2F62
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$CaptureInvalidateReleaseTimer
                              • String ID:
                              • API String ID: 2903485716-0
                              • Opcode ID: 07b4cc39b2e16f52de44dbac2a7bab064c7aecf7246b7b5211702bca3c4dd9e5
                              • Instruction ID: 7037cf1da3959b7dd3c3a7a3fe2c00320d03bee30cdf06e4d859e152d8b92ba4
                              • Opcode Fuzzy Hash: 07b4cc39b2e16f52de44dbac2a7bab064c7aecf7246b7b5211702bca3c4dd9e5
                              • Instruction Fuzzy Hash: 40318D7170161BEFDF05AF20C848BAABB75FF4D316F404129FD2A92690D770A424DB91
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2BEEE4
                              • CreateRectRgnIndirect.GDI32(00000000), ref: 6C2BEF04
                                • Part of subcall function 6C2A3A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C2A3A5A
                                • Part of subcall function 6C2A3A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C2A3A70
                              • GetParent.USER32(00000000), ref: 6C2BEF24
                              • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C2BEF45
                              • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C2BEF79
                              • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C2BEFA5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
                              • String ID:
                              • API String ID: 935984306-0
                              • Opcode ID: 461626b8cecd7e1d10fb57636db7510e09d7b4eb868b897808fa8413d59dcefe
                              • Instruction ID: 2f11b7a5f81dcddfec453ea4809f5efb19494acf5dbf38963f8cdf37c6c7af1c
                              • Opcode Fuzzy Hash: 461626b8cecd7e1d10fb57636db7510e09d7b4eb868b897808fa8413d59dcefe
                              • Instruction Fuzzy Hash: AA312776A0020EAFCF01DFE0C985BEEBBB5BF08349F004058EA15AB661DB75D905CB90
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2C49DD
                                • Part of subcall function 6C2A3F98: __EH_prolog3.LIBCMT ref: 6C2A3F9F
                                • Part of subcall function 6C2A3F98: GetWindowDC.USER32(00000000,00000004,6C2BE53A,00000000), ref: 6C2A3FCB
                              • GetClientRect.USER32(?,?), ref: 6C2C49FF
                              • GetWindowRect.USER32(?,?), ref: 6C2C4A13
                                • Part of subcall function 6C2A40B0: ScreenToClient.USER32(?,6C2B9501), ref: 6C2A40BF
                                • Part of subcall function 6C2A40B0: ScreenToClient.USER32(?,6C2B9509), ref: 6C2A40CC
                              • OffsetRect.USER32(?,?,?), ref: 6C2C4A34
                                • Part of subcall function 6C2A3A7D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C2A3AB4
                                • Part of subcall function 6C2A3A7D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C2A3AD1
                              • OffsetRect.USER32(?,?,?), ref: 6C2C4A56
                                • Part of subcall function 6C2A3ADE: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C2A3B15
                                • Part of subcall function 6C2A3ADE: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C2A3B32
                              • SendMessageW.USER32(?,00000014,?,00000000), ref: 6C2C4A8E
                                • Part of subcall function 6C2A3FED: ReleaseDC.USER32(?,00000000), ref: 6C2A4021
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
                              • String ID:
                              • API String ID: 3860140383-0
                              • Opcode ID: 3fe3a456c1034eb7e7ca68736b4a73b455b4b8f11664d764795a5adb955b808f
                              • Instruction ID: 15cfa2340effd4022f47dbfc32b1bc5cdcd88833e6f8cbbe03534f32e999a17b
                              • Opcode Fuzzy Hash: 3fe3a456c1034eb7e7ca68736b4a73b455b4b8f11664d764795a5adb955b808f
                              • Instruction Fuzzy Hash: 9231C976A1012DAFCF05EBA4CC58DFEB779BF59305B140219F906E3650EB24AA49CB60
                              APIs
                              • GetLastError.KERNEL32(?,?,00E950AE,00E9284A,00E7993F,00000008,00E79C64,?,?,?,?,00E3EE17,?,?,C1427766), ref: 00E950C5
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E950D3
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E950EC
                              • SetLastError.KERNEL32(00000000,?,00E950AE,00E9284A,00E7993F,00000008,00E79C64,?,?,?,?,00E3EE17,?,?,C1427766), ref: 00E9513E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 27018b49103542c0678123c80ec32d04ee453fbd543e773a4fe1e01a846b7edf
                              • Instruction ID: 91e82c7bdb219cc2d4f0778c810793505038e3a5045de322d18f3079abd76700
                              • Opcode Fuzzy Hash: 27018b49103542c0678123c80ec32d04ee453fbd543e773a4fe1e01a846b7edf
                              • Instruction Fuzzy Hash: 3C01D83311AB115EAE2627767C85A5B3B84DB137B4720237FF610751F1EF214C4A5780
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: 7d01832e229ec98773d31fc01aa8287a492baee46adccfc24ce39ba50ab05981
                              • Instruction ID: 0c926d29c522f572f2d4751901eb81f0dafbeca3ad8b657f226bd59d39daa664
                              • Opcode Fuzzy Hash: 7d01832e229ec98773d31fc01aa8287a492baee46adccfc24ce39ba50ab05981
                              • Instruction Fuzzy Hash: 07F0F93E6486012FC6217739BC16A5F25958FDF7A4F292125F614BE1B2EE20A9014020
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,00000002,00000001,00000000,?,?,?,00E79E7F,00EDD518,00000000,811C9DC5,00E79E7F,00000006,?,00E4E21A,00000000), ref: 00E79EC4
                              • GetCurrentThread.KERNEL32 ref: 00E79ECB
                              • GetCurrentProcess.KERNEL32(00000000,?,?,?,00E79E7F,00EDD518,00000000,811C9DC5,00E79E7F,00000006,?,00E4E21A,00000000,00000001), ref: 00E79ED2
                              • DuplicateHandle.KERNEL32(00000000,?,?,?,00E79E7F,00EDD518,00000000,811C9DC5,00E79E7F,00000006,?,00E4E21A,00000000,00000001), ref: 00E79ED9
                              • CloseHandle.KERNEL32(00000000,?,?,?,00E79E7F,00EDD518,00000000,811C9DC5,00E79E7F,00000006,?,00E4E21A,00000000,00000001), ref: 00E79EE6
                              • GetCurrentThreadId.KERNEL32 ref: 00E79EF2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Current$HandleProcessThread$CloseDuplicate
                              • String ID:
                              • API String ID: 490430852-0
                              • Opcode ID: a7aadaf98c4ea10eaa5a1511a40c7400939747860992fa2af4890aefd291df34
                              • Instruction ID: 6afc5deff0501fd17b40de779a8ab0b3703581e79a479f493a163a9ae2b35611
                              • Opcode Fuzzy Hash: a7aadaf98c4ea10eaa5a1511a40c7400939747860992fa2af4890aefd291df34
                              • Instruction Fuzzy Hash: E6F0C071911205FFDB049BA6EC4DF5B7ABDEB04705F108564F202F2162D77495448B20
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID: L^
                              • API String ID: 0-79745055
                              • Opcode ID: fec966796fb47bd4174c807f24b9d18f8eff2867f7787ff548edc1f18bc017f7
                              • Instruction ID: d728b0afda9c93dc1f932a3d25aa0df9acd73049cc83795ea4d49b6bb3ef0681
                              • Opcode Fuzzy Hash: fec966796fb47bd4174c807f24b9d18f8eff2867f7787ff548edc1f18bc017f7
                              • Instruction Fuzzy Hash: B2412D72A00704BFDB249F7CDD01BAA7BEAEB84710F10952EF155FB681D371A9008780
                              APIs
                              • GetPrivateProfileStringW.KERNEL32(?,?,6C458060,?,00001000,?), ref: 6C2BAA51
                                • Part of subcall function 6C2BADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C2BA828,?,00000000), ref: 6C2BAE3E
                              • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,EE3AED3E,?,?,?,?,6C40C0C1,000000FF), ref: 6C2BA99F
                              • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6C40C0C1,000000FF), ref: 6C2BA9DB
                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C40C0C1,000000FF), ref: 6C2BA9F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseQueryValue$PrivateProfileString
                              • String ID: >:
                              • API String ID: 2114517702-3907246019
                              • Opcode ID: 84639f7090fc5b6febaf171f58c6262eb645e8e9f72a6705cad534202e98cc6c
                              • Instruction ID: 939b37fa6d0decfabf0c24c79bfe067e62bdbfd4c0db700ee2a6ba806c321b55
                              • Opcode Fuzzy Hash: 84639f7090fc5b6febaf171f58c6262eb645e8e9f72a6705cad534202e98cc6c
                              • Instruction Fuzzy Hash: 4E415E7190025DDFDB25CB59CC48EEEB7B9EF44318F0041AAE819A3681DB309E95DF61
                              APIs
                                • Part of subcall function 6C2BBBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C2BBBEF
                              • GetClientRect.USER32(?,?), ref: 6C2AE9F7
                              • IsMenu.USER32(00000000), ref: 6C2AEA33
                              • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C2AEA4B
                              • GetClientRect.USER32(?,?), ref: 6C2AEA93
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientWindow$AdjustLongMenu
                              • String ID: >:
                              • API String ID: 3435883281-3907246019
                              • Opcode ID: 92718e3760ea42dc765c8a11641189d8d4260609a42954c09a39cfa0f5fb96c4
                              • Instruction ID: 94e613b238d5f0f0b2690bf6d22199871c1237d4fe3d00d1288fef4c10880471
                              • Opcode Fuzzy Hash: 92718e3760ea42dc765c8a11641189d8d4260609a42954c09a39cfa0f5fb96c4
                              • Instruction Fuzzy Hash: 55319235A0030EAFDB00EBA5C988EBFBBB9BF49248F144519FD01B7640DB30A9458A90
                              APIs
                              • GetNativeSystemInfo.KERNEL32(?,C1427766), ref: 00E622E0
                              • Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 00E622FA
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00E62375
                              • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00E62384
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Wow64$Redirection$DisableExecuteInfoNativeRevertShellSystem
                              • String ID: <
                              • API String ID: 226314799-4251816714
                              • Opcode ID: c85d1b6bca1461274ceea6a16942a2376b5e119a6344bd3a76b0e4c4fd062078
                              • Instruction ID: 44a2b8f35abe26d0b5a88ebc4306452d86723addbf8626c1964f43423467a2cb
                              • Opcode Fuzzy Hash: c85d1b6bca1461274ceea6a16942a2376b5e119a6344bd3a76b0e4c4fd062078
                              • Instruction Fuzzy Hash: C8416871D40609CFCB10CFA9D948A9EBBF5FF09315F20826EE511AB260E7349985CF80
                              APIs
                              • GetClientRect.USER32(?,?), ref: 6C2DCCD9
                              • PtInRect.USER32(?,?,?), ref: 6C2DCD03
                                • Part of subcall function 6C2DA972: ScreenToClient.USER32(?,?), ref: 6C2DA98E
                                • Part of subcall function 6C2DA972: GetParent.USER32(?), ref: 6C2DA99E
                                • Part of subcall function 6C2DA972: GetClientRect.USER32(?,?), ref: 6C2DAA31
                                • Part of subcall function 6C2DA972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DAA43
                                • Part of subcall function 6C2DA972: PtInRect.USER32(?,?,?), ref: 6C2DAA53
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C2DCD2C
                              • SendMessageW.USER32(?,00000202,?,?), ref: 6C2DCD4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                              • String ID: >:
                              • API String ID: 2689702638-3907246019
                              • Opcode ID: cefcd8724dd1c7b418e6e4e5d49ea3f2a2005c1a4bbc0cbda17c2aa4c35019f7
                              • Instruction ID: 32d0002669a3d1550e87ea96c9ecbd74db657893c7c028d513ff1f81ca89d389
                              • Opcode Fuzzy Hash: cefcd8724dd1c7b418e6e4e5d49ea3f2a2005c1a4bbc0cbda17c2aa4c35019f7
                              • Instruction Fuzzy Hash: 3631EE3960061DEBDF02EF20CC048AE7FB6FF48B14B11412AF85992510EB31E910CFA0
                              APIs
                              • GetClientRect.USER32 ref: 6C2DCDE5
                              • PtInRect.USER32(?,?,?), ref: 6C2DCDFE
                                • Part of subcall function 6C2DA972: ScreenToClient.USER32(?,?), ref: 6C2DA98E
                                • Part of subcall function 6C2DA972: GetParent.USER32(?), ref: 6C2DA99E
                                • Part of subcall function 6C2DA972: GetClientRect.USER32(?,?), ref: 6C2DAA31
                                • Part of subcall function 6C2DA972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C2DAA43
                                • Part of subcall function 6C2DA972: PtInRect.USER32(?,?,?), ref: 6C2DAA53
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C2DCE34
                              • SendMessageW.USER32(?,00000201,?,?), ref: 6C2DCE53
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                              • String ID: >:
                              • API String ID: 2689702638-3907246019
                              • Opcode ID: 4a921387164c0e80c944404d3c0a748bbd936345c52deeabfd650ea49473afbf
                              • Instruction ID: 25010fa41a288cda414bbf1b92b23c277d2f6b5a45b022e8926ffc6f20cd458e
                              • Opcode Fuzzy Hash: 4a921387164c0e80c944404d3c0a748bbd936345c52deeabfd650ea49473afbf
                              • Instruction Fuzzy Hash: 7E217C35A0020EEBDF05EF61C804AFE7BB6FF48715F10811AF816A2650E771A964DBA0
                              APIs
                              • GetDC.USER32(00000000), ref: 6C31CA7E
                              • EnumFontFamiliesExW.GDI32(00000000,?,6C31CA15,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C31CA99
                              • ReleaseDC.USER32(00000000,00000000), ref: 6C31CAA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EnumFamiliesFontRelease
                              • String ID: >:$xtBl
