
Windows Analysis Report
WiezmDFd6L.exe

Overview

General Information

Sample name: WiezmDFd6L.exe (renamed because the original name is a hash value)
Original sample name: 37B0FD9C5E815053E72C20931D2E414C.exe
Analysis ID: 1580628
MD5: 37b0fd9c5e815053e72c20931d2e414c
SHA1: 0dc5769ff9a644e67fe9115fa6158f820a6b39e2
SHA256: e0cf2976621e7ededbbffb8c8feecc307b73ddaa89d859cb9623bfc972c1f0cc
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WiezmDFd6L.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\WiezmDFd6L.exe" MD5: 37B0FD9C5E815053E72C20931D2E414C)
    • cmd.exe (PID: 7380 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RuntimeBrokers.exe (PID: 7432 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7380, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 7432, ProcessName: RuntimeBrokers.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\Public\Bilite\Axialis\libcurl.dll | ReversingLabs: Detection: 60%
Source: WiezmDFd6L.exe | Virustotal: Detection: 44%
Source: WiezmDFd6L.exe | ReversingLabs: Detection: 47%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E62AF0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,CertNameToStrW,CertNameToStrW,CertNameToStrW
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E62CE0 lstrcmpA,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E62DB0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E62EE0 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertFindCertificateInStore
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E632B1 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C960200 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C961340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C95FF50 CryptStringToBinaryA,CryptStringToBinaryA
Source: WiezmDFd6L.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: UpdaterSetup.exe.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: UpdaterSetup.exe.pdbP source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: updater.exe.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.00000000034D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: updater.exe.pdbP source: WiezmDFd6L.exe, 00000000.00000003.1718878797.00000000034D1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E4BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9C82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CADF2EC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CADF23B FindFirstFileExW
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9780D0 WSAStartup,getaddrinfo,WSACleanup,socket,WSACleanup,connect,closesocket,freeaddrinfo,WSACleanup,recv,closesocket,WSACleanup,VirtualAlloc
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.css
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://.jpg
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrokers.exeString found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://support.google.com/installer/
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://support.google.com/installer/%s?product=%s&error=%d
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720578760.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/bug/new
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.google.com/update2/installers/icons/
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000002.4131893924.0000000000C72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: RuntimeBrokers.exe, 00000003.00000002.4131893924.0000000000C93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041.
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/service/update2/json
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update.googleapis.com/service/update2/jsonhttps://clients2.google.com/cr/reporthttps://m.goo
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CA041CD __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9C2720 GetAsyncKeyState,SendMessageW,GetClientRect,SetScrollPos
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9A4517 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C98D25E GetKeyState,GetKeyState,GetKeyState,SendMessageW
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C961340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Process Stats: CPU usage > 49%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E76520 CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E43A00 CloseServiceHandle,PathFileExistsW,OpenSCManagerW,GetLastError,_strrchr,_strrchr,OpenServiceW,GetLastError,_strrchr,_strrchr,QueryServiceStatus,QueryServiceStatus,GetLastError,_strrchr,_strrchr,ControlService,Sleep,Sleep,QueryServiceStatus,DeleteService,GetLastError,_strrchr,_strrchr,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_00404FAA
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_0041206B
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_0041022D
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: 0_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E660C2
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E3245C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E346D0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E68A70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E940C0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00EA6192
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E722A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E9437B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E5A340
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E7A6B0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E8264E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E84A4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E48BE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E5AD00
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E58E36
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E58E10
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E3B010
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E4F170
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00EAB10C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E77280
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E45490
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E9F520
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E7F6C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E937DD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E93730
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00EB3868
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00EB7830
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E99930
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E59AC0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E93B4F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E99B5F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E63B3C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00EADC99
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E93DF9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E99D8E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_00E7FEAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C97ECF0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CAC2C00
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CACA824
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C974830
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CAE6AA2
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9884BD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CAD06C6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CAC6671
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C98478E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9BA1A1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9B230B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C98DC9F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9ABDDD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6CAC9EA0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C973F40
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C97B880
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C99D455
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9BB5AF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C97F0B0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C9990AD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: 3_2_6C975110
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe 9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E93040 appears 63 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E7BF08 appears 80 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C97D970 appears 31 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E42450 appears 88 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C99D8B0 appears 69 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E3E9E0 appears 43 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C99F77F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C99F675 appears 204 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E7BB3F appears 60 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C98068B appears 63 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E92860 appears 162 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E7C7A0 appears 58 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 6C99F6DE appears 67 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E4A030 appears 36 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Code function: String function: 00E423F0 appears 62 times
Source: C:\Users\user\Desktop\WiezmDFd6L.exe | Code function: String function: 0040243B appears 37 times
Source: chiomsStup.exe.0.dr | Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: chiomsStup.exe.0.dr | Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameupdater.exe> vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000003519000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUpdaterSetup.exeB vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000003.1664284782.0000000002491000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameV vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000000.1663152145.000000000041A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameV vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamensdksetupJ vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXZCalendarServer.exe* vs WiezmDFd6L.exe
Source: WiezmDFd6L.exe, 00000000.00000003.1720766024.0000000005CB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUpdaterSetup.exeB vs WiezmDFd6L.exe
Source: WiezmDFd6L.exeBinary or memory string: OriginalFilenameV vs WiezmDFd6L.exe
Source: WiezmDFd6L.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal48.evad.winEXE@6/9@0/0
Source: C:\Users\user\Desktop\WiezmDFd6L.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\user\Desktop\WiezmDFd6L.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: OpenSCManagerW,GetLastError,_strrchr,_strrchr,PathFileExistsW,PathFileExistsW,SHCreateDirectoryExW,PathFileExistsW,CreateServiceW,GetLastError,_strrchr,_strrchr,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00E42FC0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 3_2_00E70420 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,CloseHandle,CloseHandle,OpenProcess,CloseHandle,OpenProcessToken,DuplicateTokenEx,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_00E70420
Source: C:\Users\user\Desktop\WiezmDFd6L.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\WiezmDFd6L.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 3_2_00E4B479 _strrchr,_strrchr,GetConsoleWindow,ShowWindow,CoInitializeEx,StartServiceCtrlDispatcherW,OpenEventW,GetProcAddress,GetProcAddress,FreeLibrary,CoUninitialize,3_2_00E4B479
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 3_2_00E4B479 _strrchr,_strrchr,GetConsoleWindow,ShowWindow,CoInitializeEx,StartServiceCtrlDispatcherW,OpenEventW,GetProcAddress,GetProcAddress,FreeLibrary,CoUninitialize,3_2_00E4B479
Source: C:\Users\user\Desktop\WiezmDFd6L.exeFile created: C:\Users\Public\BiliteJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCommand line argument: Np3_2_00EB6F90
Source: WiezmDFd6L.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WiezmDFd6L.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: WiezmDFd6L.exeVirustotal: Detection: 44%
Source: WiezmDFd6L.exeReversingLabs: Detection: 47%
Source: RuntimeBrokers.exeString found in binary or memory: --StartTask
Source: RuntimeBrokers.exeString found in binary or memory: --InstallTask
Source: RuntimeBrokers.exeString found in binary or memory: --stop
Source: RuntimeBrokers.exeString found in binary or memory: --start
Source: RuntimeBrokers.exeString found in binary or memory: --install
Source: RuntimeBrokers.exeString found in binary or memory: /launch CrashRestart
Source: C:\Users\user\Desktop\WiezmDFd6L.exeFile read: C:\Users\user\Desktop\WiezmDFd6L.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\WiezmDFd6L.exe "C:\Users\user\Desktop\WiezmDFd6L.exe"
Source: C:\Users\user\Desktop\WiezmDFd6L.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\WiezmDFd6L.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\WiezmDFd6L.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: libcurl.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: version.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: chiomsStup.exe.lnk.3.dr LNK file: ..\..\Public\Bilite\chiomsStup.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WiezmDFd6L.exe Static file information: File size 37394506 > 1048576
Source: Binary string: UpdaterSetup.exe.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \YSS\Release\libcurl.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: UpdaterSetup.exe.pdbP source: WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: updater.exe.pdb source: WiezmDFd6L.exe, 00000000.00000003.1718878797.00000000034D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: updater.exe.pdbP source: WiezmDFd6L.exe, 00000000.00000003.1718878797.00000000034D1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: libcurl.dll.0.dr Static PE information: section name: .00cfg
Source: chiomsStup.exe.0.dr Static PE information: section name: CPADinfo
Source: chiomsStup.exe.0.dr Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7C7E6 push ecx; ret 3_2_00E7C7F9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7BEE2 push ecx; ret 3_2_00E7BEF5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C97F770 push eax; mov dword ptr [esp], 8007000Eh 3_2_6C97F774
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9C0E84 pushfd ; retf 3_2_6C9C0E85
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C98FDC3 push esi; ret 3_2_6C98FDC5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C99F74D push ecx; ret 3_2_6C99F760
Source: C:\Users\user\Desktop\WiezmDFd6L.exe File created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\WiezmDFd6L.exe File created: C:\Users\Public\Bilite\chiomsStup.exe
Source: C:\Users\user\Desktop\WiezmDFd6L.exe File created: C:\Users\Public\Bilite\Axialis\libcurl.dll
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C98E96E IsIconic, 3_2_6C98E96E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9B87C4 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 3_2_6C9B87C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9A307D GetParent,IsIconic,GetParent,__EH_prolog3, 3_2_6C9A307D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9872DF IsIconic,IsWindowVisible, 3_2_6C9872DF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9932E4 IsWindowVisible,IsIconic, 3_2_6C9932E4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7A6B0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00E7A6B0
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe System information queried: FirmwareTableInformation
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E42690 _strrchr,_strrchr,RegOpenKeyExW,RegCloseKey,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,ShellExecuteExW,Sleep,ShellExecuteExW, 3_2_00E42690
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo, 3_2_00E76390
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Window / User API: threadDelayed 840
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Window / User API: threadDelayed 3801
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Window / User API: threadDelayed 3414
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Dropped PE file which has not been started: C:\Users\Public\Bilite\chiomsStup.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-132004
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_3-128237
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe API coverage: 6.1 %
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7460 Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7456 Thread sleep time: -2520000s >= -30000s
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 7456 Thread sleep time: -10242000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E4BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ, 3_2_00E4BE70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9C82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 3_2_6C9C82CF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6CADF2EC FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose, 3_2_6CADF2EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6CADF23B FindFirstFileExW, 3_2_6CADF23B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E660C2 PostMessageW,__Mtx_unlock,GetModuleHandleW,GetSystemInfo,_strrchr,_strrchr,curl_slist_free_all,_strrchr,_strrchr,__Mtx_unlock,_strrchr,_strrchr,_strrchr,_strrchr,__Mtx_unlock,__Mtx_unlock,_strrchr,_strrchr,PostMessageW,PostMessageW,__Mtx_unlock,__Mtx_unlock, 3_2_00E660C2
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Thread delayed: delay time: 73000
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Process information queried: ProcessInformation
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7C411 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00E7C411
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C981028 OutputDebugStringA,GetLastError, 3_2_6C981028
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00EA46B3 mov eax, dword ptr fs:[00000030h] 3_2_00EA46B3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00EB0408 GetProcessHeap, 3_2_00EB0408
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7C128 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00E7C128
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E7C5A4 SetUnhandledExceptionFilter, 3_2_00E7C5A4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E9655F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00E9655F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C9F87A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C9F87A6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6CAD1F38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CAD1F38
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_6C99D796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C99D796
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E3245C _strrchr,_strrchr,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,_strrchr,_strrchr,GetModuleHandleW,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,WaitForSingleObject,PeekMessageW,TranslateMessage,DispatchMessageW,WaitForSingleObject,WaitForSingleObject,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,curl_global_cleanup,MoveFileExW,_strrchr,_strrchr, 3_2_00E3245C
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_00EB216F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_00EB22FE
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_00EB2263
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_00EB2218
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_00EB238B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_00EB25DB
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00EB2704
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00EB28D8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_00EB280B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_00EA92B6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_00EA979F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00EB1FDB
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 3_2_6C9A60F1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_6CAE60D3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_6CAE6074
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_6CAE61A8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_6CAE61F3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6CAE629A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_6CAE63A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_6CAE5D86
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: EnumSystemLocalesW, 3_2_6CADBD0B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6CAE5E21
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6CAE5B35
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: GetLocaleInfoW, 3_2_6CADB6EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00401626
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00EAC3FF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 3_2_00EAC3FF
Source: C:\Users\user\Desktop\WiezmDFd6L.exe Code function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E8CBF3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 3_2_00E8CBF3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E31050 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 3_2_00E31050
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe Code function: 3_2_00E8D8C9 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 3_2_00E8D8C9
MITRE ATT&CK matrix (the number in parentheses is the count of matched signatures; entries without a number are unmatched cells of the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (3), Service Execution (12), Native API (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Windows Service (14), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Windows Service (14), Process Injection (11), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (111), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Compile After Delivery, Indicator Removal from Tools
Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (24), Virtualization/Sandbox Evasion (111), Process Discovery (2), Application Window Discovery (11), System Network Configuration Discovery (1), File and Directory Discovery (2), System Information Discovery (36)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Input Capture (21), Archive Collected Data (11), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Data Encrypted for Impact (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus detection

Initial sample
Source | Detection | Scanner | Label
WiezmDFd6L.exe | 45% | Virustotal |
WiezmDFd6L.exe | 47% | ReversingLabs | Win32.Dropper.Vilsel

Dropped files
Source | Detection | Scanner | Label
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | 4% | ReversingLabs |
C:\Users\Public\Bilite\Axialis\libcurl.dll | 61% | ReversingLabs | Win32.Trojan.DllHijack
C:\Users\Public\Bilite\chiomsStup.exe | 0% | ReversingLabs |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
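The dropped-file table above places RuntimeBrokers.exe next to a libcurl.dll that ReversingLabs labels Win32.Trojan.DllHijack, both under C:\Users\Public\Bilite\Axialis, and the executable's name differs from the Windows RuntimeBroker.exe by one letter. The following is an added detection example, not code from the report or from the sample: it runs three checks over constructed Sysmon-style events (execution from a user-writable folder, a look-alike of a Windows binary name outside the system directories, and a DLL loaded from the executable's own user-writable directory). The event records, the WRITABLE_ROOTS list and the WINDOWS_BINARIES allow-list are assumptions made for the example.

```python
"""Triage of process-creation and image-load telemetry for the drop chain in this report.

Added example, not part of the Joe Sandbox report or of the sample. The events below are
constructed from the report's facts (RuntimeBrokers.exe dropped next to libcurl.dll under
C:\\Users\\Public\\Bilite\\Axialis) plus benign controls; field names follow Sysmon's
EventID 1 (process create) and EventID 7 (image load), but nothing here is captured telemetry.
"""
from pathlib import PureWindowsPath

# Assumption: user-writable roots that legitimate services rarely execute from (tune per estate).
WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: a short allow-list of Windows binary names used for look-alike matching.
WINDOWS_BINARIES = {"runtimebroker.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                    "dllhost.exe", "conhost.exe", "explorer.exe"}

# Constructed events; the first four mirror the report, the rest are benign controls.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\WiezmDFd6L.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe",
     "ParentImage": r"C:\Users\user\Desktop\WiezmDFd6L.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe",
     "ImageLoaded": r"C:\Users\Public\Bilite\Axialis\libcurl.dll"},
    {"EventID": 7, "Image": r"C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\RuntimeBroker.exe",
     "ImageLoaded": r"C:\Windows\System32\combase.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\libcurl.dll"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch near-miss names such as RuntimeBrokers.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(path: str, roots) -> bool:
    """Case-insensitive prefix test against a tuple of directory roots."""
    return path.lower().startswith(roots)


def lookalike(image: str):
    """Return the Windows binary name this image resembles (distance <= 2), or None."""
    name = PureWindowsPath(image).name.lower()
    for known in sorted(WINDOWS_BINARIES):
        if known != name and levenshtein(name, known) <= 2:
            return known
    return None


def triage(events):
    """Return (event index, rule, detail) tuples for every rule an event trips."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev["Image"]
        if ev["EventID"] == 1:
            if is_under(image, WRITABLE_ROOTS):
                findings.append((idx, "execution_from_user_writable_path", image))
            twin = lookalike(image)
            if twin and not is_under(image, SYSTEM_DIRS):
                findings.append((idx, "masquerading", f"{image} resembles {twin}"))
        elif ev["EventID"] == 7:
            dll = ev["ImageLoaded"]
            same_dir = (str(PureWindowsPath(dll).parent).lower()
                        == str(PureWindowsPath(image).parent).lower())
            # Only a DLL from the process's own directory under a writable root is flagged,
            # so an application loading its own DLL from Program Files stays quiet.
            if same_dir and dll.lower().endswith(".dll") and is_under(dll, WRITABLE_ROOTS):
                findings.append((idx, "dll_sideload_candidate",
                                 f"{image} loaded {dll} from its own directory"))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in triage(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The third rule deliberately requires all three conditions (same directory, .dll, writable root) so that a vendor application loading its bundled libcurl.dll from Program Files does not fire; in a real estate the root list and the allow-list are the parts to tune.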
URLs
Source | Detection | Scanner | Label
https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041. | 0% | Avira URL Cloud | safe
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | 0% | Avira URL Cloud | safe
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | 0% | Avira URL Cloud | safe
https://update-xztodolist.cqttech.com/api/v1/update/check | 0% | Avira URL Cloud | safe
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat | 0% | Avira URL Cloud | safe
No contacted domains info

URLs found in memory or binary data

Sources:
  A = WiezmDFd6L.exe, 00000000.00000003.1718878797.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp
  B = RuntimeBrokers.exe, 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
  C = RuntimeBrokers.exe, 00000003.00000000.1722836156.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
  D = RuntimeBrokers.exe, 00000003.00000002.4131893924.0000000000C72000.00000004.00000020.00020000.00000000.sdmp
  E = RuntimeBrokers.exe, 00000003.00000002.4131893924.0000000000C93000.00000004.00000020.00020000.00000000.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | A | false | | high
http://html4/loose.dtd | A | false | | high
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | A, B, C | false | Avira URL Cloud: safe | unknown
https://crashpad.chromium.org/ | A | false | | high
https://sectigo.com/CPS0 | A | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | A | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | A | false | | high
http://ocsp.sectigo.com0 | A | false | | high
https://m.google.com/devicemanagement/data/api | A | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | A | false | | high
https://crashpad.chromium.org/bug/new | A | false | | high
https://dl.google.com/update2/installers/icons/ | A | false | | high
http://support.google.com/installer/ | A | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | A, B, C | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | A | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/check | A, RuntimeBrokers.exe, B, C, D | false | Avira URL Cloud: safe | unknown
https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041. | E | false | Avira URL Cloud: safe | unknown
http://support.google.com/installer/%s?product=%s&error=%d | A | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | A | false | | high
http://.css | A | false | | high
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat | RuntimeBrokers.exe | false | Avira URL Cloud: safe | unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new | A | false | | high
http://.jpg | A | false | | high

The trailing characters on the Sectigo entries (crl0t, crl0y, CPS0, com0, crt0#, p7c0#) are not part of the URLs: they are the DER tag and length bytes that follow each URL inside embedded certificate data, picked up by string extraction. The Sectigo, Google and Crashpad strings together indicate embedded code-signing certificate chains and Chromium/Omaha installer components in the dropper's memory, not contacted infrastructure.

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580628
Start date and time: 2024-12-25 13:26:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WiezmDFd6L.exe (renamed because the original name is a hash value)
Original sample name: 37B0FD9C5E815053E72C20931D2E414C.exe
Detection: MAL
Classification: mal48.evad.winEXE@6/9@0/0
EGA information:
  • Successful, ratio: 100%
HCA information:
  • Successful, ratio: 98%
  • Number of executed functions: 132
  • Number of non-executed functions: 235
Cookbook comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analysed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found

Simulations
Time | Type | Description
07:27:03 | API Interceptor | 30884x Sleep call for process: RuntimeBrokers.exe modified
Dropped file seen in connection with other samples
Match | Associated sample name / URL | Detection | Threat name
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Fqae7BLq4m.exe | malicious | Unknown
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | Fqae7BLq4m.exe | malicious | Unknown
Dropped file
Process: C:\Users\user\Desktop\WiezmDFd6L.exe
File Type: openssl enc'd data with salted password, base64 encoded
Category: dropped
Size (bytes): 44
Entropy (8bit): 4.851365993588127
Encrypted: false
SSDEEP: 3:iqktR2INd9IbY:il/NIY
MD5: AD536A9CDFCA167DE415D847C7579B8A
SHA1: 52405A8B8B8C8734DA13E38C8A9F9A8EA782B8AA
SHA-256: 59213964F6B9A818B94C0DED984E16AAFEE71CE912D88C70747E1CC6AD4D1C78
SHA-512: F789FC3BF53213146A47BFCBE8D5E0775720189995488F821A928708C809E5D34AAF9869FA056B3251907B4681157D9380D0E9F259F2F0699B50899877B3F315
Malicious: false
Reputation: low
Preview: U2FsdGVkX18JJnI18eSsh/zaQiR5umhCOXeU9e5n2OE=
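The file type above comes from the "Salted__" magic that `openssl enc -salt` writes: 8 magic bytes, an 8-byte random salt, then the ciphertext, all base64-encoded here. The container records neither the cipher nor the digest, and the password is not in the report, so the content cannot be recovered from this page; what can be recovered is the salt and the ciphertext size, and for any candidate password the key and IV OpenSSL would derive with EVP_BytesToKey. The following is an added example, not code from the report or the sample: it parses the 44-byte preview shown above and implements the KDF with Python's standard library. CANDIDATE_PASSWORD is a placeholder, and the choice of AES-256-CBC key and IV sizes is an assumption about how the file was produced (the actual decryption step, which needs an AES implementation outside the standard library, is left out).

```python
"""Parse the 44-byte dropped file that the report labels "openssl enc'd data with salted
password, base64 encoded" and derive what OpenSSL would use as key and IV for a candidate
password. Added example, not code from the report or the sample. The base64 blob is the
preview printed in the report; CANDIDATE_PASSWORD is a placeholder, not a recovered secret.
"""
import base64
import hashlib

OPENSSL_MAGIC = b"Salted__"
SAMPLE_B64 = "U2FsdGVkX18JJnI18eSsh/zaQiR5umhCOXeU9e5n2OE="   # preview from the report
CANDIDATE_PASSWORD = b"placeholder"                          # assumption: the real one is unknown


def parse_openssl_salted(b64_text: str) -> dict:
    """Split an `openssl enc -salt -a` blob into its 8-byte salt and the raw ciphertext."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    if len(raw) < 16 or raw[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' container")
    salt, body = raw[8:16], raw[16:]
    aligned = len(body) % 16 == 0
    return {
        "salt_hex": salt.hex(),
        "ciphertext_len": len(body),
        # With a 16-byte block cipher and PKCS#7 padding the body is a whole number of
        # blocks and the plaintext is at most one byte shorter than the body.
        "block_aligned": aligned,
        "max_plaintext_len": len(body) - 1 if aligned else None,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha256", count: int = 1):
    """OpenSSL EVP_BytesToKey: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), concatenated
    until key_len + iv_len bytes exist. `openssl enc` uses count=1; the digest defaulted to
    md5 before OpenSSL 1.1.0 and to sha256 from 1.1.0 on, so both must be tried when the
    producing version is unknown."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = prev + password + salt
        for _ in range(count):
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def candidate_keys(b64_text: str, password: bytes) -> dict:
    """Key/IV pairs (32 + 16 bytes, i.e. AES-256-CBC) under both digests OpenSSL has defaulted to."""
    salt = bytes.fromhex(parse_openssl_salted(b64_text)["salt_hex"])
    return {md: evp_bytes_to_key(password, salt, 32, 16, md) for md in ("md5", "sha256")}


if __name__ == "__main__":
    info = parse_openssl_salted(SAMPLE_B64)
    print(info)
    for md, (key, iv) in candidate_keys(SAMPLE_B64, CANDIDATE_PASSWORD).items():
        print(md, "key", key.hex(), "iv", iv.hex())
```

For this blob the parser reports a single 16-byte ciphertext block, so the plaintext is at most 15 bytes, which is consistent with a short token or key rather than a payload. A password-guessing loop would pair each candidate's derived key and IV with AES-CBC and accept only a decryption whose final block carries valid PKCS#7 padding; with one block that check alone yields a roughly 1/256 false-positive rate, so any hit needs a second look.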
Dropped file (not named in this extract; the 4% ReversingLabs result and the Fqae7BLq4m.exe relation match C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe in the tables above)
Process: C:\Users\user\Desktop\WiezmDFd6L.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 777816
Entropy (8bit): 6.621348016864403
Encrypted: false
SSDEEP: 12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
MD5: 30A274E00DA842B09E9763F19777ADED
SHA1: 848C6A9348020EAEEC1A5674990683A1D9977B80
SHA-256: 9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
SHA-512: 81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:
  • Filename: Fqae7BLq4m.exe, Detection: malicious
  • Filename: Fqae7BLq4m.exe, Detection: malicious
Reputation: low
                                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................
Dropped file (not named in this extract; the 61% ReversingLabs result matches C:\Users\Public\Bilite\Axialis\libcurl.dll, labelled Win32.Trojan.DllHijack, in the tables above)
Process: C:\Users\user\Desktop\WiezmDFd6L.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2290968
Entropy (8bit): 6.6054620256900645
Encrypted: false
SSDEEP: 49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeZyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSeu
MD5: C257B09BEDDF38B3F89381997852AD36
SHA1: 1CD6B43CBCB0AE1BA1BE52F667F538735E89DFEB
SHA-256: 1618A5C7CEB3AC1B7680616339AD472EDBE3C706023D3DC7891688F40EEEA637
SHA-512: DC39825D00348D9E421287904F16FEFF0AC29B92C9ACCEF5D2DD270F4A9297F1418BF62A133DCC448386DEBA931BAA14377A3CA03C9254B770EF276A33A731B1
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 61%
Reputation: low
                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
Dropped file
Process: C:\Users\user\Desktop\WiezmDFd6L.exe
File Type: data
Category: dropped
Size (bytes): 33724701
Entropy (8bit): 7.999992899770466
Encrypted: true
SSDEEP: 786432:CJ3OEsZI99fnh9+4RzOqcFWQTUIQUjt1ol9bHoQcq4LliKKG/:3hZIHfhJOnWQTr1olN7qoK1/
MD5: 68A106A46BCD32515D30B56C8ABC29BB
SHA1: E8EC8977D1DB3152869C46AB630B0B6586C04F71
SHA-256: 10DEEBDC6F75ED88A66BEAEF6AE24D125CCCF14F97E5E03FCE7EA33FBCA37111
SHA-512: BD5909C2F1904CD416F7BA759939413757D09B06DFF6C37E16B7028EDB114CEDEDE173B7BD8C47C012E38ECA6922E18921453DC79D8CF81B31B13D7CC8FBACBB
Malicious: false
Reputation: low
                                          Preview:..>.....x...@..s..[-.l=jc.\`S..'...;..4Q.U~t...<.WZ...=......J.N....(...th......i(<.W..#..5..`..e.\.....h.U.m..4....R[....i...)M?*..ho...u.......l.. ':........#......*@..........h.Z..9..(.@i.'.3.}.-...y.y_G.....Yc....;......$,...4.{d+.6C{.........e.I9?j\..P....\...N.9|4/./.*|..G"g./.u]tt.C....,.H..t.3..../w.....l..|}N..5y....Db+..>.N...).O......s7.}.NMP.!.!mH..@k"..u2&...D7=........w.x.#...)yy~.6.4".~Y,..x..0..w.......h.(.....)r.a...m.(x.\.>n..<g\.6..C.$...M.PD..B.R.....7........S..*Q.......2.qFtz`.Y.M.C.......tF.T...*.Ud.-....O...............!m...R...0..)....s...U....p.j....+...&q..}!..V..x.lsP....<.8...H .)A3.M...]..bTe.|....A{..y..._..A....7..>......Jl...<;..e.fT.EoY....}.X....D...7........E.\.S.&].....I..."..u....O>.I......^."...MwS.oN......\>.WC...=a1U.*6.d.@i.l.#:..kG.AQ.....z.......F.....n9.$u..\..A..<m....%..Z(..S......F.. ...~....[...G.;L..,;.,.A.D.U...N!..}L....w.2.L.........U!.iiMb..VK......'.T......p......#|..,....0f?.EO.....r....L
Dropped file (not named in this extract; the 0% ReversingLabs result matches C:\Users\Public\Bilite\chiomsStup.exe in the tables above, and the size equals the length=10384768 recorded in the dropped shortcut below)
Process: C:\Users\user\Desktop\WiezmDFd6L.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 10384768
Entropy (8bit): 6.780996075213578
Encrypted: false
SSDEEP: 196608:VpjYZ94Z6AhJ5NtGdDDIauMJZZCgdaTos7s4QA/rmYeus5dvXCKsJdVV3qHDYyY2:VpjwKZF5LGdDDvJZZCgdwbcAheus5xXB
MD5: C8B07E0F9BA7C97B55CB29835FFAF5F6
SHA1: 9FFFC728C361DCDD4828212F1F0E56A0DAC92463
SHA-256: A68355D5F7E99F3BE66D84EA5AD4A72F92D1611C53F959C0B4E742B363678578
SHA-512: 0AB0D39F0FBCDB11E241AE95CC540A54EF4D9A6E611AE516EF189627E73505696AEBEDACE7D4527C40F31A021850CB7CB563F4D0CE0411BE2F9B87ABA2493866
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation: low
                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...{*2g.........."......T4...i...................@......................................@.........................<.=.U.....=.@.....@..H^..........,...I...`.......k=.....................Pi=......q4.............@.=.l............................text....S4......T4................. ..`.rdata..`....p4......X4.............@..@.data........ >..R....=.............@....tls....u.....?......N>.............@...CPADinfo(.....?......P>.............@...malloc_h......@......R>............. ..`.rsrc....H^...@..H^..T>.............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................
Dropped file
Process: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1592
Entropy (8bit): 5.131453553888863
Encrypted: false
SSDEEP: 48:o+g5Ml7wN7hy7rB7MAvgK8HKPpANf985PD:o1dyZAAvgK8HKxANf985b
MD5: 08577C3B1906091F5538E715A8D518DF
SHA1: 57EFB9CC6D5814E65305A9C23B7FB77F4654E9DF
SHA-256: 62481544AD6EA291C5298A54EE5B09D163EB1DC46619586BD2256CE689A868F4
SHA-512: 1D12605C2902ADF14A165384677F9620F2F6A10607C2520B194AF382C630DAD64737C88FB0A00F672C2110F1503FACDAB43C3ED0246E40FFF2CE980D8C96CB08
Malicious: false
                                          Preview:[2024-12-25 08:42:22.542] [info] [7436] [application.cpp Run: 51] curl init res:2..[2024-12-25 08:42:22.551] [info] [7436] [application.cpp Run: 64] CreateEvent [780]..[2024-12-25 08:42:22.555] [info] [7436] [application.cpp Run: 76] CXZShellExecute init..[2024-12-25 08:42:22.554] [info] [7436] [application.cpp Run: 78] CXZUpdateModule init..[2024-12-25 08:42:22.554] [info] [7436] [application.cpp Run: 80] Timer init..[2024-12-25 08:42:22.559] [info] [7436] [application.cpp Run: 82] ServiceMgr Run..[2024-12-25 08:42:22.566] [info] [7436] [application.cpp Run: 84] ThreadPoolMgr Run..[2024-12-25 08:42:22.566] [info] [7436] [application.cpp Run: 87] Running m_hWndAsy:263254..[2024-12-25 08:42:22.566] [info] [7436] [application.cpp Run: 107] Message Loop..[2024-12-25 08:42:31.812] [info] [7468] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-25 08:42:34.839] [error] [7468] [mmcurl.cpp Get: 128] curl init failed..[2024-12-25 08:42:38.224] [info] [7468] [xzupd
Dropped file
Process: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1245
Entropy (8bit): 5.156104603116801
Encrypted: false
SSDEEP: 24:oVJzNArWyDVNFW2jVNPWk1ArI7bSS1FW2jbSS1PWvuArqmHquFW2jHquPD:ohAzL8ePxAk3Sg8KSgPJA+U8OPD
MD5: D5EC5AE6E301FAC243A988D950F30569
SHA1: 11B29E4F2ABEB29697B28E7CAEFB6965FE61A000
SHA-256: 9E4A0784C5846A6FCE317759B30E2CB3BC06F701A9355FC3A9DBF3032A5B334F
SHA-512: FA461D205B3677DD2372F668CAACEE6D057032B641CE55B0A4927A2701B7920F30E764C3FF725A1949AF36835ED13A6439FDA27809FCE3283EA002881F7B8A24
Malicious: false
                                          Preview:[2024-12-26 00:35:59.194] [info] [7480] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-26 01:37:08.492] [error] [7480] [mmcurl.cpp Get: 128] curl init failed..[2024-12-26 02:37:23.900] [info] [7480] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-26 02:37:23.900] [info] [7480] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-26 09:20:22.776] [info] [7488] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-26 10:07:07.745] [error] [7488] [mmcurl.cpp Get: 128] curl init failed..[2024-12-26 11:11:05.467] [info] [7488] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-26 11:11:05.467] [info] [7488] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-26 17:43:39.890] [info] [7496] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-26 18:33:31.277] [error] [7496] [mmcurl.cpp Get: 1
Dropped file
Process: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 830
Entropy (8bit): 5.135102930583863
Encrypted: false
SSDEEP: 24:oVlYCArPbsZ/eCFW2j/eCPWh9ArB19FW2j19PD:ob9AfsB8WPgAV82PD
MD5: 4D5C23F9F6D50C1294987663AD584DEE
SHA1: A4F0CB00E88F99073DC0FE4562601C6079444BE3
SHA-256: 6BF82CA347CF35F164F0B2CCB5339D5B8DF473973AA867156CEEE93D0FF70D90
SHA-512: DE6819E3882EF0D15BAAF9DBEC747AFF6AC3316019F4802BAF7422EDE6E1D2036B5BF527A21D882363383347128E9B9DE31BEF7C6551DD196A6656AAF2C1F2DD
Malicious: false
                                          Preview:[2024-12-27 02:11:03.979] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-27 03:03:19.245] [error] [7504] [mmcurl.cpp Get: 128] curl init failed..[2024-12-27 03:58:28.367] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-27 03:58:28.367] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-27 10:15:02.585] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-27 10:50:11.014] [error] [7512] [mmcurl.cpp Get: 128] curl init failed..[2024-12-27 11:32:26.376] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-27 11:32:26.376] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..
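The three text files RuntimeBrokers.exe writes are application logs in a "[timestamp] [level] [id] [file function: line] message" layout, and each one records the same cycle: "CheckUpdate getstart", a "curl init failed" error from mmcurl.cpp, a "CheckUpdate Res:2" result and "updatecheck fail". Two things matter when reading them. First, the timestamps run into 2024-12-27 and each cycle appears to take over an hour, although the analysis started on 2024-12-25 and lasted nine minutes; the Simulations entry above records 30884 modified Sleep calls for this process, so the elapsed times are sandbox-accelerated, not wall-clock. Second, the previews in the report are cut off, so a parser has to tolerate truncated lines. The following is an added example, not code from the report or the sample: it parses the third preview above (separators restored) and summarises each attempt. Treating the bracketed number as a thread id (spdlog's default layout) is an assumption.

```python
"""Parse the RuntimeBrokers.exe log files dropped in this run and summarise each update attempt.

Added example, not code from the report or the sample. SAMPLE_LOG is the third log preview from
the report with its CRLF separators restored; reading the bracketed number after the level as a
thread id follows spdlog's default "[time] [level] [thread]" pattern and is an assumption.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\] "
    r"\[(?P<level>\w+)\] \[(?P<tid>\d+)\] "
    r"\[(?P<file>\S+) (?P<func>\w+): (?P<line>\d+)\] (?P<msg>.*)$"
)

SAMPLE_LOG = """\
[2024-12-27 02:11:03.979] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart
[2024-12-27 03:03:19.245] [error] [7504] [mmcurl.cpp Get: 128] curl init failed
[2024-12-27 03:58:28.367] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:
[2024-12-27 03:58:28.367] [info] [7504] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail
[2024-12-27 10:15:02.585] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart
[2024-12-27 10:50:11.014] [error] [7512] [mmcurl.cpp Get: 128] curl init failed
[2024-12-27 11:32:26.376] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:
[2024-12-27 11:32:26.376] [info] [7512] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else (e.g. a truncated preview)."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["line"] = int(rec["line"])
    return rec


def summarise(text: str) -> dict:
    """Per id: time window of the attempt, error count, and whether the update check failed."""
    out = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip truncated or foreign lines instead of aborting the whole file
        t = out.setdefault(rec["tid"], {"first": rec["ts"], "last": rec["ts"],
                                        "errors": 0, "started": 0, "failed": 0, "messages": []})
        t["first"] = min(t["first"], rec["ts"])
        t["last"] = max(t["last"], rec["ts"])
        t["errors"] += rec["level"] == "error"
        t["started"] += rec["msg"] == "CheckUpdate getstart"
        t["failed"] += rec["msg"] == "updatecheck fail"
        t["messages"].append(f'{rec["file"]}:{rec["line"]} {rec["msg"]}')
    for t in out.values():
        # Logged time, not real time: the sandbox patched this process's Sleep calls.
        t["elapsed_s"] = round((t["last"] - t["first"]).total_seconds(), 3)
    return out


if __name__ == "__main__":
    for tid, t in summarise(SAMPLE_LOG).items():
        print(f"{tid}: {t['first']} .. {t['last']} ({t['elapsed_s']} s logged), "
              f"errors={t['errors']}, failed={t['failed']}")
```

Run against the other two previews the same summariser yields one attempt per id with the identical failure sequence, which is the signal worth keeping for the timeline: the update component never reached the network in the sandbox, and the "curl init failed" error is the reason the check returned Res:2.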
Dropped file
Process: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 25 11:27:01 2024, mtime=Wed Dec 25 11:27:02 2024, atime=Sun Dec 8 12:55:51 2024, length=10384768, window=hide
Category: dropped
Size (bytes): 1051
Entropy (8bit): 4.686838594335257
Encrypted: false
SSDEEP: 12:8JqGjUlGIRgCICHqXBCnXIACmqfiXUlX52NUjA68yLfGPNvavzh/kD44t2YZ/ele:8QRGh0BW4NAA6j4NyvFDqyFm
MD5: E9CD33609A58F29E4B238A7BD92310F4
SHA1: 909E1E5A58DEE223CBE91FB8D91556C42A7AD74C
SHA-256: B01B8AA3634A52CA9DBE6EC75D5FF798DABA3318818D91DF766DFB1580F64E1B
SHA-512: 3275056321EEB3EC7DE08E1FD77232EAF896B2A2952B23A0F75032B13B926C9F27F6957B9AB2A5BEECD24BF04BEB6E124FDFE80C3E96EA14A2B798BAC24FA146
Malicious: false
                                          Preview:L..................F.... ...`..L.V..s..M.V...@.xI...u...........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y\c....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Y]c..Public..f......O.I.Ybc....+...............<.....U3o.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Yac..Bilite..>......Y]c.Yac..............................B.i.l.i.t.e.....j.2..u...Y.n .CHIOMS~1.EXE..N......Yac.Ybc.........................."e{.c.h.i.o.m.s.S.t.u.p...e.x.e.......T...............-.......S..............-.....C:\Users\Public\Bilite\chiomsStup.exe..".....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.c.h.i.o.m.s.S.t.u.p...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......045012...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.999965747494865
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:WiezmDFd6L.exe
                                          File size:37'394'506 bytes
                                          MD5:37b0fd9c5e815053e72c20931d2e414c
                                          SHA1:0dc5769ff9a644e67fe9115fa6158f820a6b39e2
                                          SHA256:e0cf2976621e7ededbbffb8c8feecc307b73ddaa89d859cb9623bfc972c1f0cc
                                          SHA512:942828476488658ce86644ea68adea083d34cd176100336c74bc86a1c564d661861934838ff019bbc53cebc3598d0e65d02f35894027f75adc0ee1a0aa7bcc13
                                          SSDEEP:786432:XlG05eVClWToLBb7rWDCbIlxKjMrCV5cKzMPzTKd/IsiJ7Z:BMAcebXvI3KjMrgTMbTKdPiT
                                          TLSH:13873369B676E479F3582A3809A04E30F8B88677311647326DB6C49DFBA0F495FD20F1
                                          File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................
                                          Icon Hash:878fd7f3b9353593
                                          Entrypoint:0x411def
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:
                                          Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:b5a014d7eeb4c2042897567e1288a095
                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          push FFFFFFFFh
                                          push 00414C50h
                                          push 00411F80h
                                          mov eax, dword ptr fs:[00000000h]
                                          push eax
                                          mov dword ptr fs:[00000000h], esp
                                          sub esp, 68h
                                          push ebx
                                          push esi
                                          push edi
                                          mov dword ptr [ebp-18h], esp
                                          xor ebx, ebx
                                          mov dword ptr [ebp-04h], ebx
                                          push 00000002h
                                          call dword ptr [00413184h]
                                          pop ecx
                                          or dword ptr [00419924h], FFFFFFFFh
                                          or dword ptr [00419928h], FFFFFFFFh
                                          call dword ptr [00413188h]
                                          mov ecx, dword ptr [0041791Ch]
                                          mov dword ptr [eax], ecx
                                          call dword ptr [0041318Ch]
                                          mov ecx, dword ptr [00417918h]
                                          mov dword ptr [eax], ecx
                                          mov eax, dword ptr [00413190h]
                                          mov eax, dword ptr [eax]
                                          mov dword ptr [00419920h], eax
                                          call 00007FD701258662h
                                          cmp dword ptr [00417710h], ebx
                                          jne 00007FD70125854Eh
                                          push 00411F78h
                                          call dword ptr [00413194h]
                                          pop ecx
                                          call 00007FD701258634h
                                          push 00417048h
                                          push 00417044h
                                          call 00007FD70125861Fh
                                          mov eax, dword ptr [00417914h]
                                          mov dword ptr [ebp-6Ch], eax
                                          lea eax, dword ptr [ebp-6Ch]
                                          push eax
                                          push dword ptr [00417910h]
                                          lea eax, dword ptr [ebp-64h]
                                          push eax
                                          lea eax, dword ptr [ebp-70h]
                                          push eax
                                          lea eax, dword ptr [ebp-60h]
                                          push eax
                                          call dword ptr [0041319Ch]
                                          push 00417040h
                                          push 00417000h
                                          call 00007FD7012585ECh
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x13c0 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .rsrc | 0x1a000 | 0x13c0 | 0x1400 | 5293a0fb2c46166ce21247d17e837639 | False | 0.3568359375 | data | 4.96958597460067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_ICON | 0x1a250 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839
                                           RT_ICON | 0x1a538 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081
                                           RT_MENU | 0x1a660 | 0x4a | data | English | United States | 0.8648648648648649
                                           RT_DIALOG | 0x1a6ac | 0xf2 | data | English | United States | 0.7148760330578512
                                           RT_STRING | 0x1a7a0 | 0x40 | data | English | United States | 0.59375
                                           RT_GROUP_ICON | 0x1a7e0 | 0x22 | data | English | United States | 1.0
                                           RT_VERSION | 0x1a804 | 0x314 | data | English | United States | 0.44416243654822335
                                           RT_MANIFEST | 0x1ab18 | 0x60f | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4229529335912315
                                           RT_MANIFEST | 0x1b128 | 0x298 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4894578313253012
                                           DLL | Import
                                           COMCTL32.dll |
                                           KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
                                           USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
                                           GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
                                           SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
                                           ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
                                           OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
                                           MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
                                           Language of compilation system | Country where language is spoken
                                           English | United States
                                          No network behavior found


                                          Target ID:0
                                          Start time:07:26:57
                                          Start date:25/12/2024
                                          Path:C:\Users\user\Desktop\WiezmDFd6L.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\WiezmDFd6L.exe"
                                          Imagebase:0x400000
                                          File size:37'394'506 bytes
                                          MD5 hash:37B0FD9C5E815053E72C20931D2E414C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:07:27:03
                                          Start date:25/12/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:07:27:03
                                          Start date:25/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:07:27:03
                                          Start date:25/12/2024
                                          Path:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                                          Imagebase:0xe30000
                                          File size:777'816 bytes
                                          MD5 hash:30A274E00DA842B09E9763F19777ADED
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 4%, ReversingLabs
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:18%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:26.8%
                                            Total number of Nodes:1423
                                            Total number of Limit Nodes:15
9321->9329 9325 406461 9323->9325 9326 406467 ??3@YAXPAX 9323->9326 9327 4063a4 9324->9327 9325->9326 9328 403e70 ctype 4 API calls 9326->9328 9327->9321 9848 403f48 9327->9848 9330 406478 ??3@YAXPAX ??3@YAXPAX 9328->9330 9332 406416 9329->9332 9330->9132 9331 401411 ??2@YAPAXI ??3@YAXPAX 9331->9364 9332->9323 9336 406423 9332->9336 9335 405dd8 9338 405de5 9335->9338 9339 4061fa ??3@YAXPAX ??3@YAXPAX 9335->9339 9341 4012f7 2 API calls 9336->9341 9337 4073d1 21 API calls 9342 4063e0 ??3@YAXPAX 9337->9342 9830 4043c6 9338->9830 9343 406312 9339->9343 9340 40243b lstrcmpW 9340->9364 9345 406432 9341->9345 9342->9321 9349 40636a ??3@YAXPAX 9343->9349 9350 404034 21 API calls 9343->9350 9853 404aff 9345->9853 9348 405e45 9352 401329 2 API calls 9348->9352 9349->9318 9354 406321 9350->9354 9355 405e4e 9352->9355 9353 4043c6 2 API calls 9356 405e0e 9353->9356 9838 4048ab 9354->9838 9360 403b7f 19 API calls 9355->9360 9361 401362 2 API calls 9356->9361 9358 40626b ??3@YAXPAX ??3@YAXPAX 9358->9343 9359 401329 2 API calls 9359->9364 9378 405e57 9360->9378 9362 405e1a ??3@YAXPAX ??3@YAXPAX GetFileAttributesW 9361->9362 9365 406211 9362->9365 9366 405e41 9362->9366 9363 40633a SetCurrentDirectoryW 9367 4048ab 4 API calls 9363->9367 9364->9331 9364->9335 9364->9340 9364->9348 9364->9358 9364->9359 9368 401429 2 API calls 9364->9368 9371 403e0d 16 API calls 9365->9371 9366->9348 9369 406362 9367->9369 9370 405ee5 ??3@YAXPAX ??3@YAXPAX 9368->9370 9372 403e0d 16 API calls 9369->9372 9370->9364 9373 406216 9371->9373 9372->9349 9374 407776 55 API calls 9373->9374 9375 40621f 7 API calls 9374->9375 9376 40625e 9375->9376 9376->9358 9377 403bce lstrlenW lstrlenW _wcsnicmp 9377->9378 9378->9377 9379 405f61 _wtol 9378->9379 9380 406025 9378->9380 9379->9378 9381 406080 9380->9381 9382 40602e 9380->9382 9383 401362 2 API calls 9381->9383 9384 406053 9382->9384 9385 406034 9382->9385 9386 40607e 9383->9386 9388 401329 2 API calls 9384->9388 9387 401329 2 API calls 9385->9387 9389 40254d 
2 API calls 9386->9389 9390 40603f 9387->9390 9391 406051 9388->9391 9392 406092 9389->9392 9393 40254d 2 API calls 9390->9393 9394 40243b lstrcmpW 9391->9394 9395 401411 2 API calls 9392->9395 9396 406048 9393->9396 9397 406068 9394->9397 9398 40609a 9395->9398 9399 40254d 2 API calls 9396->9399 9397->9392 9401 40254d 2 API calls 9397->9401 9400 401411 2 API calls 9398->9400 9399->9391 9402 4060a2 memset 9400->9402 9401->9386 9403 4060e1 9402->9403 9404 404594 2 API calls 9403->9404 9405 4060fe 9404->9405 9406 401329 2 API calls 9405->9406 9407 406109 9406->9407 9408 403b7f 19 API calls 9407->9408 9409 406112 9408->9409 9410 4061b1 9409->9410 9614 4021ed 9409->9614 9412 4062ee ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9412 9414 4061c5 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9410->9414 9412->9343 9414->9339 9415 406150 9417 403b7f 19 API calls 9415->9417 9416 401429 2 API calls 9418 406147 9416->9418 9419 406168 ShellExecuteExW 9417->9419 9420 40254d 2 API calls 9418->9420 9422 406282 9419->9422 9423 40618c 9419->9423 9420->9415 9426 407776 55 API calls 9422->9426 9424 4061a0 CloseHandle 9423->9424 9425 406192 WaitForSingleObject 9423->9425 9835 402185 9424->9835 9425->9424 9428 40628c 9426->9428 9429 403e0d 16 API calls 9428->9429 9430 406291 9 API calls 9429->9430 9431 4062e1 9430->9431 9431->9412 9433 401b6c SetTimer GetMessageW DispatchMessageW KillTimer DestroyWindow 9432->9433 9434 401b9f GetVersionExW 9432->9434 9433->9434 9434->9130 9434->9131 9436 40112b 2 API calls 9435->9436 9437 403e38 GetCommandLineW 9436->9437 9438 404594 9437->9438 9439 4045ce 9438->9439 9441 4045a2 9438->9441 9440 4045c6 9439->9440 9443 401429 2 API calls 9439->9443 9440->9142 9441->9440 9442 401429 2 API calls 9441->9442 9442->9441 9443->9439 9445 401411 2 API calls 9444->9445 9453 402a79 9445->9453 9446 401362 2 API calls 9447 402b6c ??3@YAXPAX 9446->9447 9447->9145 9448 402b5f 9448->9446 9450 401411 2 API calls 9450->9453 9451 401429 ??2@YAPAXI ??3@YAXPAX 9451->9453 
9453->9448 9453->9450 9453->9451 9454 401362 2 API calls 9453->9454 9892 4025c6 9453->9892 9895 40272e 9453->9895 9455 402ad9 ??3@YAXPAX 9454->9455 9456 4013e2 2 API calls 9455->9456 9457 402aee ??3@YAXPAX ??3@YAXPAX 9456->9457 9457->9453 9459 403d80 9458->9459 9460 403dbd 9459->9460 9461 403d9a lstrlenW lstrlenW 9459->9461 9460->9149 9460->9151 9906 401a85 9461->9906 9464 401f47 3 API calls 9463->9464 9465 404416 9464->9465 9466 401f9d 19 API calls 9465->9466 9467 40441d 9466->9467 9468 401f9d 19 API calls 9467->9468 9469 404429 9468->9469 9470 401f9d 19 API calls 9469->9470 9471 404435 9470->9471 9472 401f9d 19 API calls 9471->9472 9473 404441 9472->9473 9474 401f9d 19 API calls 9473->9474 9475 40444d 9474->9475 9476 401f9d 19 API calls 9475->9476 9477 404459 9476->9477 9478 401f9d 19 API calls 9477->9478 9479 404465 9478->9479 9480 404480 SHGetSpecialFolderPathW 9479->9480 9483 404533 #17 9479->9483 9484 401411 2 API calls 9479->9484 9485 401329 ??2@YAPAXI ??3@YAXPAX 9479->9485 9487 402f6c 7 API calls 9479->9487 9911 402425 ??3@YAXPAX ??3@YAXPAX 9479->9911 9480->9479 9481 40449a wsprintfW 9480->9481 9482 401411 2 API calls 9481->9482 9482->9479 9483->9150 9484->9479 9485->9479 9487->9479 9489 4022b0 2 API calls 9488->9489 9490 4025c2 9489->9490 9490->9194 9912 403e86 9491->9912 9493 404e56 9494 403e86 2 API calls 9493->9494 9495 404e65 9494->9495 9916 404343 9495->9916 9499 404e82 ??3@YAXPAX 9500 404343 3 API calls 9499->9500 9501 404e9d 9500->9501 9502 403ec1 2 API calls 9501->9502 9503 404ea8 ??3@YAXPAX wsprintfA 9502->9503 9932 403ef6 9503->9932 9505 404ed0 9506 403ef6 2 API calls 9505->9506 9507 404edb 9506->9507 9508 402844 9507->9508 9509 402851 9508->9509 9517 40dcfb 3 API calls 9509->9517 9510 402863 lstrlenA lstrlenA 9515 402890 9510->9515 9511 40296e 9511->9206 9511->9208 9512 40293b memmove 9512->9511 9512->9515 9513 4028db memcmp 9513->9511 9513->9515 9514 402918 memcmp 9514->9515 9515->9511 9515->9512 9515->9513 9515->9514 9518 40dcc7 GetLastError 
9515->9518 9943 402640 9515->9943 9517->9510 9518->9515 9520 40243b lstrcmpW 9519->9520 9521 40461c 9520->9521 9522 40466c 9521->9522 9524 401329 2 API calls 9521->9524 9523 40243b lstrcmpW 9522->9523 9525 40468a 9523->9525 9526 404633 9524->9526 9528 40243b lstrcmpW 9525->9528 9527 401f9d 19 API calls 9526->9527 9529 40463a 9527->9529 9531 4046a2 9528->9531 9530 40254d 2 API calls 9529->9530 9532 404643 9530->9532 9533 40243b lstrcmpW 9531->9533 9534 401329 2 API calls 9532->9534 9535 4046ba 9533->9535 9536 40465c 9534->9536 9538 40243b lstrcmpW 9535->9538 9537 401f9d 19 API calls 9536->9537 9539 404663 9537->9539 9540 4046d2 9538->9540 9541 40254d 2 API calls 9539->9541 9542 4046e9 9540->9542 9543 4046d9 lstrcmpiW 9540->9543 9541->9522 9544 40243b lstrcmpW 9542->9544 9543->9542 9545 4046ff 9544->9545 9546 40243b lstrcmpW 9545->9546 9547 40472c 9546->9547 9550 404739 9547->9550 9946 403d1f 9547->9946 9549 40243b lstrcmpW 9554 40474d 9549->9554 9550->9549 9551 40476d 9553 40243b lstrcmpW 9551->9553 9559 404780 9553->9559 9554->9551 9555 40243b lstrcmpW 9554->9555 9950 403cc6 9554->9950 9555->9554 9556 4047a0 9558 40243b lstrcmpW 9556->9558 9560 4047ac 9558->9560 9559->9556 9561 40243b lstrcmpW 9559->9561 9954 403cf7 9559->9954 9562 40243b lstrcmpW 9560->9562 9561->9559 9563 4047bd 9562->9563 9564 40243b lstrcmpW 9563->9564 9565 4047ce 9564->9565 9566 4047e4 9565->9566 9567 4047db _wtol 9565->9567 9568 40243b lstrcmpW 9566->9568 9567->9566 9569 4047f0 9568->9569 9570 404800 9569->9570 9571 4047f7 _wtol 9569->9571 9572 40243b lstrcmpW 9570->9572 9571->9570 9573 40480c 9572->9573 9574 40243b lstrcmpW 9573->9574 9575 404824 9574->9575 9576 40243b lstrcmpW 9575->9576 9577 40483c 9576->9577 9577->9265 9962 4023dd 9578->9962 9582 404045 9581->9582 9583 404088 9581->9583 9584 4012f7 2 API calls 9582->9584 9585 403b7f 19 API calls 9582->9585 9583->9245 9583->9246 9584->9582 9586 404062 SetEnvironmentVariableW ??3@YAXPAX 9585->9586 9586->9582 9586->9583 9588 40393b 7 API 
calls 9587->9588 9589 403b69 9588->9589 9590 4039f6 7 API calls 9589->9590 9591 403b74 9590->9591 9592 4027c7 6 API calls 9591->9592 9593 403b7a 9592->9593 9593->9266 9739 4083b6 9593->9739 9966 408676 9594->9966 9596 404a55 ??2@YAPAXI 9597 404a64 9596->9597 9611 40dcfb 3 API calls 9597->9611 9598 404a85 9968 40a7de _EH_prolog 9598->9968 9984 40b2fc 9598->9984 9599 404a95 9600 404ab3 9599->9600 9601 404a99 9599->9601 9603 404ada ??2@YAPAXI 9600->9603 9607 403354 86 API calls 9600->9607 9602 407776 55 API calls 9601->9602 9606 404aa1 9602->9606 9604 404ae6 9603->9604 9605 404aed 9603->9605 10009 404292 9604->10009 9990 40150b 9605->9990 9606->9312 9609 404ac6 9607->9609 9609->9603 9609->9606 9611->9598 9615 402200 LoadLibraryA GetProcAddress 9614->9615 9616 4021fb 9614->9616 9617 40221b 9615->9617 9618 402223 9615->9618 9616->9410 9616->9415 9616->9416 9617->9616 9618->9617 10472 4021b9 LoadLibraryA GetProcAddress 9618->10472 9621 40661a 2 API calls 9620->9621 9622 4049af 9621->9622 9623 401f9d 19 API calls 9622->9623 9624 4049bd 9623->9624 9625 4024fc 2 API calls 9624->9625 9626 4049c7 9625->9626 9627 4049fd 9626->9627 9629 40254d ??2@YAPAXI ??3@YAXPAX 9626->9629 9628 40254d 2 API calls 9627->9628 9630 404a0a 9628->9630 9629->9626 9631 401f9d 19 API calls 9630->9631 9632 404a11 9631->9632 9633 40254d 2 API calls 9632->9633 9634 404a1b 9633->9634 9635 4073d1 21 API calls 9634->9635 9636 404a30 ??3@YAXPAX 9635->9636 9637 404a41 ctype 9636->9637 9637->9170 9639 40e8da ctype 3 API calls 9638->9639 9640 403e7e 9639->9640 9641 40e8da ctype 3 API calls 9640->9641 9642 40e943 ??3@YAXPAX 9641->9642 9642->9164 9644 40db53 2 API calls 9643->9644 9645 404ce8 9644->9645 9646 404d44 9645->9646 9648 4024fc 2 API calls 9645->9648 9647 4025ae 2 API calls 9646->9647 9649 404d4c 9647->9649 9650 404cf7 9648->9650 9651 403e86 2 API calls 9649->9651 9654 404db5 ??3@YAXPAX 9650->9654 9656 403354 86 API calls 9650->9656 9652 404d59 9651->9652 9653 403ef6 2 API calls 9652->9653 9655 404d66 
9653->9655 9668 404db1 9654->9668 9657 403ef6 2 API calls 9655->9657 9658 404d1b 9656->9658 9659 404d73 9657->9659 9658->9654 9661 40db53 2 API calls 9658->9661 9660 403ef6 2 API calls 9659->9660 9662 404d80 9660->9662 9663 404d37 9661->9663 9664 40dd5f 2 API calls 9662->9664 9663->9654 9665 404d3b ??3@YAXPAX 9663->9665 9666 404d94 9664->9666 9665->9646 9666->9654 9667 404d9d ??3@YAXPAX 9666->9667 9667->9668 9668->9229 9670 4025ae 2 API calls 9669->9670 9686 4030a8 9670->9686 9671 403301 9672 403344 ??3@YAXPAX 9671->9672 9673 40334e 9672->9673 9673->9215 9673->9221 9674 401411 ??2@YAPAXI ??3@YAXPAX 9674->9686 9676 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9676->9686 9677 401362 2 API calls 9678 4030f3 ??3@YAXPAX ??3@YAXPAX 9677->9678 9679 403303 9678->9679 9678->9686 10480 4029c3 9679->10480 9683 40331c ??3@YAXPAX 9683->9673 9684 4031e5 strncmp 9685 4031d0 strncmp 9684->9685 9684->9686 9685->9684 9685->9686 9686->9671 9686->9674 9686->9676 9686->9677 9686->9679 9686->9684 9687 401362 2 API calls 9686->9687 9688 402640 2 API calls 9686->9688 9691 402640 ??2@YAPAXI ??3@YAXPAX 9686->9691 9693 4023dd lstrcmpW 9686->9693 9694 402f6c 7 API calls 9686->9694 9696 403330 9686->9696 9697 4032b2 lstrcmpW 9686->9697 9701 401329 2 API calls 9686->9701 10474 402986 9686->10474 10479 402425 ??3@YAXPAX ??3@YAXPAX 9686->10479 9689 403252 ??3@YAXPAX 9687->9689 9688->9685 9690 402a69 9 API calls 9689->9690 9692 403263 lstrcmpW 9690->9692 9691->9686 9692->9686 9693->9686 9694->9686 9699 402f6c 7 API calls 9696->9699 9697->9686 9698 4032c0 lstrcmpW 9697->9698 9698->9686 9700 40333c 9699->9700 10498 402425 ??3@YAXPAX ??3@YAXPAX 9700->10498 9701->9686 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 
40254d 2 API calls 9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9265 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9265 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9263 9740 408646 9739->9740 9752 4083d5 ctype 9739->9752 9740->9272 9741 40661a 2 API calls 9741->9752 9742 40243b lstrcmpW 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 403f48 4 API calls 9749->9752 9750 4073d1 21 API calls 9750->9752 9751 407776 55 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9763 408333 9761->9763 10521 4019f0 GetStdHandle WriteFile 9761->10521 9767 408344 9763->9767 10522 4019f0 GetStdHandle WriteFile 9763->10522 9765 40243b lstrcmpW 9769 408351 9765->9769 9767->9765 9768 40835f 9771 40243b lstrcmpW 9768->9771 9769->9768 10523 4019f0 GetStdHandle WriteFile 9769->10523 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 
10525 4019f0 GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9308 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9308 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9808 403fcf 9802->9808 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9808 9806 402535 2 API calls 9807 403ff2 wsprintfW 9806->9807 9807->9808 9808->9806 9809 404009 GetFileAttributesW 9808->9809 9810 40402d 9808->9810 9809->9808 9809->9810 9810->9293 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 
9847 40243b lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9337 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022be ??2@YAPAXI 9901->9902 9903 4022ea 9901->9903 9902->9903 9904 4022cf ??3@YAXPAX 9902->9904 9903->9453 9904->9903 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 
9912->9913 9914 4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9922 40437e 9920->9922 9923 4022b0 2 API calls 9922->9923 9924 404387 9923->9924 9926 4025f6 2 API calls 9924->9926 9925 404373 9928 403ec1 9925->9928 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9925 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9933->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9925 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 403d3d 9946->9947 9958 403c63 9947->9958 9951 403cd3 9950->9951 9952 403c63 _wtol 9951->9952 9953 403cf4 9952->9953 9953->9554 9955 403d04 9954->9955 9956 403c63 _wtol 9955->9956 9957 403d1c 9956->9957 9957->9559 9959 403c6d 9958->9959 9960 403c88 _wtol 9959->9960 9961 403cc1 9959->9961 9960->9959 9961->9550 9963 4023e8 9962->9963 9964 4023f4 lstrcmpW 9963->9964 9965 402411 9963->9965 9964->9963 9964->9965 9965->9268 9967 408679 9966->9967 9967->9596 9969 40a7fe 9968->9969 9970 40b2fc 11 API calls 9969->9970 9971 40a823 9970->9971 9972 40a845 9971->9972 9973 40a82c 9971->9973 10014 40cc59 _EH_prolog 9972->10014 10017 40a3fe 9973->10017 9985 40b30d 9984->9985 9989 40dcfb 3 API calls 9985->9989 9986 40b321 9987 40b331 9986->9987 10453 40b163 9986->10453 9987->9599 9989->9986 9991 40151e 9990->9991 9992 401329 2 API calls 9991->9992 9993 40152b 9992->9993 9994 401429 2 API calls 9993->9994 9995 401534 CreateThread 9994->9995 9996 401563 9995->9996 9997 401568 WaitForSingleObject 9995->9997 10466 40129c 9995->10466 9998 40786b 23 API calls 9996->9998 9999 401585 9997->9999 10000 4015b7 9997->10000 9998->9997 10003 4015a3 9999->10003 10006 401594 
9999->10006 10001 4015b3 10000->10001 10002 4015bf GetExitCodeThread 10000->10002 10001->9606 10004 4015d6 10002->10004 10005 407776 55 API calls 10003->10005 10004->10001 10004->10006 10007 401605 SetLastError 10004->10007 10005->10001 10006->10001 10008 407776 55 API calls 10006->10008 10007->10006 10008->10001 10010 401411 2 API calls 10009->10010 10011 4042ab 10010->10011 10012 401411 2 API calls 10011->10012 10013 4042b7 10012->10013 10013->9605 10025 40c9fc 10014->10025 10436 40a28e 10017->10436 10047 40a0bf 10025->10047 10181 40a030 10047->10181 10182 40e8da ctype 3 API calls 10181->10182 10183 40a039 10182->10183 10184 40e8da ctype 3 API calls 10183->10184 10185 40a041 10184->10185 10186 40e8da ctype 3 API calls 10185->10186 10187 40a049 10186->10187 10188 40e8da ctype 3 API calls 10187->10188 10189 40a051 10188->10189 10190 40e8da ctype 3 API calls 10189->10190 10191 40a059 10190->10191 10192 40e8da ctype 3 API calls 10191->10192 10193 40a061 10192->10193 10194 40e8da ctype 3 API calls 10193->10194 10195 40a06b 10194->10195 10196 40e8da ctype 3 API calls 10195->10196 10197 40a073 10196->10197 10198 40e8da ctype 3 API calls 10197->10198 10199 40a080 10198->10199 10200 40e8da ctype 3 API calls 10199->10200 10201 40a088 10200->10201 10202 40e8da ctype 3 API calls 10201->10202 10203 40a095 10202->10203 10204 40e8da ctype 3 API calls 10203->10204 10205 40a09d 10204->10205 10206 40e8da ctype 3 API calls 10205->10206 10207 40a0aa 10206->10207 10208 40e8da ctype 3 API calls 10207->10208 10209 40a0b2 10208->10209 10437 40e8da ctype 3 API calls 10436->10437 10438 40a29c 10437->10438 10454 40f0b6 GetLastError 10453->10454 10456 40b17e 10454->10456 10455 40b192 10455->9987 10456->10455 10457 40adc3 3 API calls 10456->10457 10458 40b1b6 memcpy 10457->10458 10463 40b1d9 10458->10463 10459 40b297 ??3@YAXPAX 10459->10455 10460 40b2a2 ??3@YAXPAX 10460->10455 10462 40b27a memmove 10462->10463 10463->10459 10463->10460 10463->10462 10464 40b2ac memcpy 10463->10464 10465 
40dcfb 3 API calls 10464->10465 10465->10460 10467 4012a5 10466->10467 10468 4012b8 10466->10468 10467->10468 10469 4012a7 Sleep 10467->10469 10470 4012f1 10468->10470 10471 4012e3 EndDialog 10468->10471 10469->10467 10471->10470 10473 4021db 10472->10473 10473->9617 10475 4025ae 2 API calls 10474->10475 10476 402992 10475->10476 10477 4029be 10476->10477 10478 402640 2 API calls 10476->10478 10477->9686 10478->10476 10479->9686 10481 4029d2 10480->10481 10482 4029de 10480->10482 10499 4019f0 GetStdHandle WriteFile 10481->10499 10484 4025ae 2 API calls 10482->10484 10488 4029e8 10484->10488 10485 4029d9 10497 402425 ??3@YAXPAX ??3@YAXPAX 10485->10497 10486 402a13 10487 40272e 3 API calls 10486->10487 10489 402a25 10487->10489 10488->10486 10492 402640 2 API calls 10488->10492 10490 402a33 10489->10490 10491 402a47 10489->10491 10493 407776 55 API calls 10490->10493 10494 407776 55 API calls 10491->10494 10492->10488 10495 402a42 ??3@YAXPAX ??3@YAXPAX 10493->10495 10494->10495 10495->10485 10497->9683 10498->9672 10499->10485 10501 4012f7 2 API calls 10500->10501 10502 402676 10501->10502 10503 4012f7 2 API calls 10502->10503 10504 402682 10503->10504 10504->9704 10506 4025ae 2 API calls 10505->10506 10507 402785 10506->10507 10508 4027c1 10507->10508 10511 402628 10507->10511 10508->9731 10512 402634 10511->10512 10513 40263a WideCharToMultiByte 10511->10513 10514 4022b0 2 API calls 10512->10514 10513->10508 10514->10513 10516 407456 10515->10516 10517 40745b 10515->10517 10516->9752 10517->10516 10518 4073d1 21 API calls 10517->10518 10518->10516 10519->9759 10520->9761 10521->9763 10522->9767 10523->9768 10524->9773 10525->9777 10526->9781 10528 40661a 2 API calls 10527->10528 10529 40715c 10528->10529 10529->9789 10533 40716d 10530->10533 10534 40661a 2 API calls 10533->10534 10535 407175 10534->10535 10535->9789 10537 40661a 2 API calls 10536->10537 10538 4071a7 10537->10538 10538->9815 8035 40f3f1 8038 4024e7 8035->8038 8043 40245a 8038->8043 8041 4024f5 8042 
4024f6 malloc 8044 40246a 8043->8044 8050 402466 8043->8050 8045 40247a GlobalMemoryStatusEx 8044->8045 8044->8050 8046 402488 8045->8046 8045->8050 8046->8050 8051 401f9d 8046->8051 8050->8041 8050->8042 8052 401fb4 8051->8052 8053 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8052->8053 8057 401fdb 8052->8057 8054 402095 SetLastError 8053->8054 8055 40201d ??2@YAPAXI GetEnvironmentVariableW 8053->8055 8054->8057 8058 4020ac 8054->8058 8056 40204c GetLastError 8055->8056 8069 40207e ??3@YAXPAX 8055->8069 8059 402052 8056->8059 8056->8069 8071 407717 8057->8071 8061 4020cb lstrlenA ??2@YAPAXI 8058->8061 8078 401f47 8058->8078 8064 402081 8059->8064 8065 40205c lstrcmpiW 8059->8065 8062 402136 MultiByteToWideChar 8061->8062 8063 4020fc GetLocaleInfoW 8061->8063 8062->8057 8063->8062 8067 402123 _wtol 8063->8067 8064->8054 8068 40206b ??3@YAXPAX 8065->8068 8065->8069 8067->8062 8068->8064 8069->8064 8070 4020c1 8070->8061 8085 40661a 8071->8085 8074 40774e 8089 4073d1 8074->8089 8075 40773c IsBadReadPtr 8075->8074 8079 401f51 GetUserDefaultUILanguage 8078->8079 8080 401f95 8078->8080 8081 401f72 GetSystemDefaultUILanguage 8079->8081 8082 401f6e 8079->8082 8080->8070 8081->8080 8083 401f7e GetSystemDefaultLCID 8081->8083 8082->8070 8083->8080 8084 401f8e 8083->8084 8084->8080 8086 406643 8085->8086 8087 40666f IsWindow 8085->8087 8086->8087 8088 40664b GetSystemMetrics GetSystemMetrics 8086->8088 8087->8074 8087->8075 8088->8087 8090 407444 8089->8090 8091 4073e0 8089->8091 8090->8050 8091->8090 8101 4024fc 8091->8101 8093 4073f1 8094 4024fc 2 API calls 8093->8094 8095 4073fc 8094->8095 8105 403b7f 8095->8105 8098 403b7f 19 API calls 8099 40740e ??3@YAXPAX ??3@YAXPAX 8098->8099 8099->8090 8102 402513 8101->8102 8114 40112b 8102->8114 8104 40251e 8104->8093 8178 403880 8105->8178 8107 403b59 8119 40393b 8107->8119 8109 403b69 8142 4039f6 8109->8142 8111 403b74 8165 4027c7 8111->8165 8115 401177 8114->8115 8116 401139 ??2@YAPAXI 8114->8116 
8115->8104 8116->8115 8118 40115a 8116->8118 8117 40116f ??3@YAXPAX 8117->8115 8118->8117 8118->8118 8201 401411 8119->8201 8123 403954 8208 40254d 8123->8208 8125 403961 8126 4024fc 2 API calls 8125->8126 8127 40396e 8126->8127 8212 403805 8127->8212 8130 401362 2 API calls 8131 403992 8130->8131 8132 40254d 2 API calls 8131->8132 8133 40399f 8132->8133 8134 4024fc 2 API calls 8133->8134 8135 4039ac 8134->8135 8136 403805 3 API calls 8135->8136 8137 4039bc ??3@YAXPAX 8136->8137 8138 4024fc 2 API calls 8137->8138 8139 4039d3 8138->8139 8140 403805 3 API calls 8139->8140 8141 4039e2 ??3@YAXPAX ??3@YAXPAX 8140->8141 8141->8109 8143 401411 2 API calls 8142->8143 8144 403a04 8143->8144 8145 401362 2 API calls 8144->8145 8146 403a0f 8145->8146 8147 40254d 2 API calls 8146->8147 8148 403a1c 8147->8148 8149 4024fc 2 API calls 8148->8149 8150 403a29 8149->8150 8151 403805 3 API calls 8150->8151 8152 403a39 ??3@YAXPAX 8151->8152 8153 401362 2 API calls 8152->8153 8154 403a4d 8153->8154 8155 40254d 2 API calls 8154->8155 8156 403a5a 8155->8156 8157 4024fc 2 API calls 8156->8157 8158 403a67 8157->8158 8159 403805 3 API calls 8158->8159 8160 403a77 ??3@YAXPAX 8159->8160 8161 4024fc 2 API calls 8160->8161 8162 403a8e 8161->8162 8163 403805 3 API calls 8162->8163 8164 403a9d ??3@YAXPAX ??3@YAXPAX 8163->8164 8164->8111 8166 401411 2 API calls 8165->8166 8167 4027d5 8166->8167 8168 4027e5 ExpandEnvironmentStringsW 8167->8168 8171 40112b 2 API calls 8167->8171 8169 402809 8168->8169 8170 4027fe ??3@YAXPAX 8168->8170 8237 402535 8169->8237 8172 402840 8170->8172 8171->8168 8172->8098 8175 402824 8176 401362 2 API calls 8175->8176 8177 402838 ??3@YAXPAX 8176->8177 8177->8172 8179 401411 2 API calls 8178->8179 8180 40388e 8179->8180 8181 401362 2 API calls 8180->8181 8182 403899 8181->8182 8183 40254d 2 API calls 8182->8183 8184 4038a6 8183->8184 8185 4024fc 2 API calls 8184->8185 8186 4038b3 8185->8186 8187 403805 3 API calls 8186->8187 8188 4038c3 ??3@YAXPAX 8187->8188 8189 401362 2 
API calls 8188->8189 8190 4038d7 8189->8190 8191 40254d 2 API calls 8190->8191 8192 4038e4 8191->8192 8193 4024fc 2 API calls 8192->8193 8194 4038f1 8193->8194 8195 403805 3 API calls 8194->8195 8196 403901 ??3@YAXPAX 8195->8196 8197 4024fc 2 API calls 8196->8197 8198 403918 8197->8198 8199 403805 3 API calls 8198->8199 8200 403927 ??3@YAXPAX ??3@YAXPAX 8199->8200 8200->8107 8202 40112b 2 API calls 8201->8202 8203 401425 8202->8203 8204 401362 8203->8204 8205 40136e 8204->8205 8207 401380 8204->8207 8206 40112b 2 API calls 8205->8206 8206->8207 8207->8123 8209 40255a 8208->8209 8217 401398 8209->8217 8211 402565 8211->8125 8213 40381b 8212->8213 8214 403817 ??3@YAXPAX 8212->8214 8213->8214 8221 4026b1 8213->8221 8225 402f96 8213->8225 8214->8130 8218 4013dc 8217->8218 8219 4013ac 8217->8219 8218->8211 8220 40112b 2 API calls 8219->8220 8220->8218 8222 4026c7 8221->8222 8223 4026db 8222->8223 8229 402346 memmove 8222->8229 8223->8213 8226 402fa5 8225->8226 8228 402fbe 8226->8228 8230 4026e6 8226->8230 8228->8213 8229->8223 8231 4026f6 8230->8231 8232 401398 2 API calls 8231->8232 8233 402702 8232->8233 8236 402346 memmove 8233->8236 8235 40270f 8235->8228 8236->8235 8238 402541 8237->8238 8239 402547 ExpandEnvironmentStringsW 8237->8239 8240 40112b 2 API calls 8238->8240 8239->8175 8240->8239 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211 9087 411388 ??2@YAPAXI 9088 411397 9087->9088
                                            APIs
                                              • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                              • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                              • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                              • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                              • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                              • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                              • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                            • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                                            • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                              • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                              • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                                            • _wtol.MSVCRT ref: 0040509F
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                                            • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                                            • _wtol.MSVCRT ref: 00405217
                                            • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                              • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                              • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                              • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                              • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                              • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                              • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                              • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                              • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                                            • wsprintfW.USER32 ref: 00405595
                                            • _wtol.MSVCRT ref: 004057DE
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                                            • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                                            • CoInitialize.OLE32(00000000), ref: 004059E9
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                                            • GetKeyState.USER32(00000010), ref: 00405AA1
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                                            • memset.MSVCRT ref: 004060AE
                                            • ShellExecuteExW.SHELL32(?), ref: 0040617E
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                                            • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                                            • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                                            • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                                            • _wtol.MSVCRT ref: 00405F65
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                                            • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                                            • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                                            • API String ID: 3696187633-3058303289
                                            • Opcode ID: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                            • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                                            • Opcode Fuzzy Hash: cabb4e2e52945036c720e1880f7d789d9992fedd99c9f327f88584105f760328
                                            • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D
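The API list and string table above are the signature of a 7-Zip SFX module reading its embedded install script: the `;!@Install@!UTF-8!` and `;!@InstallEnd@!` markers, the `lstrlenA`/`memcmp`/`memmove` scan in 00402844 that locates them, the `AutoInstall`, `RunProgram`, `ExecuteFile`, `Delete` and `SelfDelete` keys, `ExpandEnvironmentStringsW` for `InstallPath`, and `ShellExecuteExW` followed by `WaitForSingleObject` to launch and wait for the payload. For triage of such a sample the first thing to pull out is that script. The following is an added example written for this page, not code from the report or from the 7-Zip SFX modules. It extracts the script from the raw bytes of an SFX binary and lists the keys that make the installer run or delete something. The sample bytes are constructed (they are not the analysed file), the watch-list of "active" keys is the editor's own heuristic (every key in it appears in the string table above), and the parser assumes one `Key="Value"` pair per line, which is the common form; lines it cannot interpret are kept verbatim under `_unparsed` rather than guessed at.

```python
"""Extract and triage the install script embedded in a 7-Zip SFX binary.

Added example, not the report's code. Marker strings and key names are taken
from the report's string table; the watch-list and SAMPLE_SFX are constructed
by the editor for illustration.
"""
import re
from typing import Dict, List, Optional

# Start/end markers of the SFX install script (verbatim from the string table).
INSTALL_BEGIN = b";!@Install@!UTF-8!"
INSTALL_END = b";!@InstallEnd@!"

# Keys that make the SFX execute, delete or alter something on its own.
# Editor's triage heuristic; every name here is in the report's string table.
ACTIVE_KEYS = frozenset({
    "RunProgram", "ExecuteFile", "ExecuteParameters", "AutoInstall",
    "Delete", "SelfDelete", "SetEnvironment", "Shortcut",
})

# One Key="Value" pair per line; the value may contain anything but a newline.
_KV_RE = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*"(.*)"$')


def extract_sfx_config(data: bytes) -> Optional[bytes]:
    """Return the bytes between the install markers, or None when the block
    is absent or truncated (no end marker after the start marker)."""
    start = data.find(INSTALL_BEGIN)
    if start < 0:
        return None
    body_start = start + len(INSTALL_BEGIN)
    end = data.find(INSTALL_END, body_start)
    if end < 0:
        return None
    return data[body_start:end]


def parse_sfx_config(block: bytes) -> Dict[str, List[str]]:
    """Parse the install script into key -> list of values.

    Repeated keys are kept in order of appearance. Lines starting with ';'
    are treated as comments. Anything that is not a Key="Value" line is
    stored verbatim under '_unparsed' instead of being guessed at.
    """
    cfg: Dict[str, List[str]] = {}
    for raw in block.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KV_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
        else:
            cfg.setdefault("_unparsed", []).append(line)
    return cfg


def active_keys(cfg: Dict[str, List[str]]) -> List[str]:
    """Sorted list of watch-listed keys present in the parsed script."""
    return sorted(k for k in cfg if k in ACTIVE_KEYS)


def triage(data: bytes) -> Dict[str, object]:
    """Summary for one file: whether a script was found, the parsed keys,
    and which of them are on the watch-list."""
    block = extract_sfx_config(data)
    if block is None:
        return {"has_script": False, "config": {}, "active": []}
    cfg = parse_sfx_config(block)
    return {"has_script": True, "config": cfg, "active": active_keys(cfg)}


# Constructed sample: a fake stub, an install script and a fake 7z signature.
# This is NOT the analysed file; it only exercises the parser.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62
    + b";!@Install@!UTF-8!\r\n"
    + b"GUIMode=\"2\"\r\n"
    + b"InstallPath=\"%AppData%\\Updater\"\r\n"
    + b"RunProgram=\"hidcon:setup.exe -s\"\r\n"
    + b"Delete=\"setup.exe\"\r\n"
    + b"SelfDelete=\"1\"\r\n"
    + b";!@InstallEnd@!"
    + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16
)

if __name__ == "__main__":
    import json
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_SFX
    print(json.dumps(triage(data), indent=2))
```

Run it with the sample's path as the only argument; without an argument it parses the constructed `SAMPLE_SFX`. Searching the raw bytes is enough because the script sits as plain text between the SFX stub and the appended 7z archive, which is exactly what the `memcmp` scan in 00402844 does. A `RunProgram` or `ExecuteFile` value combined with `hidcon` (also in the string table) tells you the payload is launched with a hidden console, and the `7ZipSfx.%03x` format string is the naming pattern of the temporary extraction directory, which is consistent with the "Execution from Suspicious Folder" signature in the overview.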

                                            Control-flow Graph

                                            control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 700 4017a2-4017a8 695->700 701 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->701 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 700->704 705 4017aa-4017ad 700->705 701->660 709 4017dc-4017df 704->709 707 4017b6-4017c2 705->707 708 4017af-4017b1 705->708 707->709 708->693 710 4017e1-4017e3 call 403354 709->710 711 4017f8-4017ff call 40301a 709->711 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 746 4018d1-4018d9 739->746 747 4018db-4018f3 call 40db53 739->747 742 40188a-40189a ??3@YAXPAX@Z 740->742 744 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 742->744 745 40189c-40189e 742->745 744->660 745->744 746->742 753 4018f5-401904 GetLastError 747->753 754 401906-40190e ??3@YAXPAX@Z 747->754 753->742 754->729
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                            • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                                            • Opcode Fuzzy Hash: f637a799f1653e3b63fa741730d3cbaf64608c0369243d42a1217ae41316ed6c
                                            • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                                            Control-flow Graph

                                            control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                                            • SetLastError.KERNEL32(00000010), ref: 0040303D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AttributesErrorFileLast
                                            • String ID:
                                            • API String ID: 1799206407-0
                                            • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                            • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                                            • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                                            • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                                            APIs
                                            • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                                            • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: DiskFreeMessageSendSpace
                                            • String ID:
                                            • API String ID: 696007252-0
                                            • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                            • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                                            • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                                            • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                                            Control-flow Graph

                                            control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm 757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 760->764 765 411ecb-411ed3 760->765 761->760 766 411ee2-411ee6 764->766 767 411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc 765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA 766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter 773->775 774->775
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                            • String ID: HpA
                                            • API String ID: 801014965-2938899866
                                            • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                            • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                                            • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                                            • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                            • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                            • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                            • DispatchMessageW.USER32(?), ref: 00401B89
                                            • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                            • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                                            • String ID: Static
                                            • API String ID: 1156981321-2272013587
                                            • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                            • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                                            • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                                            • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                                            Control-flow Graph

                                             [Control-flow graph of the function at 40b163 (executed/not-executed node colouring not recoverable): nodes call memcpy, memmove and ??3@YAXPAX@Z, plus internal subcalls to 40f0b6, 40ac2d, 40adc3 and 40dcfb]
                                            APIs
                                            • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                                            • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@memcpymemmove
                                            • String ID:
                                            • API String ID: 3549172513-3916222277
                                            • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                            • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                                            • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                                            • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                                            Control-flow Graph

                                             [Control-flow graph of the function at 403354 (executed/not-executed node colouring not recoverable): nodes call lstrlenW, GetSystemTimeAsFileTime, GetFileAttributesW, memcpy and ??3@YAXPAX@Z, plus internal subcalls to 4024fc, 40112b, 401986, 40301a and 407776]
                                            APIs
                                            • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                            • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                            • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                            • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                                            • String ID:
                                            • API String ID: 846840743-0
                                            • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                            • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                                            • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                                            • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                              • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                              • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                                            • wsprintfW.USER32 ref: 004044A7
                                              • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                            • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                                            • String ID: 7zSfxFolder%02d$IA
                                            • API String ID: 3387708999-1317665167
                                            • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                            • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                                            • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                                            • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                                            Control-flow Graph

                                             [Control-flow graph of the function at 408ea4 (executed/not-executed node colouring not recoverable): nodes call ??2@YAPAXI@Z and a large number of internal subcalls (including 408726, 408761, 40e811 and 40e959); the full edge list is not reproduced]
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                                            • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@
                                            • String ID: IA$IA
                                            • API String ID: 1033339047-1400641299
                                            • Opcode ID: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                            • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                                            • Opcode Fuzzy Hash: 6a22e71803ea0f4d69e2f58a84b042c4ce0c016d1f42beed39b79896576e25f5
                                            • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1095 410cd0-410d1a call 410b9a free 1098 410d22-410d23 1095->1098 1099 410d1c-410d1e 1095->1099 1099->1098
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID: $KA$4KA$HKA$\KA
                                            • API String ID: 1294909896-3316857779
                                            • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                            • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                                            • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                                            • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                                            Control-flow Graph

                                             [Control-flow graph of the function at 4096c7 (executed/not-executed node colouring not recoverable): nodes call _EH_prolog and ??2@YAPAXI@Z, plus a large number of internal subcalls (including 4010e2, 409425, 409530 and 40e959); the full edge list is not reproduced]
                                            APIs
                                            • _EH_prolog.MSVCRT ref: 004096D0
                                            • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                                            • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                              • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@$H_prolog
                                            • String ID: HIA
                                            • API String ID: 3431946709-2712174624
                                            • Opcode ID: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                            • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                                            • Opcode Fuzzy Hash: 3a91edc2a80342029bdf13785710b8021a7be55c7c109f54d8d38dfd795fbdbc
                                            • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                                            Control-flow Graph

                                             [Control-flow graph of the function at 402844 (executed/not-executed node colouring not recoverable): nodes call lstrlenA (twice), memcmp (twice) and memmove, plus internal subcalls to 411c20, 40dcfb, 40dcc7 and 402640]
                                            APIs
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                            • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                            • memcmp.MSVCRT(?,?,?), ref: 004028E4
                                            • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                            • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: lstrlenmemcmp$memmove
                                            • String ID:
                                            • API String ID: 3251180759-0
                                            • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                            • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                                            • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                                            • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                                            Control-flow Graph

                                            control_flow_graph 1263 40150b-401561 call 408726 call 401329 call 401429 CreateThread 1270 401563 call 40786b 1263->1270 1271 401568-401583 WaitForSingleObject 1263->1271 1270->1271 1273 401585-401588 1271->1273 1274 4015b7-4015bd 1271->1274 1277 40158a-40158d 1273->1277 1278 4015ab 1273->1278 1275 40161b 1274->1275 1276 4015bf-4015d4 GetExitCodeThread 1274->1276 1280 401620-401623 1275->1280 1281 4015d6-4015d8 1276->1281 1282 4015de-4015e9 1276->1282 1283 4015a7-4015a9 1277->1283 1284 40158f-401592 1277->1284 1279 4015ad-4015b5 call 407776 1278->1279 1279->1275 1281->1282 1286 4015da-4015dc 1281->1286 1287 4015f1-4015fa 1282->1287 1288 4015eb-4015ec 1282->1288 1283->1279 1289 4015a3-4015a5 1284->1289 1290 401594-401597 1284->1290 1286->1280 1293 401605-401611 SetLastError 1287->1293 1294 4015fc-401603 1287->1294 1292 4015ee-4015ef 1288->1292 1289->1279 1295 401599-40159c 1290->1295 1296 40159e-4015a1 1290->1296 1297 401613-401618 call 407776 1292->1297 1293->1297 1294->1275 1294->1293 1295->1275 1295->1296 1296->1292 1297->1275
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                                            • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                              • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                              • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                              • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                              • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                              • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                              • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                              • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                              • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                                            • String ID:
                                            • API String ID: 359084233-0
                                            • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                            • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                                            • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                                            • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                                            Control-flow Graph

                                            control_flow_graph 1300 401986-401995 CreateDirectoryW 1301 4019c7-4019cb 1300->1301 1302 401997-4019a4 GetLastError 1300->1302 1303 4019b1-4019be GetFileAttributesW 1302->1303 1304 4019a6 1302->1304 1303->1301 1306 4019c0-4019c2 1303->1306 1305 4019a7-4019b0 SetLastError 1304->1305 1306->1301 1307 4019c4-4019c5 1306->1307 1307->1305
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                                            • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                                            • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ErrorLast$AttributesCreateDirectoryFile
                                            • String ID:
                                            • API String ID: 635176117-0
                                            • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                            • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                                            • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                                            • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                                            Control-flow Graph

                                            control_flow_graph 1308 404a44-404a62 call 408676 ??2@YAPAXI@Z 1311 404a64-404a6b call 40a9f8 1308->1311 1312 404a6d 1308->1312 1314 404a6f-404a91 call 408726 call 40dcfb 1311->1314 1312->1314 1341 404a92 call 40b2fc 1314->1341 1342 404a92 call 40a7de 1314->1342 1319 404a95-404a97 1320 404ab3-404abd 1319->1320 1321 404a99-404aa9 call 407776 1319->1321 1323 404ada-404ae4 ??2@YAPAXI@Z 1320->1323 1324 404abf-404ac1 call 403354 1320->1324 1337 404aae-404ab2 1321->1337 1325 404ae6-404aed call 404292 1323->1325 1326 404aef 1323->1326 1331 404ac6-404ac9 1324->1331 1330 404af1-404af6 call 40150b 1325->1330 1326->1330 1336 404afb-404afd 1330->1336 1331->1323 1335 404acb 1331->1335 1338 404ad0-404ad8 1335->1338 1336->1338 1338->1337 1341->1319 1342->1319
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                                            • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@
                                            • String ID: ExecuteFile
                                            • API String ID: 1033339047-323923146
                                            • Opcode ID: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                            • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                                            • Opcode Fuzzy Hash: 612dc6f8e3fe8df0745ed42aa02adea807ab2e0a0b71f5bf8dc2b3d1454147a6
                                            • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                                            Control-flow Graph

                                            control_flow_graph 1343 40adc3-40adce 1344 40add0-40add3 1343->1344 1345 40ae0d-40ae0f 1343->1345 1346 40add5-40ade3 ??2@YAPAXI@Z 1344->1346 1347 40adfb 1344->1347 1348 40adfd-40ae0c ??3@YAXPAX@Z 1346->1348 1349 40ade5-40ade7 1346->1349 1347->1348 1348->1345 1350 40ade9 1349->1350 1351 40adeb-40adf9 memmove 1349->1351 1350->1351 1351->1348
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                            • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@??3@memmove
                                            • String ID:
                                            • API String ID: 3828600508-0
                                            • Opcode ID: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                            • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                                            • Opcode Fuzzy Hash: 2c1e852e3357fe345785b0ad8426fcfe448c8ec3a37487201466d82e595bf6a2
                                            • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID: @
                                            • API String ID: 1890195054-2766056989
                                            • Opcode ID: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                            • Instruction ID: 9ce3ff159218229c34eda893c3d8d64f83397f3f2cddac743d7c565554413103
                                            • Opcode Fuzzy Hash: e165e649a9da5613d175048000a137ea24de4513e4899c41680211bbe6bcf060
                                            • Instruction Fuzzy Hash: AAF0AF30A042048ADF15AB719E8DA5A37A4BB00348F10853AF516F52D4D7BCE9048B5D
                                            APIs
                                              • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$??2@ExceptionThrowmemmove
                                            • String ID:
                                            • API String ID: 4269121280-0
                                            • Opcode ID: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                            • Instruction ID: 88480e7f7e551c391a26326ce122d220a9eefc885560dc6ed21150e7f5ba8ef6
                                            • Opcode Fuzzy Hash: 55a34ad2a1bb823cdc9ec8962d94a78352b48210c79ef81d7d99dd1713e8f51f
                                            • Instruction Fuzzy Hash: 00712571A00209EFCB24DFA5C8D1AAEBBB1FF08314F10463AE545A3291D739A945CF99
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@H_prolog
                                            • String ID:
                                            • API String ID: 1329742358-0
                                            • Opcode ID: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                            • Instruction ID: 956102545b91a7c0cba0a64d671320761176ea25dc816e9057e3d4af94f09eda
                                            • Opcode Fuzzy Hash: 6656e43d2981dee3a96cb881ff7527404ad10ce0abe68b4cdaafc38c009261e5
                                            • Instruction Fuzzy Hash: 0D411F32800204AFCB09DB65CD45EBE7B35EF50304B18883BF402B72E2D63E9E21965B
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@??3@
                                            • String ID:
                                            • API String ID: 1936579350-0
                                            • Opcode ID: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                            • Instruction ID: 063e94d8e06ff9613a5b681c15dc067c338ae4066a9753272274ce5f9f11bd0f
                                            • Opcode Fuzzy Hash: ebac23084a16b944365a47061f6b21e986bd860b63916dd214b45b095081060c
                                            • Instruction Fuzzy Hash: 71F0A476210612ABC334DF2DC581867B3E4EF88711710893FE6C7C72B1DA31A881C754
                                            APIs
                                            • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID:
                                            • API String ID: 2976181284-0
                                            • Opcode ID: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                            • Instruction ID: d86f9e507f4e039952bd1031b0dc001be1b0661bb6f0ed5f18f0f7cd7a7605a3
                                            • Opcode Fuzzy Hash: d304dccc413f9fbc2375b0c992bb18d0fa27bc648f40137314f68655dcdcf89d
                                            • Instruction Fuzzy Hash: FCF0B2B8A04208FFCB04CFA8D8448AE7BB9EB49314B2085A9F815A7390D735DA04DF64
                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 0040ED05
                                            • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AllocExceptionStringThrow
                                            • String ID:
                                            • API String ID: 3773818493-0
                                            • Opcode ID: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                            • Instruction ID: 896a1b371a95ab63a3f889c911e7bff8eb1facf706b7c8fcc1dab20228dace7a
                                            • Opcode Fuzzy Hash: 34848b6f66320e7823decd545e24a334e79eeaa2350f65fc9219e56b57dd4bad
                                            • Instruction Fuzzy Hash: CDE06D71600309ABDB10AF66D8419D67BE8EF00380B00C83FF948CA250E779E590C7D9
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                            • Instruction ID: 086d926b78662e0ab04275255430a857868cdabe8091615e808f779c17768b54
                                            • Opcode Fuzzy Hash: 91dbafe27853da7d419d240d9f0ee1b362973845cd939a0bd3a75ec29d074311
                                            • Instruction Fuzzy Hash: 76F05436200214FBCB119F95DC08E9BBBB9FF49761F14842AF945E7260C771E821DBA4
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID:
                                            • API String ID: 3519838083-0
                                            • Opcode ID: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                            • Instruction ID: 39d544f4fee3d18347c8ea8d59cce7c7d4ef222c74644271f89bd24cd9d44c54
                                            • Opcode Fuzzy Hash: e5321c9a15e7e390b560e3b31c2ad4413e862a9b2ae91dd544a8c0e33ade4a6e
                                            • Instruction Fuzzy Hash: 4B2180316003099BCB14EFA5C945AAE73B5EF40344F14843EF806BB291DB38DD16CB1A
                                            APIs
                                            • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                            • Instruction ID: 5817d5120c2da98d16edaa91ace5ca285f5b3ff1e58b2ffd557e42fef7bfdc6e
                                            • Opcode Fuzzy Hash: 5adc5d60a7dd4af011d60b8927d5fbfdd00464e259639d1fcd3b0c23b8927a9d
                                            • Instruction Fuzzy Hash: 66F05E72100201DBC720AF98C840BA777F5BB84314F04483EE583F2AA0D778B885CB59
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID:
                                            • API String ID: 3519838083-0
                                            • Opcode ID: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                            • Instruction ID: 375caa893e42e0daca7b158ffe4b4b415bc54d3572d418f3e5e61c8e5be1c541
                                            • Opcode Fuzzy Hash: 05aa82fd4493c2954843b58147a6e12e638aaadf2772ca9641b0bace8f10624d
                                            • Instruction Fuzzy Hash: 30F0F272500109BBCF029F85D901AEEBB36EB48354F00811ABA1161160D33A9961AB99
                                            APIs
                                              • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                            • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CloseCreateFileHandle
                                            • String ID:
                                            • API String ID: 3498533004-0
                                            • Opcode ID: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                            • Instruction ID: 040011ad7fb3de3f437c6c7e3ebc1dcda5640d8293b7e84d035d3e38099293ab
                                            • Opcode Fuzzy Hash: 08bceb1980caaee1328d4f84b7def86f7a2986f91a3075995b51455990be9560
                                            • Instruction Fuzzy Hash: A1E04F32140219ABCF215FA49C01BCA7B96AF09760F144526BE11A61E0C672D465AF94
                                            APIs
                                            • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                            • Instruction ID: ec3d056ad33d5175d1bee219b94afd5900c8108b90431a53c6143dcb1d381838
                                            • Opcode Fuzzy Hash: 3077b537328fed6cd21bdd98b87c61334e39a2b5a14a0e6e22fef2783c677b0b
                                            • Instruction Fuzzy Hash: D7E0C275600208FBCB00CF95C801B9E7BBABB49755F10C069F918AA2A0D739AA10DF54
                                            APIs
                                            • _beginthreadex.MSVCRT ref: 00406552
                                              • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ErrorLast_beginthreadex
                                            • String ID:
                                            • API String ID: 4034172046-0
                                            • Opcode ID: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                            • Instruction ID: fe95790bd269afcad05a26a3721163fc0b830ac61c9b3c5b6bbddf8a66cf2d64
                                            • Opcode Fuzzy Hash: e5ca857e6cae9760b500a95e192be9ea992c298de85bf840c792a1269a380ec9
                                            • Instruction Fuzzy Hash: 12D05EF6400208BFDF01DFE0DC05CAB3BADEB08204B004464FD05C2150E632DA108B60
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID:
                                            • API String ID: 3519838083-0
                                            • Opcode ID: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                            • Instruction ID: 312fbe8762c42e8d4a239ae194adb86e93363bc1e5443e54fb58aca6058f63a2
                                            • Opcode Fuzzy Hash: e8864bf39b3a1c941500cd6d38dedcba990c3b7db4eb5411aa9ab2a8414fad35
                                            • Instruction Fuzzy Hash: 70D05EB2A04108FBE7109F85D946BEEFB78EB80399F10823FB506B1150D7BC5A0196AD
                                            APIs
                                            • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                            • Instruction ID: c05821c64f4412cbb188b0f884d423eaa3d686fb1c941f6ac6705c8b1bb703da
                                            • Opcode Fuzzy Hash: 05e1a1911e5ec75f7d6758f34865a5827037a9c860dec67033daab0b9cfe5943
                                            • Instruction Fuzzy Hash: 58E0EC75211208FFDB01CF90CD01FDE7BBDFB49755F208058E90596160C7759A10EB54
                                            APIs
                                            • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: FileTime
                                            • String ID:
                                            • API String ID: 1425588814-0
                                            • Opcode ID: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                            • Instruction ID: c6000770aa4fb4c72b4925fc402daec6625791e8065b7518697746b49206ca3e
                                            • Opcode Fuzzy Hash: d3a1cd3220883f1d47adb6259c26a1719b9664e7d8bae69288c7dd66fbb4bdaa
                                            • Instruction Fuzzy Hash: 40C04C3A199105FF8F020F70CD04C1ABBA2AB95722F10C918B199C4070CB328424EB02
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: memmove
                                            • String ID:
                                            • API String ID: 2162964266-0
                                            • Opcode ID: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                            • Instruction ID: f56dbf57367ec124b55c1fed62106b1dafce564086f6503587e0b0fbfa293862
                                            • Opcode Fuzzy Hash: 97bd8de7a7fe9ad43a3345e9333d2138b4beb196f0434672ce39f7d09e0e15cd
                                            • Instruction Fuzzy Hash: EA21A271A00B009FC724CFAAC88485BF7F9FF88724764896EE49A93A40E774B945CB54
                                            APIs
                                            • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ExceptionThrow
                                            • String ID:
                                            • API String ID: 432778473-0
                                            • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                            • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                                            • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                                            • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                            • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                                            • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                                            • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@
                                            • String ID:
                                            • API String ID: 1033339047-0
                                            • Opcode ID: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                            • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                                            • Opcode Fuzzy Hash: 76c2607c9262a084594b8968e60506e1095ba5b3921c342d3f15f01c827a8030
                                            • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                                            APIs
                                            • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                            • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                                            • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                                            • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                                            APIs
                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                            • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                                            • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                                            • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                                            APIs
                                            • ??2@YAPAXI@Z.MSVCRT(000000D0), ref: 0041138D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@
                                            • String ID:
                                            • API String ID: 1033339047-0
                                            • Opcode ID: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
                                            • Instruction ID: d5b8b2b556814232dc2945b8f7e5995fed121ff751d048b21687cc00dda573f5
                                            • Opcode Fuzzy Hash: 08d588780a3caab37cf70573278ad1822b03e6a84bf609910ea5ba04e31b1b9c
                                            • Instruction Fuzzy Hash: B4B0123438914504FE5413B208013FB01800F40303F10087B5B02E4DF9FD0884805139
                                            APIs
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: FreeVirtual
                                            • String ID:
                                            • API String ID: 1263568516-0
                                            • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                            • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                                            • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                                            • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                            • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                                            • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                                            • Instruction Fuzzy Hash:
                                            APIs
                                            • _wtol.MSVCRT ref: 004034E5
                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                                            • _wtol.MSVCRT ref: 0040367F
                                            • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                                            • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                                            Similarity
                                            • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                                            • String ID: .lnk
                                            • API String ID: 408529070-24824748
                                            • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                            • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                                            • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                                            • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                                            APIs
                                            • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                            • wsprintfW.USER32 ref: 00401FFD
                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                            • GetLastError.KERNEL32 ref: 00402017
                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                            • GetLastError.KERNEL32 ref: 0040204C
                                            • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                            • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                            • SetLastError.KERNEL32(00000000), ref: 00402098
                                            • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                            • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                            • _wtol.MSVCRT ref: 0040212A
                                            • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                                            Similarity
                                            • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                                            • String ID: 7zSfxString%d$XpA$\3A
                                            • API String ID: 2117570002-3108448011
                                            • Opcode ID: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                            • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                                            • Opcode Fuzzy Hash: 332d11925e247980b34bd098e8b038dc96ba1155979fc83484f9ac8f636b93aa
                                            • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                            • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                            • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                            • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                            • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                            • LockResource.KERNEL32(00000000), ref: 00401C41
                                            • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                                            • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                                            • wsprintfW.USER32 ref: 00401C95
                                            • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                                            • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                                            Similarity
                                            • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                                            • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                                            • API String ID: 2639302590-365843014
                                            • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                            • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                                            • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                                            • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                                            APIs
                                            • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                            • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                            • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                            • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                            • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                            • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                            • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                            • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                            • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                                            Similarity
                                            • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                                            • String ID:
                                            • API String ID: 829399097-0
                                            • Opcode ID: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                            • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                                            • Opcode Fuzzy Hash: bf60f95a6a1f59c2bb6c04e2e113b9a1b5cd8de0030c6a868400c9436056581d
                                            • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                                            • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                                            • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                                            • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                                            • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                                            • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                                            • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                                            • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                                            Similarity
                                            • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                                            • String ID:
                                            • API String ID: 1862581289-0
                                            • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                            • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                                            • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                                            • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                                            APIs
                                            • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                                            • GetWindow.USER32(?,00000005), ref: 00406D8F
                                            • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                                            Similarity
                                            • API ID: Window$AddressLibraryLoadProc
                                            • String ID: SetWindowTheme$\EA$uxtheme
                                            • API String ID: 324724604-1613512829
                                            • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                            • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                                            • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                                            • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                            • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                                            • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                                            • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                            • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                                            • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                                            • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                            • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                                            • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                            • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                            • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                                            • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                                            • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                                            APIs
                                            • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                                            • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                                            • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                                            • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                                            • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                                            Similarity
                                            • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                                            • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                                            • API String ID: 3007203151-3467708659
                                            • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                            • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                                            • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                                            • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                                            APIs
                                            • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                              • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                              • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                              • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                              • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                              • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                              • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                              • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                              • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                              • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                            • _wtol.MSVCRT ref: 004047DC
                                            • _wtol.MSVCRT ref: 004047F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                                            • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                                            • API String ID: 2725485552-3187639848
                                            • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                            • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                                            • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                                            • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                                            APIs
                                            • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                                            • GetParent.USER32(?), ref: 00402E2E
                                            • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                                            • GetMenu.USER32(?), ref: 00402E55
                                            • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                                            • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                                            • DestroyWindow.USER32(?), ref: 00402EA3
                                            • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                                            • GetSysColor.USER32(0000000F), ref: 00402EBC
                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                                            • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                                            • String ID: RichEdit20W$STATIC$riched20${\rtf
                                            • API String ID: 1731037045-2281146334
                                            • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                            • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                                            • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                                            • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                                            APIs
                                            • GetWindowDC.USER32(00000000), ref: 00401CD4
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                            • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                            • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                            • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                            • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                            • CreateCompatibleDC.GDI32(?), ref: 00401D52
                                            • SelectObject.GDI32(00000000,?), ref: 00401D60
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                            • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                            • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                            • SelectObject.GDI32(00000000,?), ref: 00401DB3
                                            • SelectObject.GDI32(00000000,?), ref: 00401DB9
                                            • DeleteDC.GDI32(00000000), ref: 00401DC2
                                            • DeleteDC.GDI32(00000000), ref: 00401DC5
                                            • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                            • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                                            • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                                            • String ID:
                                            • API String ID: 3462224810-0
                                            • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                            • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                                            • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                                            • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                                            APIs
                                            • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                                            • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                                            • GetMenu.USER32(?), ref: 00401E44
                                              • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                              • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                              • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                              • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                              • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                                            • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                                            • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                                            • CoInitialize.OLE32(00000000), ref: 00401E8C
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                                            • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                              • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                              • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                              • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                              • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                              • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                              • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                              • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                              • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                              • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                              • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                              • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                              • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                                            • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                                            • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                                            • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                                            • String ID: IMAGES$STATIC
                                            • API String ID: 4202116410-1168396491
                                            • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                            • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                                            • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                                            • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                                            APIs
                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                            • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                                            • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                                            • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                                            • SetWindowLongW.USER32(00000000), ref: 004081D8
                                            • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                                            • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                                            • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                                            • SetFocus.USER32(00000000), ref: 0040821D
                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                                            • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                                            • GetDlgItem.USER32(?,00000002), ref: 00408294
                                            • IsWindow.USER32(00000000), ref: 00408297
                                            • GetDlgItem.USER32(?,00000002), ref: 004082A7
                                            • EnableWindow.USER32(00000000), ref: 004082AA
                                            • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                                            • ShowWindow.USER32(00000000), ref: 004082C1
                                              • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                              • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                              • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                              • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                              • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                              • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                            • String ID:
                                            • API String ID: 855516470-0
                                            • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                            • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                                            • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                                            • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                                            • strncmp.MSVCRT ref: 004031F1
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                                            • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                                            • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$lstrcmpstrncmp
                                            • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                                            • API String ID: 2881732429-172299233
                                            • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                            • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                                            • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                                            • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                                            APIs
                                            • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                                            • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                                            • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                                            • GetSystemMetrics.USER32(00000011), ref: 00406B11
                                            • GetSystemMetrics.USER32(00000008), ref: 00406B18
                                            • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                                            • GetParent.USER32(?), ref: 00406B43
                                            • GetClientRect.USER32(00000000,?), ref: 00406B55
                                            • ClientToScreen.USER32(?,?), ref: 00406B68
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                                            • GetClientRect.USER32(?,?), ref: 00406C55
                                            • ClientToScreen.USER32(?,?), ref: 00406B71
                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                            • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                                            • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                              • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                              • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                                            • String ID:
                                            • API String ID: 747815384-0
                                            • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                            • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                                            • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                                            • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                            • LoadIconW.USER32(00000000), ref: 00407D33
                                            • GetSystemMetrics.USER32(00000032), ref: 00407D43
                                            • GetSystemMetrics.USER32(00000031), ref: 00407D48
                                            • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                            • LoadImageW.USER32(00000000), ref: 00407D54
                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                            • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                            • GetWindow.USER32(?,00000005), ref: 00407E76
                                            • GetWindow.USER32(?,00000005), ref: 00407E92
                                            • GetWindow.USER32(?,00000005), ref: 00407EAA
                                            • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                                            • LoadIconW.USER32(00000000), ref: 00407F0D
                                            • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                                            • SendMessageW.USER32(00000000), ref: 00407F2F
                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                                            • String ID:
                                            • API String ID: 1889686859-0
                                            • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                            • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                                            • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                                            • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                                            APIs
                                            • GetParent.USER32(?), ref: 00406F45
                                            • GetWindowLongW.USER32(00000000), ref: 00406F4C
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                                            • GetSystemMetrics.USER32(00000031), ref: 00406F91
                                            • GetSystemMetrics.USER32(00000032), ref: 00406F98
                                            • GetWindowDC.USER32(?), ref: 00406FAA
                                            • GetWindowRect.USER32(?,?), ref: 00406FB7
                                            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                                            • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                                            • String ID:
                                            • API String ID: 2586545124-0
                                            • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                            • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                                            • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                                            • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                                            APIs
                                            • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                                            • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                                            • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                                            • GetDlgItem.USER32(?,?), ref: 004067CC
                                            • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                                            • GetDlgItem.USER32(?,?), ref: 004067DD
                                            • SetFocus.USER32(00000000,?,000004B4,74DF0E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ItemMessageSend$Focus
                                            • String ID:
                                            • API String ID: 3946207451-0
                                            • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                            • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                                            • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                                            • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID: IA$IA$IA$IA$IA$IA
                                            • API String ID: 613200358-3743982587
                                            • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                            • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                                            • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                                            • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                                            • API String ID: 613200358-994561823
                                            • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                            • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                                            • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                                            • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                                            APIs
                                            • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                                            • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                                            • GetDC.USER32(00000000), ref: 00406DFB
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                                            • ReleaseDC.USER32(00000000,?), ref: 00406E24
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                                            • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                                            • String ID:
                                            • API String ID: 2693764856-0
                                            • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                            • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                                            • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                                            • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                                            APIs
                                            • GetDC.USER32(?), ref: 0040696E
                                            • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                                            • GetSystemMetrics.USER32(0000003D), ref: 00406993
                                            • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                                            • SelectObject.GDI32(?,?), ref: 004069B8
                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                                            • SelectObject.GDI32(?,?), ref: 004069F9
                                            • ReleaseDC.USER32(?,?), ref: 00406A08
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                                            • String ID:
                                            • API String ID: 2466489532-0
                                            • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                            • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                                            • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                                            • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                            • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                            • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                            • wsprintfW.USER32 ref: 00407BBB
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                            • String ID: %d%%
                                            • API String ID: 3753976982-1518462796
                                            • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                            • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                                            • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                                            • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                                            APIs
                                            • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                              • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$CharUpper$lstrlen
                                            • String ID: hAA
                                            • API String ID: 2587799592-1362906312
                                            • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                            • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                                            • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                                            • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                              • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                              • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                              • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                              • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$FileTime$AttributesSystemlstrlen
                                            • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                                            • API String ID: 4038993085-2279431206
                                            • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                            • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                                            • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                                            • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                                            APIs
                                            • EndDialog.USER32(?,00000000), ref: 00407579
                                            • KillTimer.USER32(?,00000001), ref: 0040758A
                                            • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                                            • SuspendThread.KERNEL32(00000274), ref: 004075CD
                                            • ResumeThread.KERNEL32(00000274), ref: 004075EA
                                            • EndDialog.USER32(?,00000000), ref: 0040760C
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: DialogThreadTimer$KillResumeSuspend
                                            • String ID:
                                            • API String ID: 4151135813-0
                                            • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                            • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                                            • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                                            • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                              • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                                            • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                            • wsprintfA.USER32 ref: 00404EBC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$wsprintf
                                            • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                                            • API String ID: 2704270482-1550708412
                                            • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                            • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                                            • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                                            • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                                            • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID: %%T/$%%T\
                                            • API String ID: 613200358-2679640699
                                            • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                            • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                                            • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                                            • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID: %%S/$%%S\
                                            • API String ID: 613200358-358529586
                                            • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                            • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                                            • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                                            • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                                            • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID: %%M/$%%M\
                                            • API String ID: 613200358-4143866494
                                            • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                            • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                                            • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                                            • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                                            APIs
                                            • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ExceptionThrow
                                            • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                                            • API String ID: 432778473-803145960
                                            • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                            • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                                            • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                                            • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                                            APIs
                                              • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                              • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                              • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                              • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@$??3@$memmove
                                            • String ID: IA$IA$IA
                                            • API String ID: 4294387087-924693538
                                            • Opcode ID: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                            • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                                            • Opcode Fuzzy Hash: 3ef1446a3f9eae3cfdc2853b922aca3bc2f9cc2cd28dfb990552d7283ffc15f1
                                            • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                                            APIs
                                            • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                                            • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                                            • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                                            • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??2@??3@ExceptionThrowmemcpy
                                            • String ID: IA
                                            • API String ID: 3462485524-3293647318
                                            • Opcode ID: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                            • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                                            • Opcode Fuzzy Hash: 6b78721643db57d5e00a8af36ebe01533f1ba9cf87e040577b2ff72779c9c95d
                                            • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: wsprintf$ExitProcesslstrcat
                                            • String ID: 0x%p
                                            • API String ID: 2530384128-1745605757
                                            • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                            • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                                            • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                                            • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                                            APIs
                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                              • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                                            • GetSystemMetrics.USER32(00000007), ref: 00407A51
                                            • GetSystemMetrics.USER32(00000007), ref: 00407A62
                                            • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$??3@
                                            • String ID: 100%%
                                            • API String ID: 2562992111-568723177
                                            • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                            • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                                            • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                                            • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                                            APIs
                                            • wsprintfW.USER32 ref: 00407A12
                                              • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                              • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                            • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: TextWindow$ItemLength$??3@wsprintf
                                            • String ID: (%u%s)
                                            • API String ID: 3595513934-2496177969
                                            • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                            • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                                            • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                                            • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                                            • GetProcAddress.KERNEL32(00000000), ref: 00402211
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetNativeSystemInfo$kernel32
                                            • API String ID: 2574300362-3846845290
                                            • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                            • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                                            • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                                            • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                                            • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                                            • API String ID: 2574300362-3900151262
                                            • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                            • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                                            • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                                            • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                                            • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                                            • API String ID: 2574300362-736604160
                                            • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                            • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                                            • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                                            • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
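                                             The three function blocks above each show the same LoadLibraryA/GetProcAddress pair, which is where the report's "dynamically determine API calls" and "Extensive use of GetProcAddress" signatures come from. The script below is an added triage example, not code from Joe Sandbox or from this report. It parses API bullet lines in the form rendered on this page (the regular expression is my reading of that rendering), groups them by function block, tallies direct calls per DLL and recovers the export name behind each GetProcAddress. The sample text is constructed from lines copied out of this listing. One assumption, noted in the code, is that the arguments the report prints are the stack slots at the call site, so the second value shown for LoadLibraryA is the export-name string consumed by the GetProcAddress that follows; that reading is consistent with every such pair in this listing but is not something the report states.

```python
"""Pull API-call records out of a Joe Sandbox function listing.

Added triage example; not part of Joe Sandbox or of this report.
It parses "APIs" bullet lines in the form rendered on this page:
    • <Symbol>.<MODULE>(<arg>,<arg>,...), ref: <hex>
    • Part of subcall function <hex>: <Symbol>.<MODULE>(...), ref: <hex>
    • <Symbol>.<MODULE> ref: <hex>            (argument list omitted)
"""
import re
from collections import Counter

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<symbol>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constructed sample: lines copied verbatim from the listing on this page.
SAMPLE = """\
APIs
• ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000024,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
  • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
• wsprintfA.USER32 ref: 00404EBC
APIs
• LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
• GetProcAddress.KERNEL32(00000000), ref: 00402211
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
• GetProcAddress.KERNEL32(00000000), ref: 0040219F
APIs
• LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
• GetProcAddress.KERNEL32(00000000), ref: 004021D1
"""


def parse_listing(text):
    """Split the listing at each 'APIs' header (one per function) and return
    a list of blocks; each block is the list of call records in listing order."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({
                "symbol": m.group("symbol"),
                "module": m.group("module"),
                "args": [a.strip() for a in args.split(",")] if args is not None else [],
                "ref": m.group("ref"),
                "callee": m.group("callee"),  # set when the call sits in a subcall
            })
    return blocks


def module_histogram(blocks):
    """Count direct (non-subcall) calls per DLL, e.g. MSVCRT vs KERNEL32 vs USER32."""
    counts = Counter()
    for block in blocks:
        for call in block:
            if call["callee"] is None:
                counts[call["module"]] += 1
    return counts


def dynamic_imports(blocks):
    """Return (library, export, ref) for every LoadLibraryA call that is directly
    followed by GetProcAddress within the same function.

    Assumption, not stated by the report: the printed arguments are the stack
    slots at the call site, so for LoadLibraryA slot 0 is the DLL name and
    slot 1 is the export-name string the following GetProcAddress consumes."""
    found = []
    for block in blocks:
        direct = [c for c in block if c["callee"] is None]
        for a, b in zip(direct, direct[1:]):
            if a["symbol"].startswith("LoadLibrary") and b["symbol"] == "GetProcAddress":
                lib = a["args"][0] if a["args"] else "?"
                export = a["args"][1] if len(a["args"]) > 1 else "?"
                found.append((lib, export, b["ref"]))
    return found


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("direct calls per module:", dict(module_histogram(parsed)))
    for lib, export, ref in dynamic_imports(parsed):
        print(f"{ref}: GetProcAddress({lib}, {export!r})")
```

                                             Run stand-alone it prints the per-module histogram and the three resolved exports. GetNativeSystemInfo, Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection are resolved at run time because older kernel32 builds do not export them; that is an ordinary compatibility pattern in 32-bit installers, not an indicator on its own. Together with the ;!@Install@!UTF-8! / ;!@InstallEnd@! markers and the 7ZSfx%03x.cmd temp-file name that appear elsewhere in this listing, they identify the 7-Zip SFX installer stub, so the triage interest lies in what the archive extracts and executes rather than in the stub's own API resolution.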
                                            APIs
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                              • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 1731127917-0
                                            • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                            • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                                            • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                                            • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                                            APIs
                                            • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                                            • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                                            • wsprintfW.USER32 ref: 00403FFB
                                            • GetFileAttributesW.KERNEL32(?), ref: 00404016
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: PathTemp$AttributesFilewsprintf
                                            • String ID:
                                            • API String ID: 1746483863-0
                                            • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                            • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                                            • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                                            • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                                            APIs
                                            • CharUpperW.USER32(?,74DEE0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                                            • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CharUpper
                                            • String ID:
                                            • API String ID: 9403516-0
                                            • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                            • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                                            • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                                            • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                                            APIs
                                              • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                              • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                              • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                                            • GetDlgItem.USER32(?,000004B7), ref: 00408020
                                            • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                              • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                              • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                              • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                              • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                              • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                              • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                                            • String ID:
                                            • API String ID: 2538916108-0
                                            • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                            • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                                            • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                                            • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                                            APIs
                                            • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                                            • GetSystemMetrics.USER32(00000031), ref: 0040683A
                                            • CreateFontIndirectW.GDI32(?), ref: 00406849
                                            • DeleteObject.GDI32(00000000), ref: 00406878
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                                            • String ID:
                                            • API String ID: 1900162674-0
                                            • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                            • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                                            • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                                            • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                                            APIs
                                            • memset.MSVCRT ref: 0040749F
                                            • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                                            • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                                            • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                              • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                              • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                                            • String ID:
                                            • API String ID: 1557639607-0
                                            • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                            • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                                            • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                                            • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                                            APIs
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                              • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                              • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@$EnvironmentExpandStrings$??2@
                                            • String ID:
                                            • API String ID: 612612615-0
                                            • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                            • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                                            • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                                            • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                                            APIs
                                              • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                              • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                                            • SetWindowTextW.USER32(?,?), ref: 00403B12
                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ??3@TextWindow$Length
                                            • String ID:
                                            • API String ID: 2308334395-0
                                            • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                            • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                                            • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                                            • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                                            APIs
                                            • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                                            • CreateFontIndirectW.GDI32(?), ref: 0040705B
                                            • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                                            • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: CreateFontIndirectItemMessageObjectSend
                                            • String ID:
                                            • API String ID: 2001801573-0
                                            • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                            • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                                            • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                                            • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                                            APIs
                                            • GetParent.USER32(?), ref: 00401BA8
                                            • GetWindowRect.USER32(?,?), ref: 00401BC1
                                            • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                                            • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: ClientScreen$ParentRectWindow
                                            • String ID:
                                            • API String ID: 2099118873-0
                                            • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                            • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                                            • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                                            • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: _wtol
                                            • String ID: GUIFlags$[G@
                                            • API String ID: 2131799477-2126219683
                                            • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                            • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                                            • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                                            • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                                            APIs
                                            • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                                            • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1723273119.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.1723259093.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723321013.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723340024.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.1723384343.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_WiezmDFd6L.jbxd
                                            Similarity
                                            • API ID: EnvironmentVariable
                                            • String ID: ?O@
                                            • API String ID: 1431749950-3511380453
                                            • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                            • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                                            • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                                            • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                                            Execution Graph

                                            Execution Coverage:5.1%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:10.8%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:64
127325->127328 127327 e7a319 127327->127208 127328->127327 127330 e7ac34 GetSystemTimeAsFileTime 127329->127330 127331 e4d849 127329->127331 127330->127331 127331->127212 127334 e4d014 127332->127334 127333 e4d1f1 127369 e3f9c0 27 API calls 8 library calls 127333->127369 127334->127333 127337 e4d059 127334->127337 127336 e4d0d8 127367 e4cf60 27 API calls 3 library calls 127336->127367 127337->127336 127339 e4d071 127337->127339 127366 e4cee0 27 API calls std::system_error::system_error 127339->127366 127341 e4d0e7 127368 e4cf60 27 API calls 3 library calls 127341->127368 127343 e4d0c9 Concurrency::details::_TaskCollection::_ReleaseAlias 127343->127218 127344 e4d098 127344->127343 127346 e96739 std::_Winerror_message 26 API calls 127344->127346 127345 e4d0ff 127347 e96739 std::_Winerror_message 26 API calls 127345->127347 127348 e4d18b Concurrency::details::_TaskCollection::_ReleaseAlias 127345->127348 127346->127345 127347->127348 127349 e96739 std::_Winerror_message 26 API calls 127348->127349 127350 e4d1d1 Concurrency::details::_TaskCollection::_ReleaseAlias 127348->127350 127351 e4d26d 127349->127351 127350->127218 127353 e4ae61 Concurrency::details::_TaskCollection::_ReleaseAlias 127352->127353 127354 e4ae3e 127352->127354 127353->127220 127354->127353 127355 e96739 std::_Winerror_message 26 API calls 127354->127355 127356 e4aeac 127355->127356 127358 e4d27b Concurrency::details::_TaskCollection::_ReleaseAlias 127357->127358 127359 e4d2d8 Concurrency::details::_TaskCollection::_ReleaseAlias 127358->127359 127360 e96739 std::_Winerror_message 26 API calls 127358->127360 127359->127224 127361 e4d2fc 127360->127361 127363 e4d322 127362->127363 127364 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 127363->127364 127365 e4d3a6 127364->127365 127365->127227 127366->127344 127367->127341 127368->127345 127369->127343 127370->127242 127371->127248 127372->127251 127373->127253 127374->127255 127375->127262 127376->127271 127377->127277 127379 
e96761 127378->127379 127382 e9655f 127379->127382 127383 e9657b ListArray ___scrt_fastfail 127382->127383 127384 e965a7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 127383->127384 127385 e96678 ___scrt_fastfail 127384->127385 127386 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 127385->127386 127387 e96696 GetCurrentProcess TerminateProcess 127386->127387 127387->127277 127388 e61440 GetWindowLongW 127389 e61496 DefWindowProcW 127388->127389 127390 e61468 127388->127390 127391 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 127389->127391 127390->127389 127393 e61482 127390->127393 127392 e614b1 127391->127392 127394 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 127393->127394 127395 e61490 127394->127395 127396 6c996fdf 127397 6c996ff9 127396->127397 127398 6c996fe3 127396->127398 127398->127397 127400 6c9a583d 7 API calls 3 library calls 127398->127400 127400->127397 127403 6c97ab10 MessageBoxA 127404 6c97fb5f 127409 6c99e0bb 127404->127409 127406 6c97fb69 127413 6c98068b 127406->127413 127410 6c99e0c7 __EH_prolog3 127409->127410 127416 6c99e417 127410->127416 127412 6c99e2b0 Concurrency::details::ExternalContextBase::~ExternalContextBase 127412->127406 127710 6c9806a0 127413->127710 127417 6c99e438 __fread_nolock 127416->127417 127426 6c99e4bf 127416->127426 127419 6c99e468 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 127417->127419 127427 6c99e4d4 127419->127427 127420 6c99e4d2 127420->127412 127422 6c99e4b1 127504 6c99e8f2 127422->127504 127590 6c99f667 127426->127590 127597 6c99f675 127427->127597 127429 6c99e4e0 GetSysColor 127430 6c99e4f5 GetSysColor 127429->127430 127431 6c99e501 GetSysColor 127429->127431 127430->127431 127433 6c99e524 127431->127433 127434 6c99e518 GetSysColor 127431->127434 127598 6c983f98 127433->127598 127434->127433 127436 6c99e53a 22 API calls 127437 6c99e66d GetSysColor 127436->127437 127438 
6c99e664 127436->127438 127439 6c99e67f GetSysColorBrush 127437->127439 127438->127439 127440 6c99e69b GetSysColorBrush 127439->127440 127441 6c99e8ec 127439->127441 127440->127441 127442 6c99e6ae GetSysColorBrush 127440->127442 127638 6c99789a RaiseException Concurrency::cancel_current_task 127441->127638 127442->127441 127444 6c99e6c1 127442->127444 127606 6c9832ba 127444->127606 127447 6c99e6ce CreateSolidBrush 127611 6c983264 127447->127611 127450 6c9832ba 4 API calls 127451 6c99e6ec CreateSolidBrush 127450->127451 127452 6c983264 3 API calls 127451->127452 127453 6c99e6fd 127452->127453 127454 6c9832ba 4 API calls 127453->127454 127455 6c99e70a CreateSolidBrush 127454->127455 127456 6c983264 3 API calls 127455->127456 127457 6c99e71b 127456->127457 127458 6c9832ba 4 API calls 127457->127458 127459 6c99e728 CreateSolidBrush 127458->127459 127460 6c983264 3 API calls 127459->127460 127461 6c99e73c 127460->127461 127462 6c9832ba 4 API calls 127461->127462 127463 6c99e749 CreateSolidBrush 127462->127463 127464 6c983264 3 API calls 127463->127464 127465 6c99e75a 127464->127465 127466 6c9832ba 4 API calls 127465->127466 127467 6c99e767 CreateSolidBrush 127466->127467 127468 6c983264 3 API calls 127467->127468 127469 6c99e778 127468->127469 127470 6c9832ba 4 API calls 127469->127470 127471 6c99e785 CreateSolidBrush 127470->127471 127472 6c983264 3 API calls 127471->127472 127473 6c99e796 127472->127473 127474 6c9832ba 4 API calls 127473->127474 127475 6c99e7a3 CreatePen 127474->127475 127476 6c983264 3 API calls 127475->127476 127477 6c99e7bc 127476->127477 127478 6c9832ba 4 API calls 127477->127478 127479 6c99e7c9 CreatePen 127478->127479 127480 6c983264 3 API calls 127479->127480 127481 6c99e7e0 127480->127481 127482 6c9832ba 4 API calls 127481->127482 127483 6c99e7ed CreatePen 127482->127483 127484 6c983264 3 API calls 127483->127484 127485 6c99e804 127484->127485 127486 6c99e81b 127485->127486 127489 6c9832ba 4 API calls 127485->127489 127487 6c99e888 
127486->127487 127488 6c99e824 CreateSolidBrush 127486->127488 127634 6c99f4a2 7 API calls 2 library calls 127487->127634 127490 6c983264 3 API calls 127488->127490 127489->127486 127492 6c99e886 127490->127492 127617 6c9d2019 127492->127617 127493 6c99e892 127493->127441 127494 6c99e896 127493->127494 127496 6c983264 3 API calls 127494->127496 127498 6c99e8af CreatePatternBrush 127496->127498 127500 6c983264 3 API calls 127498->127500 127502 6c99e8c0 127500->127502 127501 6c99e8e6 Concurrency::details::ExternalContextBase::~ExternalContextBase 127501->127422 127635 6c97d720 127502->127635 127505 6c99e901 __EH_prolog3_GS 127504->127505 127506 6c983f98 4 API calls 127505->127506 127507 6c99e910 GetDeviceCaps 127506->127507 127509 6c99e94a 127507->127509 127508 6c99e97e 127510 6c99e99c 127508->127510 127513 6c983290 3 API calls 127508->127513 127509->127508 127512 6c983290 3 API calls 127509->127512 127511 6c99e9ba 127510->127511 127517 6c983290 3 API calls 127510->127517 127514 6c99e9d8 127511->127514 127521 6c983290 3 API calls 127511->127521 127515 6c99e977 DeleteObject 127512->127515 127516 6c99e995 DeleteObject 127513->127516 127518 6c99e9f6 127514->127518 127524 6c983290 3 API calls 127514->127524 127515->127508 127516->127510 127520 6c99e9b3 DeleteObject 127517->127520 127519 6c99ea14 127518->127519 127526 6c983290 3 API calls 127518->127526 127522 6c99ea32 127519->127522 127530 6c983290 3 API calls 127519->127530 127520->127511 127523 6c99e9d1 DeleteObject 127521->127523 127527 6c99ea50 127522->127527 127533 6c983290 3 API calls 127522->127533 127523->127514 127525 6c99e9ef DeleteObject 127524->127525 127525->127518 127529 6c99ea0d DeleteObject 127526->127529 127528 6c99ea6e 127527->127528 127534 6c983290 3 API calls 127527->127534 127531 6c99ea8c 127528->127531 127538 6c983290 3 API calls 127528->127538 127529->127519 127532 6c99ea2b DeleteObject 127530->127532 127670 6c99f3a3 127531->127670 127532->127522 127536 6c99ea49 DeleteObject 127533->127536 127537 
6c99ea67 DeleteObject 127534->127537 127536->127527 127537->127528 127540 6c99ea85 DeleteObject 127538->127540 127539 6c99eaa4 __fread_nolock 127541 6c99eab1 GetTextCharsetInfo 127539->127541 127540->127531 127542 6c99eaeb lstrcpyW 127541->127542 127544 6c99eb8b CreateFontIndirectW 127542->127544 127545 6c99eb1f 127542->127545 127547 6c983264 3 API calls 127544->127547 127545->127544 127546 6c99eb28 EnumFontFamiliesW 127545->127546 127548 6c99eb59 EnumFontFamiliesW 127546->127548 127549 6c99eb44 lstrcpyW 127546->127549 127552 6c99eb9d 127547->127552 127549->127544 127591 6c99f66f 127590->127591 127592 6c99f670 IsProcessorFeaturePresent 127590->127592 127591->127420 127594 6c9f86c0 127592->127594 127709 6c9f87a6 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 127594->127709 127596 6c9f87a3 127596->127420 127597->127429 127599 6c983fa4 __EH_prolog3 127598->127599 127600 6c983fc7 GetWindowDC 127599->127600 127639 6c983446 127600->127639 127602 6c983fdd Concurrency::details::ExternalContextBase::~ExternalContextBase 127602->127436 127607 6c9832c0 127606->127607 127608 6c9832c3 127606->127608 127607->127447 127648 6c983290 127608->127648 127610 6c9832c8 DeleteObject 127610->127447 127612 6c983286 127611->127612 127613 6c983271 127611->127613 127612->127450 127653 6c984160 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 127613->127653 127615 6c98327b 127654 6c9a0682 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 127615->127654 127618 6c9d2022 127617->127618 127628 6c99e8d4 127617->127628 127618->127628 127655 6ca02832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127618->127655 127620 6c9d2035 127656 6ca02832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection 
Concurrency::details::ExternalContextBase::~ExternalContextBase 127620->127656 127622 6c9d203f 127657 6ca02832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127622->127657 127624 6c9d2049 127658 6ca02832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127624->127658 127626 6c9d2053 127659 6ca02832 DeleteObject RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127626->127659 127629 6c983fed 127628->127629 127660 6c983488 127629->127660 127631 6c98401d ReleaseDC 127664 6c983d3a 127631->127664 127634->127493 127636 6c9832ba 4 API calls 127635->127636 127637 6c97d770 127636->127637 127637->127492 127640 6c983453 127639->127640 127644 6c983469 127639->127644 127646 6c9840ef RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 127640->127646 127642 6c98345e 127647 6c9a0682 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 127642->127647 127644->127602 127645 6c982beb RaiseException Concurrency::cancel_current_task 127644->127645 127646->127642 127647->127644 127649 6c98329b 127648->127649 127650 6c9832a2 127648->127650 127652 6c984160 RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 127649->127652 127650->127610 127652->127650 127653->127615 127654->127612 127655->127620 127656->127622 127657->127624 127658->127626 127659->127628 127661 6c98349b 127660->127661 127662 6c983494 127660->127662 127661->127631 127669 6c9840ef RaiseException EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 127662->127669 127665 6c983d68 127664->127665 127666 6c983d74 127664->127666 127667 
6c983488 3 API calls 127665->127667 127666->127501 127668 6c983d6d DeleteDC 127667->127668 127668->127666 127669->127661 127671 6c99f3b8 SystemParametersInfoW 127670->127671 127672 6c99f3b2 127670->127672 127671->127539 127672->127671 127709->127596 127711 6c9806af 127710->127711 127712 6c9806b6 127710->127712 127716 6cacff98 32 API calls 127711->127716 127717 6cacff27 32 API calls 127712->127717 127715 6c97fb73 127716->127715 127717->127715 127718 eacd20 127723 eac8aa 127718->127723 127722 eacd48 127724 eac8d5 127723->127724 127734 eaca1e 127724->127734 127738 eb4d7c 315 API calls 2 library calls 127724->127738 127726 eacac8 127742 e96729 26 API calls __cftoe 127726->127742 127728 eaca27 127728->127722 127735 eb5596 127728->127735 127730 eaca68 127730->127734 127739 eb4d7c 315 API calls 2 library calls 127730->127739 127732 eaca87 127732->127734 127740 eb4d7c 315 API calls 2 library calls 127732->127740 127734->127728 127741 e96802 20 API calls __dosmaperr 127734->127741 127743 eb4e9f 127735->127743 127737 eb55b1 127737->127722 127738->127730 127739->127732 127740->127734 127741->127726 127742->127728 127745 eb4eab __FrameHandler3::FrameUnwindToState 127743->127745 127744 eb4eb9 127761 e96802 20 API calls __dosmaperr 127744->127761 127745->127744 127747 eb4ef2 127745->127747 127754 eb5545 127747->127754 127748 eb4ebe 127762 e96729 26 API calls __cftoe 127748->127762 127753 eb4ec8 __wsopen_s 127753->127737 127764 eb65b1 127754->127764 127757 eb4f16 127763 eb4f3f LeaveCriticalSection __wsopen_s 127757->127763 127761->127748 127762->127753 127763->127753 127765 eb65bd 127764->127765 127766 eb65d4 127764->127766 127840 e96802 20 API calls __dosmaperr 127765->127840 127768 eb65dc 127766->127768 127769 eb65f3 127766->127769 127842 e96802 20 API calls __dosmaperr 127768->127842 127844 ea9493 10 API calls 2 library calls 127769->127844 127770 eb65c2 127841 e96729 26 API calls __cftoe 127770->127841 127774 eb65e1 127843 e96729 26 API calls __cftoe 127774->127843 127775 
eb65fa MultiByteToWideChar 127777 eb6629 127775->127777 127778 eb6619 GetLastError 127775->127778 127846 ea7a29 127777->127846 127845 e967cc 20 API calls 2 library calls 127778->127845 127781 eb555b 127781->127757 127788 eb55b6 127781->127788 127783 eb6638 MultiByteToWideChar 127784 eb664d GetLastError 127783->127784 127787 eb6659 127783->127787 127853 e967cc 20 API calls 2 library calls 127784->127853 127785 ea79ef _free 20 API calls 127785->127781 127787->127785 127789 eb55d3 127788->127789 127790 eb55e8 127789->127790 127791 eb5601 127789->127791 127870 e967ef 20 API calls __dosmaperr 127790->127870 127856 eb0714 127791->127856 127794 eb5606 127795 eb560f 127794->127795 127796 eb5626 127794->127796 127872 e967ef 20 API calls __dosmaperr 127795->127872 127869 eb5284 CreateFileW 127796->127869 127800 eb565f 127802 eb56dc GetFileType 127800->127802 127804 eb56b1 GetLastError 127800->127804 127874 eb5284 CreateFileW 127800->127874 127801 eb5614 127873 e96802 20 API calls __dosmaperr 127801->127873 127805 eb56e7 GetLastError 127802->127805 127807 eb572e 127802->127807 127875 e967cc 20 API calls 2 library calls 127804->127875 127876 e967cc 20 API calls 2 library calls 127805->127876 127806 eb55ed 127871 e96802 20 API calls __dosmaperr 127806->127871 127878 eb065d 21 API calls 3 library calls 127807->127878 127811 eb56f5 CloseHandle 127811->127806 127814 eb571e 127811->127814 127813 eb56a4 127813->127802 127813->127804 127877 e96802 20 API calls __dosmaperr 127814->127877 127815 eb574f 127817 eb579b 127815->127817 127879 eb5495 326 API calls 4 library calls 127815->127879 127822 eb57c8 127817->127822 127880 eb5037 324 API calls 4 library calls 127817->127880 127818 eb5723 127818->127806 127821 eb57c1 127821->127822 127823 eb57d9 127821->127823 127881 ea9e9c 29 API calls 2 library calls 127822->127881 127825 eb5583 127823->127825 127826 eb5857 CloseHandle 127823->127826 127834 ea79ef 127825->127834 127882 eb5284 CreateFileW 127826->127882 127828 eb5882 127829 eb57d1 
127828->127829 127830 eb588c GetLastError 127828->127830 127829->127825 127883 e967cc 20 API calls 2 library calls 127830->127883 127832 eb5898 127884 eb0826 21 API calls 3 library calls 127832->127884 127835 ea79fa HeapFree 127834->127835 127836 ea7a23 _free 127834->127836 127835->127836 127837 ea7a0f 127835->127837 127836->127757 127892 e96802 20 API calls __dosmaperr 127837->127892 127839 ea7a15 GetLastError 127839->127836 127840->127770 127841->127781 127842->127774 127843->127781 127844->127775 127845->127781 127847 ea7a67 127846->127847 127851 ea7a37 _strftime 127846->127851 127855 e96802 20 API calls __dosmaperr 127847->127855 127849 ea7a52 RtlAllocateHeap 127850 ea7a65 127849->127850 127849->127851 127850->127783 127850->127787 127851->127847 127851->127849 127854 ea52fa 7 API calls 2 library calls 127851->127854 127853->127787 127854->127851 127855->127850 127857 eb0720 __FrameHandler3::FrameUnwindToState 127856->127857 127885 e9c53e EnterCriticalSection 127857->127885 127859 eb0727 127861 eb074c 127859->127861 127865 eb07ba EnterCriticalSection 127859->127865 127867 eb076e 127859->127867 127889 eb04f3 21 API calls 3 library calls 127861->127889 127863 eb0751 127863->127867 127890 eb063a EnterCriticalSection 127863->127890 127864 eb0797 __wsopen_s 127864->127794 127865->127867 127868 eb07c7 LeaveCriticalSection 127865->127868 127886 eb081d 127867->127886 127868->127859 127869->127800 127870->127806 127871->127825 127872->127801 127873->127806 127874->127813 127875->127806 127876->127811 127877->127818 127878->127815 127879->127817 127880->127821 127881->127829 127882->127828 127883->127832 127884->127829 127885->127859 127891 e9c586 LeaveCriticalSection 127886->127891 127888 eb0824 127888->127864 127889->127863 127890->127867 127891->127888 127892->127839 127893 6c9a5794 127894 6c9a57ad 127893->127894 127895 6c9a579d 127893->127895 127899 6c9a57ff 127894->127899 127905 6c9a53fd EnterCriticalSection 127894->127905 127924 6c9a53bd TlsAlloc 
InitializeCriticalSection RaiseException 127895->127924 127898 6c9a57c1 127898->127899 127900 6c9a57c7 127898->127900 127926 6c99789a RaiseException Concurrency::cancel_current_task 127899->127926 127925 6c9a56f6 EnterCriticalSection TlsGetValue LeaveCriticalSection LeaveCriticalSection 127900->127925 127904 6c9a57d3 Concurrency::details::ExternalContextBase::~ExternalContextBase 127906 6c9a5421 127905->127906 127909 6c9a5488 GlobalHandle 127906->127909 127910 6c9a5473 127906->127910 127916 6c9a5534 LeaveCriticalSection 127906->127916 127923 6c9a54d1 __fread_nolock 127906->127923 127908 6c9a5501 LeaveCriticalSection 127908->127898 127912 6c9a549b GlobalUnlock 127909->127912 127913 6c9a551c 127909->127913 127917 6c9a547b GlobalAlloc 127910->127917 127918 6c9972c2 127912->127918 127915 6c9a5521 GlobalHandle 127913->127915 127913->127916 127915->127916 127919 6c9a552d GlobalLock 127915->127919 127927 6c997866 RaiseException Concurrency::cancel_current_task 127916->127927 127920 6c9a54bd 127917->127920 127921 6c9a54b1 GlobalReAlloc 127918->127921 127919->127916 127920->127913 127922 6c9a54c1 GlobalLock 127920->127922 127921->127920 127922->127916 127922->127923 127923->127908 127924->127894 127925->127904 127928 ea83a4 127943 ea79c9 127928->127943 127930 ea83b2 127931 ea83df 127930->127931 127932 ea83c0 127930->127932 127934 ea83ec 127931->127934 127939 ea83f9 127931->127939 127961 e96802 20 API calls __dosmaperr 127932->127961 127962 e96802 20 API calls __dosmaperr 127934->127962 127936 ea8489 127950 ea84b5 127936->127950 127938 ea83c5 127939->127936 127939->127938 127941 ea847c 127939->127941 127963 eb3555 127939->127963 127941->127936 127972 ea91b6 21 API calls 2 library calls 127941->127972 127944 ea79ea 127943->127944 127945 ea79d5 127943->127945 127944->127930 127973 e96802 20 API calls __dosmaperr 127945->127973 127947 ea79da 127974 e96729 26 API calls __cftoe 127947->127974 127949 ea79e5 127949->127930 127951 ea79c9 __fread_nolock 26 API calls 127950->127951 
127952 ea84c4 127951->127952 127953 ea8568 127952->127953 127954 ea84d6 127952->127954 127955 ea76d2 __wsopen_s 315 API calls 127953->127955 127956 ea84f3 127954->127956 127959 ea8519 127954->127959 127957 ea8500 127955->127957 127978 ea76d2 127956->127978 127957->127938 127959->127957 127975 ea8180 127959->127975 127961->127938 127962->127938 127964 eb356f 127963->127964 127965 eb3562 127963->127965 127967 eb357b 127964->127967 128188 e96802 20 API calls __dosmaperr 127964->128188 128187 e96802 20 API calls __dosmaperr 127965->128187 127967->127941 127969 eb3567 127969->127941 127970 eb359c 128189 e96729 26 API calls __cftoe 127970->128189 127972->127936 127973->127947 127974->127949 128003 ea7ffd 127975->128003 127977 ea8196 127977->127957 127979 ea76de __FrameHandler3::FrameUnwindToState 127978->127979 127980 ea76fe 127979->127980 127981 ea76e6 127979->127981 127982 ea779c 127980->127982 127988 ea7733 127980->127988 128120 e967ef 20 API calls __dosmaperr 127981->128120 128125 e967ef 20 API calls __dosmaperr 127982->128125 127985 ea76eb 128121 e96802 20 API calls __dosmaperr 127985->128121 127987 ea77a1 128126 e96802 20 API calls __dosmaperr 127987->128126 128066 eb063a EnterCriticalSection 127988->128066 127991 ea77a9 128127 e96729 26 API calls __cftoe 127991->128127 127992 ea7739 127994 ea776a 127992->127994 127995 ea7755 127992->127995 128067 ea77bd 127994->128067 128122 e96802 20 API calls __dosmaperr 127995->128122 127996 ea76f3 __wsopen_s 127996->127957 127999 ea775a 128123 e967ef 20 API calls __dosmaperr 127999->128123 128000 ea7765 128124 ea7794 LeaveCriticalSection __wsopen_s 128000->128124 128004 ea8009 __FrameHandler3::FrameUnwindToState 128003->128004 128005 ea8029 128004->128005 128006 ea8011 128004->128006 128008 ea80dd 128005->128008 128012 ea8061 128005->128012 128038 e967ef 20 API calls __dosmaperr 128006->128038 128043 e967ef 20 API calls __dosmaperr 128008->128043 128009 ea8016 128039 e96802 20 API calls __dosmaperr 128009->128039 128011 ea80e2 
128044 e96802 20 API calls __dosmaperr 128011->128044 128028 eb063a EnterCriticalSection 128012->128028 128016 ea80ea 128045 e96729 26 API calls __cftoe 128016->128045 128017 ea8067 128019 ea808b 128017->128019 128020 ea80a0 128017->128020 128040 e96802 20 API calls __dosmaperr 128019->128040 128029 ea8102 128020->128029 128023 ea8090 128041 e967ef 20 API calls __dosmaperr 128023->128041 128024 ea801e __wsopen_s 128024->127977 128025 ea809b 128042 ea80d5 LeaveCriticalSection __wsopen_s 128025->128042 128028->128017 128046 eb08b7 128029->128046 128031 