                              • API String ID: 264590589-2708353764
                              • Opcode ID: d5bd73d5d4563162f07c25a88557a889544061087ee7bc77c59d5cafea6c63aa
                              • Instruction ID: f8ef0ce771bdb33ca77a12504b5980802a814f720cf90e59222738510c672ec2
                              • Opcode Fuzzy Hash: d5bd73d5d4563162f07c25a88557a889544061087ee7bc77c59d5cafea6c63aa
                              • Instruction Fuzzy Hash: 83118676D0161CABCB11EBA49C48DEF7BBCEF4A708F500415ED01E7640DB24DA05CAA1
                              APIs
                              • GetObjectW.GDI32(?,0000000C,?), ref: 6C2AEC89
                              • SetBkColor.GDI32(?,?), ref: 6C2AEC93
                              • GetSysColor.USER32(00000008), ref: 6C2AECA3
                              • SetTextColor.GDI32(?,?), ref: 6C2AECAB
                                • Part of subcall function 6C2C02A7: GetWindowLongW.USER32(?,000000F0), ref: 6C2C02C2
                                • Part of subcall function 6C2C02A7: GetClassNameW.USER32(?,?,0000000A), ref: 6C2C02D7
                                • Part of subcall function 6C2C02A7: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,6C2A7B06,?,?), ref: 6C2C02EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$ClassCompareLongNameObjectStringTextWindow
                              • String ID: >:
                              • API String ID: 3274569906-3907246019
                              • Opcode ID: c433d4ceee5fe8c66bc4d629284e968dbb0b443e3483dbd930f0b123ef3e897f
                              • Instruction ID: 60214cd473be8f6d4198e35ee298fc5f77d94a1c8bae2e4614f9759d150b8562
                              • Opcode Fuzzy Hash: c433d4ceee5fe8c66bc4d629284e968dbb0b443e3483dbd930f0b123ef3e897f
                              • Instruction Fuzzy Hash: 2201617160121DBB9B11EFA8C9449AF73BAAF4A719F600514FE21D25C0DB31D91386E1
                              APIs
                              • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C2BA8B6
                              • RegCloseKey.ADVAPI32(00000000), ref: 6C2BA8BF
                              • swprintf.LIBCMT ref: 6C2BA8DC
                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C2BA8ED
                                • Part of subcall function 6C2BADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C2BA828,?,00000000), ref: 6C2BAE3E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Close$PrivateProfileStringValueWriteswprintf
                              • String ID: >:
                              • API String ID: 581541481-3907246019
                              • Opcode ID: e6b9818fab5ab052ddd5406a14352e3abd08d70be60b23a21b90c642e4c6851b
                              • Instruction ID: 486d098175245ffc835662a8972f2c19cfa78073855ea8284202d66f7141021b
                              • Opcode Fuzzy Hash: e6b9818fab5ab052ddd5406a14352e3abd08d70be60b23a21b90c642e4c6851b
                              • Instruction Fuzzy Hash: 0D018E32600209BBDB10EA64CC45FAA73BDEF49658F500429FA11A7540DB71E9558660
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4016D
                                • Part of subcall function 00E92A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00E92AAA
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E401B2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw$ExceptionRaise
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3476068407-1866435925
                              • Opcode ID: 6c96cd8fb88536dd7755526b5e6906ea9acb35ea47653f27bc57201c6984753d
                              • Instruction ID: 9bd6dc1050f68681b0cd0c18aebad225f04a7d0dd4d7224d675e684e6d97a084
                              • Opcode Fuzzy Hash: 6c96cd8fb88536dd7755526b5e6906ea9acb35ea47653f27bc57201c6984753d
                              • Instruction Fuzzy Hash: 41F0A272D003042BDB14D9589856FA673C89B40310F186979FAA4BA292EA75D9458791
                              APIs
                              • EnterCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B76B
                              • LeaveCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B79E
                              • SetEvent.KERNEL32(00000000,00E41BBF,00EE5B90,00EBE390), ref: 00E7B82C
                              • ResetEvent.KERNEL32 ref: 00E7B838
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalEventSection$EnterLeaveReset
                              • String ID: 8O
                              • API String ID: 3553466030-3761743594
                              • Opcode ID: 0021d2fd91e6bd71763d58a49f1522ef3547045ad1348ac45fa060ac572b0345
                              • Instruction ID: cead070e34f4f48fbe8beee6918555ed1fd3486b8dfd17f6083cdda75c594a28
                              • Opcode Fuzzy Hash: 0021d2fd91e6bd71763d58a49f1522ef3547045ad1348ac45fa060ac572b0345
                              • Instruction Fuzzy Hash: B7018F79A00698DFCB049F2AFD8899677A8FB49710701516AF81AFB370C7345C89CB90
                              APIs
                              • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00E94FFB
                              • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00E9502F
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E9503F
                              Strings
                              • Bad read pointer - no RTTI data!, xrefs: 00E94FF2
                              • Attempted a typeid of nullptr pointer!, xrefs: 00E95026
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::__non_rtti_object::__construct_from_string_literal$Exception@8Throw
                              • String ID: Attempted a typeid of nullptr pointer!$Bad read pointer - no RTTI data!
                              • API String ID: 3406231999-4195314292
                              • Opcode ID: b94e4f66daa7ec605fc3b3aca118c230318176308e9eb09f3d408cafaf77ea82
                              • Instruction ID: 40d81c23f5d9872a6130e29f79e3268d76818e6c5281d7f896dce852bdfbfb82
                              • Opcode Fuzzy Hash: b94e4f66daa7ec605fc3b3aca118c230318176308e9eb09f3d408cafaf77ea82
                              • Instruction Fuzzy Hash: DFF03172604704AFDF24DA94D54AE9D73E4EB08720F20685EF501BB3D0DB71E9019750
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA46E9,00000003,?,00EA4689,00000003,00EDEEE0,0000000C,00EA47E0,00000003,00000002), ref: 00EA4758
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA476B
                              • FreeLibrary.KERNEL32(00000000,?,?,?,00EA46E9,00000003,?,00EA4689,00000003,00EDEEE0,0000000C,00EA47E0,00000003,00000002,00000000), ref: 00EA478E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 5a795b298b3d90606127ac44786088f9b8cd672c0c56b326933facae7fc4f9e6
                              • Instruction ID: b4a1fe3fdfa599629aa3272d50a25fad8f26b320bea8a0999517a5249a7e2cf2
                              • Opcode Fuzzy Hash: 5a795b298b3d90606127ac44786088f9b8cd672c0c56b326933facae7fc4f9e6
                              • Instruction Fuzzy Hash: 3EF04F70A00218BFDB119FA5DC49B9EBFB8EF49715F100269F809B61A0EB719D85CA90
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C685C
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C2C6845
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C684E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmDefWindowProc$dwmapi.dll
                              • API String ID: 1102202064-234806475
                              • Opcode ID: 36f53f1da6170007ecd3c6b9bc85bf374e3111e94f4188adc426b04ad4cdc524
                              • Instruction ID: 04387e3cffeca540a671fdf0315d69b3552cfd0cdaa0906154cad76b79d2d63c
                              • Opcode Fuzzy Hash: 36f53f1da6170007ecd3c6b9bc85bf374e3111e94f4188adc426b04ad4cdc524
                              • Instruction Fuzzy Hash: B3F0363570121AAB9F42BFE5DC84C6A3FB5AF0D6697404621FD15D2A50D730C914CFA1
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C6920
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C2C6909
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C6912
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetWindowAttribute$dwmapi.dll
                              • API String ID: 1102202064-3105884578
                              • Opcode ID: c5ce415263f1d340ce5150089c614e7513bb69618bae4175aa0c22612022c601
                              • Instruction ID: 50c780cdc636b9fc6e8518527e6b9b29658e656a1f7cb80060ab264ff59646f5
                              • Opcode Fuzzy Hash: c5ce415263f1d340ce5150089c614e7513bb69618bae4175aa0c22612022c601
                              • Instruction Fuzzy Hash: 72F0547574122EAB8F52FF65CD48D793BB8EF0976A7000515FD19E6A10D730C8108AA1
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C6A43
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C2C6A2C
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C6A35
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
                              • API String ID: 1102202064-1757063745
                              • Opcode ID: c550f1c2dfe419b524b5ebeeaa170cb81350c47710fefd1247e971ff1730b9fa
                              • Instruction ID: 5177e922c0e18bebeb704276beb621dc6cdab88e56e959af07ccedfae8e6ca1c
                              • Opcode Fuzzy Hash: c550f1c2dfe419b524b5ebeeaa170cb81350c47710fefd1247e971ff1730b9fa
                              • Instruction Fuzzy Hash: ABF0307674122AABDF02FA689C08D7A3FB9AB09755B448515FD15E6B10E730C9108BA1
                              APIs
                              • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00E88E1B
                              • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00E88E3F
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E88E52
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E88E60
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                              • String ID: pScheduler
                              • API String ID: 3657713681-923244539
                              • Opcode ID: f34b3d0c7a701f130427893fa3ab5f50954710357944e354b5520b0221e46472
                              • Instruction ID: b2f7f6ced3cd496d4f471a40eeb6b846ecee5bc2722c0c90d1136eae7ac7a7cf
                              • Opcode Fuzzy Hash: f34b3d0c7a701f130427893fa3ab5f50954710357944e354b5520b0221e46472
                              • Instruction Fuzzy Hash: 83F02431900304AB8724FA50DE52C9EB3A98E90724760A55EE90E77282DF70AD03C791
                              APIs
                              • DecodePointer.KERNEL32(00000000,?,?,6C2BF22E,6C47825C,0000002C), ref: 6C2C68C1
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C2C68AA
                              • EncodePointer.KERNEL32(00000000,?,?,6C2BF22E,6C47825C,0000002C), ref: 6C2C68B3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmIsCompositionEnabled$dwmapi.dll
                              • API String ID: 1102202064-1198327662
                              • Opcode ID: 4d88bcfd651b2e6d5936878cac5b08d50b4f67de1c7f4bcb780f3a2e1bc99d1f
                              • Instruction ID: f41fd2a5c7740c8de2a2e9bb7558e7f76ec66e8867aae2618866e0a91db32375
                              • Opcode Fuzzy Hash: 4d88bcfd651b2e6d5936878cac5b08d50b4f67de1c7f4bcb780f3a2e1bc99d1f
                              • Instruction Fuzzy Hash: E2F0543570166AABDB42FB64C888E693BB8BF0A75A7040621FC05D6A40EB30C8048BA5
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C6985
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C2C696E
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C6977
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetIconicThumbnail$dwmapi.dll
                              • API String ID: 1102202064-2331651847
                              • Opcode ID: 46d6d3f59ba7e4ce9f21e4f17f00e0fd942a40471ddc03e062aa743840f221fa
                              • Instruction ID: 46f977349e6e3c94cd971b53981af077fd508f2b16dd515d7301aac235fedf6c
                              • Opcode Fuzzy Hash: 46d6d3f59ba7e4ce9f21e4f17f00e0fd942a40471ddc03e062aa743840f221fa
                              • Instruction Fuzzy Hash: 45F0827575162AABCF12FF64CD48D697BF8AF0A7A97000611FC19E6B10DB31C850CAA6
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C2C69E7
                                • Part of subcall function 6C2AAA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C2AAA8A
                                • Part of subcall function 6C2AAA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C2AAA9A
                                • Part of subcall function 6C2AAA64: EncodePointer.KERNEL32(00000000), ref: 6C2AAAA3
                              • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C2C69D0
                              • EncodePointer.KERNEL32(00000000), ref: 6C2C69D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
                              • API String ID: 1102202064-1901905683
                              • Opcode ID: 7f5aeaeaf9683c8b1ea2a91abc3259bba7c6f976bd782b17e98f3f26745ced12
                              • Instruction ID: 850af7641d69bcaf87d63f53ad6ecc53a1881e2ddd96e21b8d5ef713ebaab52b
                              • Opcode Fuzzy Hash: 7f5aeaeaf9683c8b1ea2a91abc3259bba7c6f976bd782b17e98f3f26745ced12
                              • Instruction Fuzzy Hash: 0EF0A77174576AA79B11F6648908D2936B8AB0E7AE3408111FC06E6F00EB34CC008EE1
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2DAE5E
                              • IsWindow.USER32(00000000), ref: 6C2DAE72
                              • GetClientRect.USER32(00000000,00000000), ref: 6C2DAEC7
                              • GetCursorPos.USER32(?), ref: 6C2DB090
                              • ScreenToClient.USER32(00000000,?), ref: 6C2DB09D
                                • Part of subcall function 6C2D59F1: __EH_prolog3_GS.LIBCMT ref: 6C2D59FB
                                • Part of subcall function 6C2D59F1: GetClientRect.USER32(00000000,00000000), ref: 6C2D5A55
                                • Part of subcall function 6C2D382B: __EH_prolog3_GS.LIBCMT ref: 6C2D3835
                                • Part of subcall function 6C2D382B: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C2D3860
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
                              • String ID:
                              • API String ID: 3214297127-0
                              • Opcode ID: 2eeb63e1984de9d7d6c8a39f778289f45e7be9335510e1de0677ae4349c4ba0b
                              • Instruction ID: 4e8070389c1a684f1d20da0ecc914533130cb6df95c069fd738bb8fa1bd7004b
                              • Opcode Fuzzy Hash: 2eeb63e1984de9d7d6c8a39f778289f45e7be9335510e1de0677ae4349c4ba0b
                              • Instruction Fuzzy Hash: A2917471A0021DDFCF05DFA8C884ADDBBB5BF58319F1541AAEC05AB651DB31A909CFA0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0431fb6b8dc020aa5f8d7b7f557603f2b777c65103deecf841733f4757030ca5
                              • Instruction ID: 095e75f6c483b5c5f81b7c30e568e4eb3da21b5c1d8d881d7729169e0e6c0c85
                              • Opcode Fuzzy Hash: 0431fb6b8dc020aa5f8d7b7f557603f2b777c65103deecf841733f4757030ca5
                              • Instruction Fuzzy Hash: 7771C131A052169FCF218F54CC84ABFBBB5EF6A354F246229E812BB641C770AD81C790
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 75239357dc5a0ca6266a223bbeec264691427df16084c6980812c8b9f8bbd2a8
                              • Instruction ID: cf8d86bdf648042d0d5c68ce2868abe8a0c5d0cb7aa45b8bcb24521b3ce8981d
                              • Opcode Fuzzy Hash: 75239357dc5a0ca6266a223bbeec264691427df16084c6980812c8b9f8bbd2a8
                              • Instruction Fuzzy Hash: 2B41DE32A006049FDB20DF78C881A5EB3E2EF89314F2585A9E515FF281EB31AD45CB80
                              APIs
                              • GetCursorPos.USER32(00000000), ref: 6C2A6E7C
                              • GetKeyState.USER32(00000011), ref: 6C2A6E84
                              • ScreenToClient.USER32(?,00000000), ref: 6C2A6F1C
                              • ClientToScreen.USER32(?,00000000), ref: 6C2A6F69
                              • SetCursorPos.USER32(00000000,00000000), ref: 6C2A6F75
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorScreen$State
                              • String ID:
                              • API String ID: 3982492586-0
                              • Opcode ID: db633e9246e4ae9863f6a685d276a87a38cccfc966f0283e1894beb5cefd4bc6
                              • Instruction ID: 040943724ed4bcbaeec4fc42950cd48089876fc14cebe13be9c6a2a6d8f9f90e
                              • Opcode Fuzzy Hash: db633e9246e4ae9863f6a685d276a87a38cccfc966f0283e1894beb5cefd4bc6
                              • Instruction Fuzzy Hash: 09318272A11519EFCB09DBFCC594BADBBB5FB4A315F20426AF812D2990D7309A528B40
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E4A3C6
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E4A3E6
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4A406
                              • std::_Facet_Register.LIBCPMT ref: 00E4A4A1
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E4A4B9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                              • String ID:
                              • API String ID: 459529453-0
                              • Opcode ID: fc5191cdd58ca31d216a518f43fe9323657efe0147db064ca9150961530aa876
                              • Instruction ID: 4a6cb92b554bc01801c77383ed5565f1c17c102a5b250b84749bb7c69b0a5033
                              • Opcode Fuzzy Hash: fc5191cdd58ca31d216a518f43fe9323657efe0147db064ca9150961530aa876
                              • Instruction Fuzzy Hash: 1641DF71900258CFCB14DF54E885BAEB7F4EF10724F18916DE81ABB292DB71AD05CB82
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E37B76
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00E37B96
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E37BB6
                              • std::_Facet_Register.LIBCPMT ref: 00E37C51
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E37C69
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                              • String ID:
                              • API String ID: 459529453-0
                              • Opcode ID: e72b4d08570d2c561dc476dc044ee143708882b57d13c3f9c57fe79b89e241d1
                              • Instruction ID: 3113b976bdc7d2ae1f115373ff91d924d25d3357312e50cd065ba514096281e2
                              • Opcode Fuzzy Hash: e72b4d08570d2c561dc476dc044ee143708882b57d13c3f9c57fe79b89e241d1
                              • Instruction Fuzzy Hash: 2041CCB19042598FCB24DF54C885BAEBBF5EF44714F14916DE84A7B391DB31AE05CB80
                              APIs
                                • Part of subcall function 6C2D686C: __EH_prolog3_GS.LIBCMT ref: 6C2D6873
                                • Part of subcall function 6C2D686C: GetWindowRect.USER32(00000000,00000000), ref: 6C2D68BC
                                • Part of subcall function 6C2D686C: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C2D68E6
                                • Part of subcall function 6C2D686C: SetWindowRgn.USER32(00000000,?,00000000), ref: 6C2D68FC
                              • GetSystemMenu.USER32(?,00000000), ref: 6C2D8EB6
                              • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6C2D8ED3
                              • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C2D8EE2
                              • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C2D8EF1
                              • EnableMenuItem.USER32(?,0000F060,00000001), ref: 6C2D8F19
                                • Part of subcall function 6C2D7650: SetRectEmpty.USER32(?), ref: 6C2D767B
                                • Part of subcall function 6C2D7650: ReleaseCapture.USER32 ref: 6C2D7681
                                • Part of subcall function 6C2D7650: SetCapture.USER32(?,?,?,?,6C2CF5F2,?), ref: 6C2D7694
                                • Part of subcall function 6C2D7650: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C2D7794
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
                              • String ID:
                              • API String ID: 4022425685-0
                              • Opcode ID: bf59d9057d4447e63cdd73d5522875ae2ee338575ff6f019acf2e0f3b8d2bbb9
                              • Instruction ID: c5e4ad6ee08d552f37d8767ea9279aee1d7b21d7d771c2b68f23323a0dc4cecc
                              • Opcode Fuzzy Hash: bf59d9057d4447e63cdd73d5522875ae2ee338575ff6f019acf2e0f3b8d2bbb9
                              • Instruction Fuzzy Hash: 28219F3570121AEFDF126B61C8899BE7F3AFF48659B050066FE159B691CB30A8109EA1
                              APIs
                              • IsWindow.USER32(00000000), ref: 6C2A9005
                              • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C2A9019
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C2A902C
                              • SetWindowLongW.USER32(?,000000F0,?), ref: 6C2A9063
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C2A9078
                                • Part of subcall function 6C2BBBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C2BBBEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Long
                              • String ID:
                              • API String ID: 3430364388-0
                              • Opcode ID: bac4f4c605df14a9eeb5387c7b9354ce727e2299545f695246d96188504f4faa
                              • Instruction ID: 8a4c3a4ad48dc698e7462053237f519020b73a0b2bda7c036f564b30f568a25e
                              • Opcode Fuzzy Hash: bac4f4c605df14a9eeb5387c7b9354ce727e2299545f695246d96188504f4faa
                              • Instruction Fuzzy Hash: 1A210771301619EFEB10AFA6CC84E6B7BB9FB48759F10812DBA45A7690DB72DC00C750
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 00EB0043
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EB0066
                                • Part of subcall function 00EA7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EB008C
                              • _free.LIBCMT ref: 00EB009F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EB00AE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: a0776ec860a0dc04e7843c6a1a891631a9be05d47d6932f4044416ce56f6a126
                              • Instruction ID: 5e5c785a89d666f7a418ff1df5e1c7b631f60f05d94a789791c4b63de625690d
                              • Opcode Fuzzy Hash: a0776ec860a0dc04e7843c6a1a891631a9be05d47d6932f4044416ce56f6a126
                              • Instruction Fuzzy Hash: A601D472A01215BF672136BBAC88DBB6AADDFC6BA4314562AF904F6151DE609D0181B0
                              APIs
                              • IsWindow.USER32(00000000), ref: 6C2A8E40
                              • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C2A8E54
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C2A8E67
                              • SetWindowLongW.USER32(?,000000F0,?), ref: 6C2A8E86
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C2A8E9C
                                • Part of subcall function 6C2BBBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C2BBBEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Long
                              • String ID:
                              • API String ID: 3430364388-0
                              • Opcode ID: c386f0dd39908873ec4bceab72793b0d348f548f26b7c0f4348f9456fabd064a
                              • Instruction ID: 66414f51afa628a3b152bd660067f80b3b1bc6cbd4ede00c5eaae24430f655c4
                              • Opcode Fuzzy Hash: c386f0dd39908873ec4bceab72793b0d348f548f26b7c0f4348f9456fabd064a
                              • Instruction Fuzzy Hash: FF11E971701648FFEB106B65CC08F5BBAB9FBC5B55F204529B541A66A0DBB19C40C760
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C2D6873
                              • GetWindowRect.USER32(00000000,00000000), ref: 6C2D68BC
                              • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C2D68E6
                              • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C2D68FC
                              • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C2D6914
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Rect$CreateH_prolog3_Round
                              • String ID:
                              • API String ID: 2502471913-0
                              • Opcode ID: b83f91b8aa61f0033d373e3b0d9ccba38cc6c6dcb4db44a42932ea61d2d43ada
                              • Instruction ID: 71386bf5b78d430b24f5c5f33cbc6c7d324a8f640ede171944dd4dffff7bce8d
                              • Opcode Fuzzy Hash: b83f91b8aa61f0033d373e3b0d9ccba38cc6c6dcb4db44a42932ea61d2d43ada
                              • Instruction Fuzzy Hash: 21116A75A0020EAFDF05EFA4C894EEDBB78FF08309F210119E905B2A50DB34AD40CB60
                              APIs
                              • GetLastError.KERNEL32(?,?,?,00E96807,00EA9265,?,00EA6EF2,00000001,00000364,?,00E9CAB3,00EDEEC0,00000010), ref: 00EA6F4D
                              • _free.LIBCMT ref: 00EA6F82
                              • _free.LIBCMT ref: 00EA6FA9
                              • SetLastError.KERNEL32(00000000), ref: 00EA6FB6
                              • SetLastError.KERNEL32(00000000), ref: 00EA6FBF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: f365b64865638f3fd0464a421543a18ff163cc369c175e0bc7091869a23e93c7
                              • Instruction ID: f1015600ea3c2a4219ef94676848d3ad72fbfe6c4d9468589ef69b738350fef0
                              • Opcode Fuzzy Hash: f365b64865638f3fd0464a421543a18ff163cc369c175e0bc7091869a23e93c7
                              • Instruction Fuzzy Hash: 5401F93E3486002FC2126E357C85D5F159ADBCF3A47292135F605FE1A2EE30AC055070
                              APIs
                                • Part of subcall function 00E7E800: TlsGetValue.KERNEL32(?,?,00E7DD7A,00E7DB93,?,?), ref: 00E7E806
                              • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00E838E9
                                • Part of subcall function 00E8CFB0: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00E8CFD7
                                • Part of subcall function 00E8CFB0: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00E8CFF0
                                • Part of subcall function 00E8CFB0: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00E8D066
                                • Part of subcall function 00E8CFB0: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00E8D06E
                              • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00E838F7
                              • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00E83901
                              • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00E8390B
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E83929
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                              • String ID:
                              • API String ID: 4266703842-0
                              • Opcode ID: d74bdafab1562bd5e8b2e564bede8562c25d8e5966b31eaa51b41815cb97a74e
                              • Instruction ID: 96b511cc7c4e804f90735fb8750dfa754f181bd3ce99ecdf8fb0a542d9279014
                              • Opcode Fuzzy Hash: d74bdafab1562bd5e8b2e564bede8562c25d8e5966b31eaa51b41815cb97a74e
                              • Instruction Fuzzy Hash: 55F0F672A0061427CA25B735D80296DF7A99F80B54B00202AF51D73292DF74DF0597D5
                              APIs
                              • _free.LIBCMT ref: 00EB0DF3
                                • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                              • _free.LIBCMT ref: 00EB0E05
                              • _free.LIBCMT ref: 00EB0E17
                              • _free.LIBCMT ref: 00EB0E29
                              • _free.LIBCMT ref: 00EB0E3B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: ad90ff086a7266998db0d4016c9f40a0c44a3209d392da11137eebdf2a63ff81
                              • Instruction ID: adf870e79c5477b4963ff4efb8f24e9845422d632d1ca511ad05d320586cc516
                              • Opcode Fuzzy Hash: ad90ff086a7266998db0d4016c9f40a0c44a3209d392da11137eebdf2a63ff81
                              • Instruction Fuzzy Hash: 23F01232508344AB8A64DB69ECC7C5B73DAEB497547556C46F148FF561CB30FCC04A54
                              APIs
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00E50E74
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00E50E63
                                • Part of subcall function 00E79E80: std::system_error::system_error.LIBCPMT ref: 00E79EA1
                                • Part of subcall function 00E79E80: __CxxThrowException@8.LIBVCRUNTIME ref: 00E79EAF
                              • GetCurrentThreadId.KERNEL32 ref: 00E50E7C
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00E50E88
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00E50EA5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cpp_errorThrow_std::_$CurrentException@8ThreadThrowstd::system_error::system_error
                              • String ID:
                              • API String ID: 1635414652-0
                              • Opcode ID: 03a6080fc6aca861af7f47eb9df50a6336c73184098da6c0a8359ec9da657530
                              • Instruction ID: a2287bb865574bed75391cb51cddfd951457426df0868e898ca10ce34761445d
                              • Opcode Fuzzy Hash: 03a6080fc6aca861af7f47eb9df50a6336c73184098da6c0a8359ec9da657530
                              • Instruction Fuzzy Hash: A9F096B1A407005AEB30ABA4AC03B9372D88F10709F14AD3CFD5DB51C3FA92E41486D7
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00E7E1A3
                              • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00E7E1C3
                                • Part of subcall function 00E7DB6C: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00E7DB8E
                                • Part of subcall function 00E7DB6C: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00E7DBAF
                              • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00E7E1D6
                              • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00E7E1E2
                              • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00E7E1EB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadRegisterSchedulerSwitch_to_active
                              • String ID:
                              • API String ID: 1236927926-0
                              • Opcode ID: 19d51cd6e97131496b51e3b8f54f64097f1ffe8b192741e01e767ab575c26a4a
                              • Instruction ID: 6dad4bb64abe1466af40607980aced57410f4ae854e0debf6f99b0d111f360b2
                              • Opcode Fuzzy Hash: 19d51cd6e97131496b51e3b8f54f64097f1ffe8b192741e01e767ab575c26a4a
                              • Instruction Fuzzy Hash: 32F0B430605215679B147E644C136BE3AE69F85350F58E1A8F51AFB3D1DE704D019794
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strcspn
                              • String ID: D$H
                              • API String ID: 3709121408-841036128
                              • Opcode ID: 433f9cc0595d1899a8cd676a368fd368985272403e3a045ea291f5562dfaa81e
                              • Instruction ID: 50b9d69e5807ea0b7919b5a4745024580c55c1d7bff15f4a45e4e01149205781
                              • Opcode Fuzzy Hash: 433f9cc0595d1899a8cd676a368fd368985272403e3a045ea291f5562dfaa81e
                              • Instruction Fuzzy Hash: 9EF17C71A002499FDF04CFA8D985AEEBBF6FF49304F148069E819BB352D731A945CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __freea
                              • String ID: a/p$am/pm
                              • API String ID: 240046367-3206640213
                              • Opcode ID: d5d4b9282f24da0558e1ea71e2973744bd4493d5c55e1f5d218d1fdc2d675a0a
                              • Instruction ID: 24f2eb5d75e37ab885bc94167f3f23f3f4470bdfc23b6faeba176e2ad41d458f
                              • Opcode Fuzzy Hash: d5d4b9282f24da0558e1ea71e2973744bd4493d5c55e1f5d218d1fdc2d675a0a
                              • Instruction Fuzzy Hash: 12D1FF31900206DBCB298F68C995BFAB7B0EF0B718F24A559E905BF251D335BD80DB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr
                              • String ID: Stop$g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp
                              • API String ID: 3213747228-2130820020
                              • Opcode ID: f9dc975eb631a41cf18d8c1b5f5d711c00d9f9f363e913b07582ccbd5f03837c
                              • Instruction ID: 2fee4e864ff2288e64b1c62b1d5f96bd2748c18816c389f298e0acb33f0d79b7
                              • Opcode Fuzzy Hash: f9dc975eb631a41cf18d8c1b5f5d711c00d9f9f363e913b07582ccbd5f03837c
                              • Instruction Fuzzy Hash: C9D1F230A002449FDB15DFA8C88AB9DBBF1EF85300F14D52DEA19BB392D771A945CB91
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00E3C981
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E3C9AC
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E3C9ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: L
                              • API String ID: 1173841540-4033448573
                              • Opcode ID: 3bd2c8abfa89644a0e5ff2d8afdc8cf1264d28ecbf887c7e3851a72ead5e829f
                              • Instruction ID: dc27dc54fb70f40423a7a486f554a0768a54aa51330ad2dc1ede0b112f22120b
                              • Opcode Fuzzy Hash: 3bd2c8abfa89644a0e5ff2d8afdc8cf1264d28ecbf887c7e3851a72ead5e829f
                              • Instruction Fuzzy Hash: ABD1F4B5D042598FCB15CFA8C884A9DFBF5BF48300F1496AAD859B7342D730A985CFA0
                              APIs
                              • __freea.LIBCMT ref: 6C3FCDF3
                                • Part of subcall function 6C3F94F1: HeapAlloc.KERNEL32(00000000,6C3FD462,?,?,6C3FD462,00000220,?,00000000,?), ref: 6C3F9523
                              • __freea.LIBCMT ref: 6C3FCE06
                              • __freea.LIBCMT ref: 6C3FCE13
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __freea$AllocHeap
                              • String ID: >:
                              • API String ID: 85559729-3907246019
                              • Opcode ID: b034eadecd8bd5e82372834bb8cf121f0ba650eb1429db736f099067619d8ef1
                              • Instruction ID: 6826122ddd67cdbd5c29bab3b38b0fb84521efdb77ebb96a43ca00166b4a1721
                              • Opcode Fuzzy Hash: b034eadecd8bd5e82372834bb8cf121f0ba650eb1429db736f099067619d8ef1
                              • Instruction Fuzzy Hash: 2F51C6726412066FEB20AE64DC80DAB76A9DF54758B210829FD24D7610EB32CC26DEA1
                              APIs
                              • _strpbrk.LIBCMT ref: 00EAF3A7
                              • _free.LIBCMT ref: 00EAF4C4
                                • Part of subcall function 00E96756: IsProcessorFeaturePresent.KERNEL32(00000017,00E96728,00000016,00E9CA5B,0000002C,00EDF1E8,00EADA8F,?,?,?,00E96735,00000000,00000000,00000000,00000000,00000000), ref: 00E96758
                                • Part of subcall function 00E96756: GetCurrentProcess.KERNEL32(C0000417,00E9CA5B,00000016,00EA6F47), ref: 00E9677A
                                • Part of subcall function 00E96756: TerminateProcess.KERNEL32(00000000), ref: 00E96781
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              • Opcode ID: cce4fac394f90a233da062968b7d4018cdc495cc5be0f769d60417158563eb6b
                              • Instruction ID: d2104b3976e76fc805a047387a87fafdec79e6f2e1cd0d786e4ff7f1673bb523
                              • Opcode Fuzzy Hash: cce4fac394f90a233da062968b7d4018cdc495cc5be0f769d60417158563eb6b
                              • Instruction Fuzzy Hash: DD516C75E00209ABDF14DFE8C881AAEBBF5EF5D314F24516AE854FB341E671AA018B50
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe,00000104), ref: 00EA4873
                              • _free.LIBCMT ref: 00EA493E
                              • _free.LIBCMT ref: 00EA4948
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                              • API String ID: 2506810119-2871517531
                              • Opcode ID: 441f39e1d84f6007c72f68531c9fe01ce246c46d44859761d3caf99061c74340
                              • Instruction ID: 6c5cceafa3513598bbf40dfdc58f418511aefd65d8265e7b8a2f5fb3a3499e33
                              • Opcode Fuzzy Hash: 441f39e1d84f6007c72f68531c9fe01ce246c46d44859761d3caf99061c74340
                              • Instruction Fuzzy Hash: F03193B2A00258AFCB25DB99DC819AFBBE8EBCA314F105067F504BB251D6B06E44CB51
                              APIs
                                • Part of subcall function 00E7B7AB: EnterCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7B6
                                • Part of subcall function 00E7B7AB: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7F3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E6E6AE
                                • Part of subcall function 00E7A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00E7A64A
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E6E6BC
                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000010,00000000,00000000,?,?,?,?,00000000,00000001,?), ref: 00E6E70E
                                • Part of subcall function 00E7B761: EnterCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B76B
                                • Part of subcall function 00E7B761: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B79E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeaveMtx_init_in_situ$Concurrency::details::create_stl_critical_sectionCreateEvent
                              • String ID: _
                              • API String ID: 2236257864-2350027178
                              • Opcode ID: 79bc9e1bab2583ff5a626f0188ecf048c6909b08e491ad13345de7b4d070b863
                              • Instruction ID: 96a08a554cc55570cd65c92147f4e4502c5a462462c2fa9664118ea8f60fe8a6
                              • Opcode Fuzzy Hash: 79bc9e1bab2583ff5a626f0188ecf048c6909b08e491ad13345de7b4d070b863
                              • Instruction Fuzzy Hash: FC415CB1640749EFE700DFA5D886F8ABBE4FB04718F208169E518AF3C2D7B56508CB91
                              APIs
                              • IsWindowVisible.USER32(?), ref: 6C2B8CFB
                              • GetWindowRect.USER32(?,?), ref: 6C2B8D30
                              • IntersectRect.USER32(?,?,?), ref: 6C2B8D5B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: RectWindow$IntersectVisible
                              • String ID: >:
                              • API String ID: 508375533-3907246019
                              • Opcode ID: c6a1c5cf629561e70b4308ab7fc71320ed8d3847c112915195688f300b7ec995
                              • Instruction ID: 655393422359a69e993d2b8d6a4767cbf8fef8abc02b25688a5e4b560a313118
                              • Opcode Fuzzy Hash: c6a1c5cf629561e70b4308ab7fc71320ed8d3847c112915195688f300b7ec995
                              • Instruction Fuzzy Hash: C9313879A0120F9BDB05DF65C884BEABBB4BF18389F14016BE819E7641DB34E945CB90
                              APIs
                              • InvalidateRect.USER32(?,?,00000001,?), ref: 6C2D2DD1
                              • InflateRect.USER32(?,00000000,?), ref: 6C2D2E17
                              • RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C2D2E2B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$InflateInvalidateRedrawWindow
                              • String ID: >:
                              • API String ID: 3842175019-3907246019
                              • Opcode ID: 95101618d1b5ed384b606c7ca136bc22c5adc14636667bcdd2146e4eb52955a6
                              • Instruction ID: 841775c003c08a25353126362e54cb3a6a8c39fa96161ead7ff16101ed023595
                              • Opcode Fuzzy Hash: 95101618d1b5ed384b606c7ca136bc22c5adc14636667bcdd2146e4eb52955a6
                              • Instruction Fuzzy Hash: 20219171B0021EABCF05EBA4C958AAEB7B5BF59305F110119ED05E7640DB30BD048BA1
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2D0D09
                                • Part of subcall function 6C31E380: __EH_prolog3.LIBCMT ref: 6C31E387
                                • Part of subcall function 6C2BBCF3: GetDlgCtrlID.USER32(?), ref: 6C2BBCFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3$Ctrl
                              • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                              • API String ID: 3879667756-2016111687
                              • Opcode ID: 3ff64d040a0013efe0388d0bb1cd862fe98eb9fe15494e0f7c05cd5878dab9d0
                              • Instruction ID: f2483bbb94ef490d72df2e76bf4ba959c86f91b5ee54929a8ee5b19ccda2d70c
                              • Opcode Fuzzy Hash: 3ff64d040a0013efe0388d0bb1cd862fe98eb9fe15494e0f7c05cd5878dab9d0
                              • Instruction Fuzzy Hash: 9E219A75A0025EABDF00DFA4C894AFEB734BF44318F140969E82127791DB30AA09CBA1
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00E3D21C
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E3D247
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E3D27D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: L
                              • API String ID: 1173841540-4033448573
                              • Opcode ID: 0a8272516d9ff4f50c16694059fe60f54d4331ca5652c1dccec8f9968d32fb82
                              • Instruction ID: 6688ba27e99ed5ee7bf312e38a11e293dbfdf5e60ef2dedcd54a5aaa72c16e5f
                              • Opcode Fuzzy Hash: 0a8272516d9ff4f50c16694059fe60f54d4331ca5652c1dccec8f9968d32fb82
                              • Instruction Fuzzy Hash: 8C31E3B0C08288EEDF02DFA0DC457EFBFF9AB56304F18229AD40476251D7758984C751
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CursorH_prolog3
                              • String ID: Control Panel\Desktop$MenuShowDelay
                              • API String ID: 634316419-702829638
                              • Opcode ID: c8adb4976877d44d84492ac4ed4caee7f7f5e7a5dd7f2a8d6cf03a559344a204
                              • Instruction ID: 23b1cd37d97b3652db5a9b1811dacbb3e2d91978307b5068eae18fbebb0868d2
                              • Opcode Fuzzy Hash: c8adb4976877d44d84492ac4ed4caee7f7f5e7a5dd7f2a8d6cf03a559344a204
                              • Instruction Fuzzy Hash: 1C21A134B0125A8FCF05DB64C844ABD7BB1BF88318F150429ED21DB780EF75A905CBA1
                              APIs
                              • GetWindow.USER32(00000000,00000005), ref: 6C2CCAA9
                              • GetClassNameW.USER32(?,?,00000400), ref: 6C2CCACB
                                • Part of subcall function 6C31BA46: __EH_prolog3.LIBCMT ref: 6C31BA4D
                              • GetWindow.USER32(?,00000002), ref: 6C2CCB09
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$ClassH_prolog3Name
                              • String ID: >:
                              • API String ID: 632776892-3907246019
                              • Opcode ID: 9b007029943da994315a0a0718b13e30e129b920c3bad005687ae7fdba5f47c1
                              • Instruction ID: 96c23d9fd9cde3078d44dd2853d0b99daa44b5ac705bfd1f6ef8c82ee58d7757
                              • Opcode Fuzzy Hash: 9b007029943da994315a0a0718b13e30e129b920c3bad005687ae7fdba5f47c1
                              • Instruction Fuzzy Hash: 4811D672B0061AABCB51EBB8CC44EAA76E8FF08749F010264ED45E6A50DF30DC45CB81
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2D0DE7
                                • Part of subcall function 6C31E380: __EH_prolog3.LIBCMT ref: 6C31E387
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3
                              • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
                              • API String ID: 431132790-953485693
                              • Opcode ID: 0eae80882113ff4ca48a85bcd7c613c51e54602a628047c1c7c3d132c2d5042d
                              • Instruction ID: 722c7702877470adaa545d5a415428497fd4d446248f1768a61f8e2d73bbf968
                              • Opcode Fuzzy Hash: 0eae80882113ff4ca48a85bcd7c613c51e54602a628047c1c7c3d132c2d5042d
                              • Instruction Fuzzy Hash: 3A213A74A0025E9BDF04DFA4C898EEEB775BF54308F100869E9116B791EB35A909CBA1
                              APIs
                                • Part of subcall function 6C2C34C0: EnterCriticalSection.KERNEL32(6C478410,?,?,0000007C,?,6C2AF878,00000001), ref: 6C2C34F1
                                • Part of subcall function 6C2C34C0: InitializeCriticalSection.KERNEL32(00000000,?,6C2AF878,00000001), ref: 6C2C3507
                                • Part of subcall function 6C2C34C0: LeaveCriticalSection.KERNEL32(6C478410,?,6C2AF878,00000001), ref: 6C2C3515
                                • Part of subcall function 6C2C34C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C2AF878,00000001), ref: 6C2C3522
                              • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C2C0A38
                              • CreatePatternBrush.GDI32(00000000), ref: 6C2C0A45
                              • DeleteObject.GDI32(00000000), ref: 6C2C0A51
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
                              • String ID: >:
                              • API String ID: 3767330792-3907246019
                              • Opcode ID: c0586ae1ec095027da5711284bd1d189b3bf5e2f90d5fefef03e52a77419ef5c
                              • Instruction ID: 28b832f997005bc87cc0cd37eb2c69305637cdcb805c4595bd6e4bfa8a780abe
                              • Opcode Fuzzy Hash: c0586ae1ec095027da5711284bd1d189b3bf5e2f90d5fefef03e52a77419ef5c
                              • Instruction Fuzzy Hash: 3B010C71B0199DABDB42FB749844AFE3775EB86709F50022AE901A2A90DB714505C762
                              APIs
                                • Part of subcall function 6C2A3DD5: __EH_prolog3.LIBCMT ref: 6C2A3DDC
                                • Part of subcall function 6C2A3DD5: BeginPaint.USER32(?,?,00000004,6C273B9D), ref: 6C2A3E08
                              • GetClientRect.USER32(?,?), ref: 6C2C29E6
                              • Ellipse.GDI32(?,?,?,?,?), ref: 6C2C2A0F
                              • DrawIcon.USER32(?,00000000,00000000,?), ref: 6C2C2A22
                                • Part of subcall function 6C2A3E2A: EndPaint.USER32(?,?,EE3AED3E,?,00000000,6C40B537,000000FF,?,00000000), ref: 6C2A3E5C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Paint$BeginClientDrawEllipseH_prolog3IconRect
                              • String ID: >:
                              • API String ID: 1069182592-3907246019
                              • Opcode ID: 8154bf382c512f4389c00ed7d7a935235fd5951772c3a4eda18a6171e602175e
                              • Instruction ID: 0aff2033fc0c8ad1c838955bb44dcf2325d82e4a99c230f3f7ce6fc6ab5ac676
                              • Opcode Fuzzy Hash: 8154bf382c512f4389c00ed7d7a935235fd5951772c3a4eda18a6171e602175e
                              • Instruction Fuzzy Hash: B7112731E0020DAFCF05EFA5C944AEEBBB9FF49704F504119E805B7250DB70AA11CB90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00E7F57B
                              • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00E7F588
                              • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00E7F5DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
                              • String ID: \S
                              • API String ID: 220083066-2521472832
                              APIs
                              • __EH_prolog3_catch.LIBCMT ref: 00E79930
                              • make_shared.LIBCPMT ref: 00E7997B
                                • Part of subcall function 00E79570: __EH_prolog3.LIBCMT ref: 00E79577
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3H_prolog3_catchmake_shared
                              • String ID: MOC$RCC
                              • API String ID: 1798871530-2084237596
                              APIs
                              • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00E90248
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E9025A
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E90268
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                              • String ID: pScheduler
                              • API String ID: 1381464787-923244539
                              APIs
                              • swprintf.LIBCMT ref: 6C318A58
                              • GetFileAttributesW.KERNEL32(00000104,AFX,00000000,00000104,00000104,000000FF), ref: 6C318A63
                              • GetTempFileNameW.KERNEL32(000000FF,00000104,00000000,00000104,?,?,6C2F16C9,?,AFX,00000000,00000104,00000104,000000FF), ref: 6C318A7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$AttributesNameTempswprintf
                              • String ID: %s%s%X.tmp
                              • API String ID: 2659213859-596088238
                              APIs
                              • EnterCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7B6
                              • LeaveCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7F3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID: 8O
                              • API String ID: 3168844106-3761743594
                              APIs
                              • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00E8A639
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E8A64C
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8A65A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                              • String ID: pContext
                              • API String ID: 1990795212-2046700901
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00E80B92
                              • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00E80BA8
                              • Concurrency::details::ResourceManager::InitializeSystemInformation.LIBCONCRT ref: 00E80BBB
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00E810DE
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00E810F2
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00E81113
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00E8114A
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00E8118D
                                • Part of subcall function 00E810CF: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00E81280
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::Manager::Resource$Information$Affinity$ApplyRestrictionsSystemTopology$AcquireCaptureCleanupConcurrency::details::_H_prolog3InitializeLock::_ProcessReentrantRetrieveVersion
                              • String ID: \S
                              • API String ID: 435733138-2521472832
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E81D59
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E81D67
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pScheduler$version
                              • API String ID: 1687795959-3154422776
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00E6BB61
                              • __Mtx_unlock.LIBCPMT ref: 00E6BB73
                              • __Mtx_unlock.LIBCPMT ref: 00E6BD9B
                              • __Mtx_unlock.LIBCPMT ref: 00E6BC5C
                                • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Cpp_errorThrow_std::_
                              • String ID:
                              • API String ID: 787541473-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$CountTick
                              • String ID:
                              • API String ID: 1506932912-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              APIs
                              • __Cnd_destroy_in_situ.LIBCPMT ref: 00E6F753
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00E6F7ED
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00E6F7F6
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00E6F814
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_destroy_in_situ$Cnd_destroy_in_situ
                              • String ID:
                              • API String ID: 3308344742-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$CloseEventHandle
                              • String ID:
                              • API String ID: 986198054-0
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C2DADB1
                              • ScreenToClient.USER32(000000FF,?), ref: 6C2DADC1
                              • PtInRect.USER32(000000D8,?,?), ref: 6C2DADD4
                              • PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C2DADEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmpDownload File
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorMessagePostRectScreen
                              • String ID:
                              • API String ID: 1913696736-0
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000001,7FFFFFFF,?,00000001,00000000,?,00000001,00000000,00000000), ref: 00EAD57B
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EAD604
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EAD616
                              • __freea.LIBCMT ref: 00EAD61F
                                • Part of subcall function 00EA7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                              • String ID:
                              • API String ID: 2652629310-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_destroy_in_situCnd_signalMtx_destroy_in_situMtx_unlock
                              • String ID:
                              • API String ID: 876560159-0
                              APIs
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000003,?,?,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 00E370CD
                              • GetLastError.KERNEL32(?,?,?,?,?), ref: 00E370DE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000003,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00E370FB
                              • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 00E37124
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C3AAC13
                              • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6C32729C,?,00000000,00000000,0000005C), ref: 6C3AACB7
                              • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6C32729C,?,00000000,00000000,0000005C), ref: 6C3AACF7
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6C32729C,?,00000000,00000000), ref: 6C3AAD15
                                • Part of subcall function 6C2A09A7: __EH_prolog3.LIBCMT ref: 6C2A09AE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
                              • String ID:
                              • API String ID: 655328227-0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              APIs
                              • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00E8FFFB
                              • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00E8FFAC
                                • Part of subcall function 00E86BE5: SafeRWList.LIBCONCRT ref: 00E86BF6
                              • SafeRWList.LIBCONCRT ref: 00E8FFF1
                              • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00E90011
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                              • String ID:
                              • API String ID: 336577199-0
                              APIs
                              • SetEvent.KERNEL32(?,00000000), ref: 00E8F736
                              • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00E8F71E
                                • Part of subcall function 00E877EF: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00E87810
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8F767
                              • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00E8F790
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                              • String ID:
                              • API String ID: 2630251706-0
                              APIs
                              • KillTimer.USER32(?,0000EC17), ref: 6C2DC9D5
                              • KillTimer.USER32(?,0000EC18), ref: 6C2DC9E3
                              • IsWindow.USER32(?), ref: 6C2DCA53
                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C2DCA7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: KillTimer$MessagePostWindow
                              • String ID:
                              • API String ID: 3970157719-0
                              APIs
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C2AF01C
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C2AF046
                              • GetCapture.USER32 ref: 6C2AF05C
                              • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C2AF06B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$Capture
                              • String ID:
                              • API String ID: 1665607226-0
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00EA93BF,?,00000000,00000000,00000000,?,00EA96EB,00000006,FlsSetValue), ref: 00EA944A
                              • GetLastError.KERNEL32(?,00EA93BF,?,00000000,00000000,00000000,?,00EA96EB,00000006,FlsSetValue,00EC51F0,FlsSetValue,00000000,00000364,?,00EA6F96), ref: 00EA9456
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EA93BF,?,00000000,00000000,00000000,?,00EA96EB,00000006,FlsSetValue,00EC51F0,FlsSetValue,00000000), ref: 00EA9464
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              APIs
                              • GetDlgCtrlID.USER32(?), ref: 6C2A6FE7
                              • GetScrollPos.USER32(?,00000002), ref: 6C2A6FFA
                              • SendMessageW.USER32(?,00000114,?,?), ref: 6C2A7034
                              • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C2A7052
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Scroll$CtrlMessageSend
                              • String ID:
                              • API String ID: 1219558039-0
                              • Opcode ID: f584241a0ecd1f1cf9eee0cc5aef6bdc93f208d381a82671d7bfcbfa6d2834c1
                              • Instruction ID: f0423a748ca4d12c56edc0191d6a25005de59c4f568e987a680ba5fa0434478e
                              • Opcode Fuzzy Hash: f584241a0ecd1f1cf9eee0cc5aef6bdc93f208d381a82671d7bfcbfa6d2834c1
                              • Instruction Fuzzy Hash: E211CE32700218EFEB01AFA9CC49EAE7B75FB49741F014469FD45AB151DA709C11DB60
                              APIs
                              • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00E92097
                              • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00E920AB
                              • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00E920C3
                              • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00E920DB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                              • String ID:
                              • API String ID: 78362717-0
                              • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                              • Instruction ID: 5c71915278ad1b79c189aa11f00dbf574faf9b3698c41f5a71cb65cb5de27607
                              • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                              • Instruction Fuzzy Hash: 1F012632200214B7CF26BE548841EEF779DAF50310F00105AFE06B7281DA71ED00C2E0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: OffsetRect
                              • String ID:
                              • API String ID: 177026234-0
                              • Opcode ID: 997aba76fae7827c406bf7bb10507aa1565009917e6355fce05078bf6bc84693
                              • Instruction ID: 701d34383f1957b2bfa81c5cbf4d4092b3108aee084fcb1d67d3d7593afb9e2d
                              • Opcode Fuzzy Hash: 997aba76fae7827c406bf7bb10507aa1565009917e6355fce05078bf6bc84693
                              • Instruction Fuzzy Hash: 8301E176601118AFCF50EFA9D888DCA7FBCEF89755B40416AFD09DB105D630E848CBA0
                              APIs
                              • GetTopWindow.USER32(?), ref: 6C2AEED5
                              • GetTopWindow.USER32(00000000), ref: 6C2AEF18
                              • GetWindow.USER32(00000000,00000002), ref: 6C2AEF3A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window
                              • String ID:
                              • API String ID: 2353593579-0
                              • Opcode ID: 3db2b8625aede9c9ba3eb76dd480e0f39b494c92a70a71ff88c406ea7bc8f95d
                              • Instruction ID: 99ce188294717dd5bb25b033093c7356e909df95ff8d2d31351e722f292d87cd
                              • Opcode Fuzzy Hash: 3db2b8625aede9c9ba3eb76dd480e0f39b494c92a70a71ff88c406ea7bc8f95d
                              • Instruction Fuzzy Hash: 6501933210561EABCF126F948D04EDF3A2AEF09355F044014FE21A4560C736C577EBD5
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 6C2AEE61
                              • GetTopWindow.USER32(00000000), ref: 6C2AEE6E
                                • Part of subcall function 6C2AEE57: GetWindow.USER32(00000000,00000002), ref: 6C2AEEBD
                              • GetTopWindow.USER32(?), ref: 6C2AEEA2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                              • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Item
                              • String ID:
                              • API String ID: 369458955-0
                              • Opcode ID: 5471fa378592813b93b1e0b31adc94af0d20ba226f44a96567626ca3c5d12990
                              • Instruction ID: 1833519176b41aeca8321ff1bfd18bdbb8be4e362db1cd327d3e90fd2a4f97fb
                              • Opcode Fuzzy Hash: 5471fa378592813b93b1e0b31adc94af0d20ba226f44a96567626ca3c5d12990
                              • Instruction Fuzzy Hash: C8014B3510561EABCB136FE98E04A8F3A79AF067BAF044110FD14A5914DB31C933CAE1
                              APIs
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00E87F22
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00E87F32
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00E87F42
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00E87F56
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Compare_exchange_acquire_4std::_
                              • String ID:
                              • API String ID: 3973403980-0
                              • Opcode ID: 69c85f9f307058b13594f485f38b45a969a34791a48dfde31d74927e42f0f942
                              • Instruction ID: 1003aae378735092e6679d13f5ca4aa9159f441384b877cd0a3de6cf927bd4a4
                              • Opcode Fuzzy Hash: 69c85f9f307058b13594f485f38b45a969a34791a48dfde31d74927e42f0f942
                              • Instruction Fuzzy Hash: E6013C36208109BBCF12BF95DE428AD3B66BB15358B24A415FF5CE5031CB33C6B2AB41
                              APIs
                              • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00E7F4C4
                                • Part of subcall function 00E7E972: ___crtGetTimeFormatEx.LIBCMT ref: 00E7E988
                                • Part of subcall function 00E7E972: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00E7E9A7
                              • GetLastError.KERNEL32 ref: 00E7F4E0
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7F4F6
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7F504
                                • Part of subcall function 00E7E748: SetThreadPriority.KERNEL32(?,?), ref: 00E7E754
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                              • String ID:
                              • API String ID: 1674182817-0
                              • Opcode ID: 9739620fbf5d7c613d8fc70256578ed24773208c4731ec4315cbc515c391fa60
                              • Instruction ID: ea92fcc37b426c7ce8437c4a742ff17c10ae3459f1647b8511bb7b64edc9bb80
                              • Opcode Fuzzy Hash: 9739620fbf5d7c613d8fc70256578ed24773208c4731ec4315cbc515c391fa60
                              • Instruction Fuzzy Hash: 41F08CB2A003297AEB20B6755C0BFBB36DC9B01650F50986AB95DF6192E9E8E40442A0
                              APIs
                              • RegisterWaitForSingleObject.KERNEL32(?,00000000,00E8F58F,000000A4,000000FF,0000000C), ref: 00E7E6CB
                              • GetLastError.KERNEL32(?,?,?,?,?,00E84568,?), ref: 00E7E6DA
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E6F0
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E6FE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                              • String ID:
                              • API String ID: 3803302727-0
                              • Opcode ID: b3529695a73414dc8a75e6af38b7567a51c95d5b3dc8f2f10b7c9284cb990651
                              • Instruction ID: ae41fca311852e3ceba27a40e451c71831680b70ff0bc54d41b70a1104192833
                              • Opcode Fuzzy Hash: b3529695a73414dc8a75e6af38b7567a51c95d5b3dc8f2f10b7c9284cb990651
                              • Instruction Fuzzy Hash: 8FF0A03560020EBBCF10EFA0DD46EAF37ACAB04314F204265F619F51E1DA74D6048760
                              APIs
                              • ___crtCreateEventExW.LIBCPMT ref: 00E7E3EF
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?), ref: 00E7E3FD
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E413
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E421
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                              • String ID:
                              • API String ID: 200240550-0
                              • Opcode ID: 1708d086c375677d5b591cf5fa304204f2b1fc4a095253a6a541e1c4ca17485d
                              • Instruction ID: 7802754f175674da52e647a9041c4501543a01dd459d6ab660146384e704f17d
                              • Opcode Fuzzy Hash: 1708d086c375677d5b591cf5fa304204f2b1fc4a095253a6a541e1c4ca17485d
                              • Instruction Fuzzy Hash: 07E0D861A403192AD710B7759C07F7F35DC9B00744F4454B5FA1DF01D3F9A4D50042A1
                              APIs
                                • Part of subcall function 00E7E7B5: TlsAlloc.KERNEL32(00000000,?,?), ref: 00E7E7BB
                              • TlsAlloc.KERNEL32(00000000,?,?), ref: 00E8F97C
                              • GetLastError.KERNEL32 ref: 00E8F98E
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E8F9A4
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8F9B2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                              • String ID:
                              • API String ID: 3735082963-0
                              • Opcode ID: 860456a0de04a83637136ee7afbe0c1e264294021072984c6435fd85e4937323
                              • Instruction ID: 57985679ed6aa1e7afbf095a52ab0bf767f36aec3c8ce71200d79a9e3afa88ca
                              • Opcode Fuzzy Hash: 860456a0de04a83637136ee7afbe0c1e264294021072984c6435fd85e4937323
                              • Instruction Fuzzy Hash: BEE09274800309AFC710BFB5AC8A6AA32E86B44358B505A76F02EF52B6EAB4D40547A1
                              APIs
                              • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,00000000,?), ref: 00E7E5FA
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00E7E609
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E61F
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E62D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                              • String ID:
                              • API String ID: 3016159387-0
                              • Opcode ID: de55ce80acd252428f63fafa52c3263723810ee09bae97478eb5a922a22f37f1
                              • Instruction ID: 08e3349339c5026da86d88db98a4765fa05d26489058c07ed01892b315deeb4c
                              • Opcode Fuzzy Hash: de55ce80acd252428f63fafa52c3263723810ee09bae97478eb5a922a22f37f1
                              • Instruction Fuzzy Hash: 5BE04874A00209EBCB10FBF5ED5AEAF73EC5B00604F605565E145F2161EA74DB058761
                              APIs
                              • SetThreadPriority.KERNEL32(?,?), ref: 00E7E754
                              • GetLastError.KERNEL32 ref: 00E7E760
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E776
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E784
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                              • String ID:
                              • API String ID: 4286982218-0
                              • Opcode ID: c6823b5fe5a0fee1d70141ec40de625e6f3e8ce5633c140b735df19b1a341b09
                              • Instruction ID: 9da968e1452f9c2db1200ddcbe072846fb688d7ceaf24fbec1feb36c713a1699
                              • Opcode Fuzzy Hash: c6823b5fe5a0fee1d70141ec40de625e6f3e8ce5633c140b735df19b1a341b09
                              • Instruction Fuzzy Hash: 33E04F385002096BCB14BB65DC06BAB36ACAB00348F009966F559F11B2DA75D50486A0
                              APIs
                              • TlsSetValue.KERNEL32(?,00000000,00E83910,00000000,?,?,?,?), ref: 00E7E81A
                              • GetLastError.KERNEL32 ref: 00E7E826
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E83C
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E84A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                              • String ID:
                              • API String ID: 1964976909-0
                              • Opcode ID: b5d20cbe4b87249dfe6f8fd3d5b507785e097a3e8ddef0de052376d878a1e10f
                              • Instruction ID: b165746aa7be62c7e0f0e9719fbbf1aa304ddcc41ce5159225dd9b9fc80b0be1
                              • Opcode Fuzzy Hash: b5d20cbe4b87249dfe6f8fd3d5b507785e097a3e8ddef0de052376d878a1e10f
                              • Instruction Fuzzy Hash: 8BE086345002096BDF14BF75EC06BBF36ACAB04304F409565F519F51B2DA75E5058791
                              APIs
                              • TlsAlloc.KERNEL32(00000000,?,?), ref: 00E7E7BB
                              • GetLastError.KERNEL32 ref: 00E7E7C8
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00E7E7DE
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7E7EC
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                              • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                              • String ID:
                              • API String ID: 3103352999-0
                              • Opcode ID: 2c02e3ac1aa84a1f6cb1cc5f5fd6614cf4389105420b187ca79cc2a0367ebcef
                              • Instruction ID: d3abc38b44b61db42f80e01178ef39809a50a52bdbddc8c8757b0ae3647769cc
                              • Opcode Fuzzy Hash: 2c02e3ac1aa84a1f6cb1cc5f5fd6614cf4389105420b187ca79cc2a0367ebcef
                              • Instruction Fuzzy Hash: 27E0C2345002195BCB14B775AC5AABF32ECAB00328F505B76F129F02F2EA74E50642A0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                              • API String ID: 3732870572-1956417402
                              • Opcode ID: 1c34416c863a513a49bbbad3c5c024e7a70ab40f79f219012db30a4c1e794386
                              • Instruction ID: 1ec0b74ff2d50da0ea1e5a0f7818db802155ceee507f072394061617e0d95111
                              • Opcode Fuzzy Hash: 1c34416c863a513a49bbbad3c5c024e7a70ab40f79f219012db30a4c1e794386
                              • Instruction Fuzzy Hash: DF61F970E0424E9FDB15EEA98840BAEBBF5AF4578DF24409AFC94F7640D37495418B50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EmptyRect
                              • String ID: >:
                              • API String ID: 2270935405-3907246019
                              • Opcode ID: 952f62cfa7cf72c286547bdab4126ca3033fe8290e1ccf133fb6ecc08fa7178b
                              • Instruction ID: 6eeff4e4c805e3e5874961265068bdd0a26c608288d6ea2283af84b1998b1a06
                              • Opcode Fuzzy Hash: 952f62cfa7cf72c286547bdab4126ca3033fe8290e1ccf133fb6ecc08fa7178b
                              • Instruction Fuzzy Hash: AD7179B5A0060E9FDB00CF68C885BEEB7B5FF99305F158169E915A7351DB34A844CBA0
                              APIs
                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00EB6D4F), ref: 00EAF082
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DecodePointer
                              • String ID: Om$|X
                              • API String ID: 3527080286-2067853356
                              • Opcode ID: 9d682cc071ae88f158f14f3ad055e682db4bd8d4c93d5992a0f8c14b1bb60395
                              • Instruction ID: 9078a86b522efd4bf9c4b2d7c4c23361112bb66dc60c4c8c3e0f5afd6a993e25
                              • Opcode Fuzzy Hash: 9d682cc071ae88f158f14f3ad055e682db4bd8d4c93d5992a0f8c14b1bb60395
                              • Instruction Fuzzy Hash: 21515F75904609CBCF149FE4EA886EDBBB0FF4E308F1052A9D481BF265CB71A9548724
                              APIs
                              • GetStdHandle.KERNEL32(000000F5,C1427766,?,?,?), ref: 00E4F4E9
                                • Part of subcall function 00E7B7AB: EnterCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7B6
                                • Part of subcall function 00E7B7AB: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,?,00E41B5C,00EE5B90,00E31077,C1427766,?,00EBBE3E,000000FF), ref: 00E7B7F3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00E4F524
                                • Part of subcall function 00E7A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00E7A64A
                                • Part of subcall function 00E7BB2A: __onexit.LIBCMT ref: 00E7BB30
                                • Part of subcall function 00E7B761: EnterCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B76B
                                • Part of subcall function 00E7B761: LeaveCriticalSection.KERNEL32(00EE4F38,?,?,00E41BBF,00EE5B90,00EBE390), ref: 00E7B79E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$Concurrency::details::create_stl_critical_sectionHandleMtx_init_in_situ__onexit
                              • String ID: list<T> too long
                              • API String ID: 2689493819-4027344264
                              • Opcode ID: 392b457c2821234119d4442f0becedee34dbe6358819edfd6c5822890974ab64
                              • Instruction ID: 9bcca15af52ce4b989133f701534f777f6e2d7327b49354d6fa0c1dc13ac7c6f
                              • Opcode Fuzzy Hash: 392b457c2821234119d4442f0becedee34dbe6358819edfd6c5822890974ab64
                              • Instruction Fuzzy Hash: 64518CB1900219DBDB00DF95D845BAFBBF4FF44704F00566AE819AB291E7B49A18CBE1
                              APIs
                              • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C2D103C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: RedrawWindow
                              • String ID: >:
                              • API String ID: 2219533335-3907246019
                              • Opcode ID: 6e14c030ec30c1c6a03baf5608d2971e3398374d9966d14bf809cfccade14004
                              • Instruction ID: 4d726b873e9bb04aa0123c44bcae3cba06880baf4d172ed7fed13490de36f63d
                              • Opcode Fuzzy Hash: 6e14c030ec30c1c6a03baf5608d2971e3398374d9966d14bf809cfccade14004
                              • Instruction Fuzzy Hash: 9C413835B002299FDF05EB64C858ABEBBB6FF8C314F150019E816A7380DB35AD41CBA5
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4DFC0
                                • Part of subcall function 00E92A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00E92AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseThrow
                              • String ID: ' already exists$logger with name '
                              • API String ID: 3976011213-1723946186
                              • Opcode ID: 8df40dfed6c57dd8c45102023f2083125f5bd2d66629c12d8be0337ec3bfaef0
                              • Instruction ID: efddffe95a8564a3b8766a7c01efb86745e407dfa296060b9c45bd9f5f5ec7fc
                              • Opcode Fuzzy Hash: 8df40dfed6c57dd8c45102023f2083125f5bd2d66629c12d8be0337ec3bfaef0
                              • Instruction Fuzzy Hash: F941BE71B046059BCF18DF58E881AAEB7B6FF88304F20416DE816BB741D731AD46CBA0
                              APIs
                              • GetClientRect.USER32(?,?), ref: 6C2A0C9A
                              • FillRect.USER32(?,?,00000000), ref: 6C2A0CC9
                                • Part of subcall function 6C2A0AB0: DrawStateW.USER32(?,?,00000000,?,00000000,?,?,?,?,?), ref: 6C2A0AD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientDrawFillState
                              • String ID: >:
                              • API String ID: 2006854769-3907246019
                              • Opcode ID: 341fe3c3653e8344c71d914d352a2ddd17b2a1fedd0a2bbc5d1edad0081ffb18
                              • Instruction ID: f619301286610c84987084f5cf27b69cec3375a51b6d8940cbc466a82414d40b
                              • Opcode Fuzzy Hash: 341fe3c3653e8344c71d914d352a2ddd17b2a1fedd0a2bbc5d1edad0081ffb18
                              • Instruction Fuzzy Hash: 31410C36A00B4EEFDB14DEA8C944BAFB7B2EB45305F104518E96AA3640DB30B946CB51
                              APIs
                              • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6C3F8E74,?,?,00000000,00000000,00000000,?), ref: 6C3F8F98
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: b57251f18d03f6b9de8308a8bd7985b82f5801aeb450f387f6df69e7a642cb72
                              • Instruction ID: 519aa64a5abba57adc08f0164edeb1ff73f2a4c648b3bf0d872ae3dfa1244249
                              • Opcode Fuzzy Hash: b57251f18d03f6b9de8308a8bd7985b82f5801aeb450f387f6df69e7a642cb72
                              • Instruction Fuzzy Hash: 5441AA72A0020AAFDF06DF94CD80AEE7BB5FF48308F144599FA24A7611D336A952DF51
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E89A4D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E89A5B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pContext
                              • API String ID: 1687795959-2046700901
                              • Opcode ID: 5c55e22e68b29776ac33f5443c85b534c4c367fb8f2038cc41b82e1eae45fb52
                              • Instruction ID: 4eb15b55374371409328bab20f8443bccbc51ff434bacca4c558c7e4ff5ed1ae
                              • Opcode Fuzzy Hash: 5c55e22e68b29776ac33f5443c85b534c4c367fb8f2038cc41b82e1eae45fb52
                              • Instruction Fuzzy Hash: 1B412C35F002159FCB08EF99C8C096EB7B5FF84714B5990AAD919BB312DB70AD42CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID: lO$xO
                              • API String ID: 0-400032753
                              • Opcode ID: a57180ab76cc66d9fd9066a47d67b5f49b5c2bb8073246aa327e5fb42e13d960
                              • Instruction ID: 189da90c0407a9a770ad08175a85f876fb5442f9dc21f53465568e7c9c2fa6d2
                              • Opcode Fuzzy Hash: a57180ab76cc66d9fd9066a47d67b5f49b5c2bb8073246aa327e5fb42e13d960
                              • Instruction Fuzzy Hash: 5D310472E00748AEDB14EF68E80579D37E5DB41324F10E59AE958BB2C1E7709A84DB90
                              APIs
                              • GetClientRect.USER32(?,?), ref: 6C2A4C6B
                              • InflateRect.USER32(?,?,?), ref: 6C2A4C87
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientInflate
                              • String ID: >:
                              • API String ID: 256450704-3907246019
                              • Opcode ID: 6063f069149366c604d4cd30db512e57876df2a8109fbec0a43060fffd4cc548
                              • Instruction ID: b1e5152a4e267b73ccbbec0e94895616636cdd25d4c382c931ce161af8bef0f4
                              • Opcode Fuzzy Hash: 6063f069149366c604d4cd30db512e57876df2a8109fbec0a43060fffd4cc548
                              • Instruction Fuzzy Hash: 9941B375B00619AFCB09DFA8C984AEDF7F5BF49304F14425AE819A3240DB30AA55CBA5
                              APIs
                              • GetParent.USER32(?), ref: 6C2E6F12
                              • ClientToScreen.USER32(?,?), ref: 6C2E6F25
                                • Part of subcall function 6C2B35BB: GetDlgCtrlID.USER32(?), ref: 6C2B35EA
                                • Part of subcall function 6C2A4071: ClientToScreen.USER32(?,6C2DDE60), ref: 6C2A4080
                                • Part of subcall function 6C2A4071: ClientToScreen.USER32(?,6C2DDE68), ref: 6C2A408D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientScreen$CtrlParent
                              • String ID: >:
                              • API String ID: 4229523897-3907246019
                              • Opcode ID: 67eadad852d5d8fc9a08f3fa6e35641659805d17f573f91a829b19cd763d1ef1
                              • Instruction ID: 4fe0d959b8065e8c385d6b425e32453fb594296ca5090c1aaa92f13c3e8db462
                              • Opcode Fuzzy Hash: 67eadad852d5d8fc9a08f3fa6e35641659805d17f573f91a829b19cd763d1ef1
                              • Instruction Fuzzy Hash: 8D315A75A012099FDF05EF64C884EAA7BB9EF49308F4400A8ED05AB756DB31AD05CBA0
                              APIs
                              • GetObjectW.GDI32(?,00000018,?), ref: 6C326C47
                              • IntersectRect.USER32(00000000,00000000,00000000), ref: 6C326CB3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: IntersectObjectRect
                              • String ID: >:
                              • API String ID: 3895296623-3907246019
                              • Opcode ID: 218bec367123fbe69877e6433423166bcad2f2c7728cd642db1ead30ab91db48
                              • Instruction ID: ac416a95da0f37e7ad59510c66459144d5441439851a08693305ba3bb8cb804f
                              • Opcode Fuzzy Hash: 218bec367123fbe69877e6433423166bcad2f2c7728cd642db1ead30ab91db48
                              • Instruction Fuzzy Hash: 24315071D01219ABCF04DFA5D944AEEBBF9FF48314F24812AE411E3250DB759A45CF90
                              APIs
                              • GetDynamicTimeZoneInformation.KERNEL32(?,?,?,00989680,00000000,C1427766), ref: 00E546F1
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E54787
                              Strings
                              • Failed getting timezone info. , xrefs: 00E5474F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DynamicException@8InformationThrowTimeZone
                              • String ID: Failed getting timezone info.
                              • API String ID: 1852265600-813541962
                              • Opcode ID: d27e64403c321e635f94b8c86e102e932c82eec82837b1d451eff557a8c1faa5
                              • Instruction ID: c58f10f1b64929697a9f9bfafcf7c00072df81e15d8f9501ed4ee4b7ee252bfc
                              • Opcode Fuzzy Hash: d27e64403c321e635f94b8c86e102e932c82eec82837b1d451eff557a8c1faa5
                              • Instruction Fuzzy Hash: 513190B5900618AFCB14DF68CC85F99B7B4FB49314F0096AAEC19B7691D730A984CF90
                              APIs
                                • Part of subcall function 6C2BADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C2BA828,?,00000000), ref: 6C2BAE3E
                              • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C2BAC88
                              • RegCloseKey.ADVAPI32(00000000), ref: 6C2BAC91
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Close$Value
                              • String ID: A
                              • API String ID: 299128501-3554254475
                              • Opcode ID: 9d9ef3a53e5ffbbcccb487deaf7124f91030d0ce2ed4ce89384548702f8a15b9
                              • Instruction ID: d0704f31029a15ac5fb404eafd39de8837dd1a9bdd86b95ec375862bd85b6a15
                              • Opcode Fuzzy Hash: 9d9ef3a53e5ffbbcccb487deaf7124f91030d0ce2ed4ce89384548702f8a15b9
                              • Instruction Fuzzy Hash: 5C213636500229EBCF159FA8D809AEE7BB5EF49768F204019FD44DB250EB32CD42C760
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 6C33AEB3
                              • GetParent.USER32(?), ref: 6C33AEBC
                                • Part of subcall function 6C2A40B0: ScreenToClient.USER32(?,6C2B9501), ref: 6C2A40BF
                                • Part of subcall function 6C2A40B0: ScreenToClient.USER32(?,6C2B9509), ref: 6C2A40CC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientScreen$ParentRectWindow
                              • String ID: >:
                              • API String ID: 2099118873-3907246019
                              • Opcode ID: 425114b921b4d4a4676581242a90f5927424c819de5c2174d10b2008fd4242ce
                              • Instruction ID: 470d82df3aa6da9b03425de0faae4db3fddd02a91f859f29267b901ed4a7f416
                              • Opcode Fuzzy Hash: 425114b921b4d4a4676581242a90f5927424c819de5c2174d10b2008fd4242ce
                              • Instruction Fuzzy Hash: 2D218E35A00159AFCF05EFA8C848BED77B5BF49308F104429F919E7690DB34AA81CFA5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID: DY$HY
                              • API String ID: 269201875-3580111881
                              • Opcode ID: 6e9752b0e93f8eed839fde663db88ba88811783bd417ce9012ded6d61696b57b
                              • Instruction ID: d9fbee763684cc1e200cbb6a2b75ca4a365e4cadd9d01f0a707fec6a63b814eb
                              • Opcode Fuzzy Hash: 6e9752b0e93f8eed839fde663db88ba88811783bd417ce9012ded6d61696b57b
                              • Instruction Fuzzy Hash: B9110A715087029FE7209F29D58279277E4EF9A3A8F20641EE489BF281EB31F9418790
                              APIs
                              • CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C356FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID: ($>:
                              • API String ID: 2449625523-3990679639
                              • Opcode ID: 9dcfc4af3ae4d2eedb9247d6b52f47d96b177ae786e13c70c825037fff69574c
                              • Instruction ID: 59614df5287833daa1e6406a37bb8a7ef13c203dcc97ecf6e4cec168892598d0
                              • Opcode Fuzzy Hash: 9dcfc4af3ae4d2eedb9247d6b52f47d96b177ae786e13c70c825037fff69574c
                              • Instruction Fuzzy Hash: AE216F72E12208ABDB48DF69D944EEEB7B9EF48704F60412EE801EB740D772D8048B64
                              APIs
                              • DeleteFileW.KERNEL32(?,?,EE3AED3E,?,?,?,?,?,6C40C92B,000000FF), ref: 6C2C6FC6
                              • KillTimer.USER32(00000000,?,?,?,?,?,?,6C40C92B,000000FF), ref: 6C2C6FE6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DeleteFileKillTimer
                              • String ID: >:
                              • API String ID: 1409395338-3907246019
                              • Opcode ID: d56ec37b8b9bdb1e24a26b8288c9c19d93a04b9f90d4c4551f400a53861e5b6d
                              • Instruction ID: ccf7bed6ddfbeea688862d5241dfa577cd5aab4aae1371fafc2c675d9671daf5
                              • Opcode Fuzzy Hash: d56ec37b8b9bdb1e24a26b8288c9c19d93a04b9f90d4c4551f400a53861e5b6d
                              • Instruction Fuzzy Hash: 4E2186B1600608DFDB14EFA5C885FEAFBB9FB44308F10491DD85667B80DB366908CB22
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3
                              • String ID: /-l$OrigResetItems
                              • API String ID: 431132790-3226264516
                              • Opcode ID: e69cb81e7d2e167e2cb61f33e8c31328c376f9a88bbc180adc9b2b370a8ff249
                              • Instruction ID: ace8e09ddb8f4645815727488a1a5a77fbb59379dbbcc029cb9bc7865474216c
                              • Opcode Fuzzy Hash: e69cb81e7d2e167e2cb61f33e8c31328c376f9a88bbc180adc9b2b370a8ff249
                              • Instruction Fuzzy Hash: 22219035610A0A8FDF05DB60C594FED73B1AF54319F1A0569EC16ABA40DF30F945CB92
                              APIs
                              • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6C318F94
                                • Part of subcall function 6C2AB481: SendMessageW.USER32(00000000,00000401,00000000,00000000), ref: 6C2AB4A5
                                • Part of subcall function 6C2AB481: GetKeyState.USER32(00000001), ref: 6C2AB4BA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$State
                              • String ID: ,$>:
                              • API String ID: 739152826-3828830253
                              • Opcode ID: 27b775a506630b0f356be6253af3d97bc505d045d1d2890a0886355ace21f6af
                              • Instruction ID: 828f06a848bdaf726e9f16603eb9f3145decc6adc95bcf9c4c3dc5346c9973ce
                              • Opcode Fuzzy Hash: 27b775a506630b0f356be6253af3d97bc505d045d1d2890a0886355ace21f6af
                              • Instruction Fuzzy Hash: 33119370A05308AFDB14DF65D885BDEB7B5FF08318F21012EE942AAA41D7B19504CF55
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?,7508EB20,00000000,00000000,?,00E356F6,AppPath,?), ref: 00E405DA
                              • RegCloseKey.ADVAPI32(?), ref: 00E40631
                              Strings
                              • SOFTWARE\XZDesktopCalendar, xrefs: 00E405D4
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpen
                              • String ID: SOFTWARE\XZDesktopCalendar
                              • API String ID: 47109696-2602408674
                              • Opcode ID: 056cb23bde32c9c6635ea964eb619f0d31aa7eb85f767e919d78d95682d4e634
                              • Instruction ID: 21619643bcd9e71bb7f48667d500f51f425ad44a96ec045088fdc6824289ec86
                              • Opcode Fuzzy Hash: 056cb23bde32c9c6635ea964eb619f0d31aa7eb85f767e919d78d95682d4e634
                              • Instruction Fuzzy Hash: CF118675A00208AFDB10EF69DC45AAEB7F5EF44704F4045A9E905E7251D730AE4887D0
                              APIs
                                • Part of subcall function 6C2BBBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C2BBBEF
                              • GetWindowRect.USER32(00000082,6C2A17EB), ref: 6C2B0F9F
                              • GetWindow.USER32(00000082,00000004), ref: 6C2B0FBC
                                • Part of subcall function 6C2BBFCC: IsWindowEnabled.USER32(?), ref: 6C2BBFD7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$EnabledLongRect
                              • String ID: >:
                              • API String ID: 3170195891-3907246019
                              • Opcode ID: 8298cce093b20882aeafaf5903236bb9d0c81c1b1ca14b7761966125c66ef3f2
                              • Instruction ID: 6ec4dd2ebf1fefbb5ed562ae3a2e0740d8dbb7de4117d599e4b63b8f34048415
                              • Opcode Fuzzy Hash: 8298cce093b20882aeafaf5903236bb9d0c81c1b1ca14b7761966125c66ef3f2
                              • Instruction Fuzzy Hash: C6116D74B0124F9BDB02EB65CA50BAEB7B5AF4534DF544159FC02B7A40EF30E9418A91
                              APIs
                              • InflateRect.USER32(000000AC,00000000,?), ref: 6C2D6979
                              • RedrawWindow.USER32(00000000,000000AC,00000000,00000505,?,?,000000AC,?), ref: 6C2D6995
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InflateRectRedrawWindow
                              • String ID: >:
                              • API String ID: 3190756164-3907246019
                              • Opcode ID: ebc3b1ca7ee3a2befb947a281698f1d74f66e6fb19785ba16f63356b1602cf34
                              • Instruction ID: 837e7b7fd2d7ba0df4c0774474bf91e44258022d6eaa5ef25f3a5ea291b74c44
                              • Opcode Fuzzy Hash: ebc3b1ca7ee3a2befb947a281698f1d74f66e6fb19785ba16f63356b1602cf34
                              • Instruction Fuzzy Hash: D0115E31B0060EABCF04EFA4C988AEEB7B9FF48319F51006AE405E7550DB31B918CB65
                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,6C275678,?,?,6C27554C), ref: 6C3F2F17
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C3F2F36
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: LU'l
                              • API String ID: 1518329722-70274004
                              • Opcode ID: c87546878f88b07f54d5588c35e350f5f8509fe225596c2a59208cf4d289707d
                              • Instruction ID: 43aaa82f06830ae2b6699431dc76c1d5286869876e1f430d7aea529c0c4670c7
                              • Opcode Fuzzy Hash: c87546878f88b07f54d5588c35e350f5f8509fe225596c2a59208cf4d289707d
                              • Instruction Fuzzy Hash: 9EF021B1A10214FB9B148F69C90889EBEE9EBC63647204699F829D3740D672CE028A90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EmptyRect
                              • String ID: >:$AfxControlBar140su
                              • API String ID: 2270935405-369748038
                              • Opcode ID: 1b750089a8de0f75d546816b6b4c227cccc0ab9389ab3231cecf40a5ba1ca3fc
                              • Instruction ID: e471984d3c5b336175c309739bc73cd764ffec7d59a1febdb82aed29c0d6bd39
                              • Opcode Fuzzy Hash: 1b750089a8de0f75d546816b6b4c227cccc0ab9389ab3231cecf40a5ba1ca3fc
                              • Instruction Fuzzy Hash: C3016235A0124DABCB00DFA5C845FEFB7B5AF15714F204526B900B7640DB71AA1487A1
                              APIs
                              • SetBkColor.GDI32(?,?), ref: 6C2C0DAA
                              • ExtTextOutW.GDI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 6C2C0DDC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
                               • Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ColorText
                              • String ID: >:
                              • API String ID: 2223400495-3907246019
                              • Opcode ID: 48d95ce64695493247f2ad65853d621d82da84728e8c8181cf623906c9f4174d
                              • Instruction ID: c817a4faa395f86d0005e0586f8a4e2be26cc60cfd59012bd7aed9b87b177d7d
                              • Opcode Fuzzy Hash: 48d95ce64695493247f2ad65853d621d82da84728e8c8181cf623906c9f4174d
                              • Instruction Fuzzy Hash: 1001F6B5A00209AFDB08DF58CD4A9AFBBB5EF08304B40812DF816A3350D771AE14CAA5
                              APIs
                              • InterlockedDecrement.KERNEL32(00000008), ref: 00E4B2EE
                              • SysFreeString.OLEAUT32(00000000), ref: 00E4B303
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                               • Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DecrementFreeInterlockedString
                              • String ID: `)u
                              • API String ID: 3298718523-4279031584
                              • Opcode ID: e55d6a711fb27df26a9bf25d2bc3b940facb5c6d169474245df1df413b7bda82
                              • Instruction ID: 325cfaaf8cb22879f241e52c1a7d9d077f321c1305b0053d6e28f609a0d9d4a7
                              • Opcode Fuzzy Hash: e55d6a711fb27df26a9bf25d2bc3b940facb5c6d169474245df1df413b7bda82
                              • Instruction Fuzzy Hash: A2F0FE71A016119BD7305F26EC04B5BB7D89F00B45F156429EC49FB254E7B4E8548690
                              APIs
                              • InterlockedDecrement.KERNEL32(?), ref: 00E4B298
                              • SysFreeString.OLEAUT32(00000000), ref: 00E4B2AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DecrementFreeInterlockedString
                              • String ID: `)u
                              • API String ID: 3298718523-4279031584
                              • Opcode ID: 129cc268f51e365c6b098636fdc143d086b583bcf50565a58df9289ad8587bd2
                              • Instruction ID: d1567f9856d8ac7806561110f7976c85bab6ecaa1f587c7fa3a9ce8d9c05a397
                              • Opcode Fuzzy Hash: 129cc268f51e365c6b098636fdc143d086b583bcf50565a58df9289ad8587bd2
                              • Instruction Fuzzy Hash: E1F030B6A006115BD6316F29AC09B5B77EC9F90751F09552AFC89F7220EBB0E8048764
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
• Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message$Time
                              • String ID: l}Gl
                              • API String ID: 4026574468-4154562581
                              • Opcode ID: d41fad560d73beaa03da862647076052f4c53fcf19da4bdac073645631cea342
                              • Instruction ID: 90e9d5d136204be741be224d4a000a8c41a4075aad74cb1a12899a15e3571f89
                              • Opcode Fuzzy Hash: d41fad560d73beaa03da862647076052f4c53fcf19da4bdac073645631cea342
                              • Instruction Fuzzy Hash: CAE08635805B558B8722EF7450484967BE0EF042593800D1EDDC297F00DF30D445CA51
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E8D2D8
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E8D2E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pThreadProxy
                              • API String ID: 1687795959-3651400591
                              • Opcode ID: dbf11fa4fd0678fabbb9169439848ae2933a45004901aa5c2c820e12037720eb
                              • Instruction ID: 133d3039fc92f0b84edd5e95fe16645d74cac262db13c95633acac63250f49d4
                              • Opcode Fuzzy Hash: dbf11fa4fd0678fabbb9169439848ae2933a45004901aa5c2c820e12037720eb
                              • Instruction Fuzzy Hash: E4D05E31D0030C6ACB10FAA4D95AF8F77E85B10714F009079AA18F6292EAB0E5058AE1
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C276A00
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4518653350.000000006C271000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C270000, based on PE: true
• Associated: 00000004.00000002.4518630247.000000006C270000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518787647.000000006C41A000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518836234.000000006C470000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518862031.000000006C473000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518886956.000000006C475000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518886956.000000006C477000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000004.00000002.4518936587.000000006C47D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c270000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: pi'l h'l$wg'l
                              • API String ID: 4194217158-2166665465
                              • Opcode ID: b2003c74dfa3fd4ef395201022c986760ac589ff66cd40372ea06e35f855e054
                              • Instruction ID: a1288e56774dc959585cf5e2524929623a126da0ba31b7ae3f4c8af4c444d7c7
                              • Opcode Fuzzy Hash: b2003c74dfa3fd4ef395201022c986760ac589ff66cd40372ea06e35f855e054
                              • Instruction Fuzzy Hash: 8BD05EB0D04308DFCF00EFA8D18249CBBB4AB04324F0000B9D88897300E230AA98CF41
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00E7863D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7864B
                                • Part of subcall function 00E92A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00E92AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
                              • String ID: bad function call
                              • API String ID: 4038826145-3612616537
                              • Opcode ID: f3644aab24fc751000fb785de637fe247f7d9dd24247639c4b38f3a4f57dcb4a
                              • Instruction ID: df8774ddc36e1d298a7a389121243a10eb421fed5ee36884d068b287a17e0c7a
                              • Opcode Fuzzy Hash: f3644aab24fc751000fb785de637fe247f7d9dd24247639c4b38f3a4f57dcb4a
                              • Instruction Fuzzy Hash: 4BC01229D0020C7BCF00FAA4DD56D8D7768AB40700F906461B610B2155EAF4A61586D2
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,C1427766,00000000,00000000,00000000,00000000,00E3E161,00E3E161,00000000,00000000,00000000,C1427766), ref: 00EABC81
                              • GetLastError.KERNEL32(?,00E3E161), ref: 00EABC8F
                              • MultiByteToWideChar.KERNEL32(00000004,00000001,?,?,C1427766,00000000,?,00E3E161), ref: 00EABCEA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 6f5756003c427f4df47bd0d0d019db9552f7ddfbb5062807726fd940a1d5ea89
                              • Instruction ID: 5e2876e745d03420a046c5c2d56659823f20add39f95f76fc4fcbd31831c4b80
                              • Opcode Fuzzy Hash: 6f5756003c427f4df47bd0d0d019db9552f7ddfbb5062807726fd940a1d5ea89
                              • Instruction Fuzzy Hash: B841F931A00245AFCF219F65CC44BBABBA4EF4B324F159169F859BF1A2DB31AD01C761
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E3719B
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E371AC
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?), ref: 00E371C5
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,00000000,?,?), ref: 00E371EA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4516002467.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
• Associated: 00000004.00000002.4515957980.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516146435.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516196094.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516230245.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516259649.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.4516277169.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_e30000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 50e817c5969203dc73945d20ebde7c250a78865e0bab5b6a6f576cbd7a59e2b6
                              • Instruction ID: 457cae2bd1f9c1c78bc9f425803271d678dd5af4dbb9a388c298a666b9dcd041
                              • Opcode Fuzzy Hash: 50e817c5969203dc73945d20ebde7c250a78865e0bab5b6a6f576cbd7a59e2b6
                              • Instruction Fuzzy Hash: 8F2107B660420ABFDB205F54EC89FABBB9DEF05344F108225F945A7111DB71AD18C7A0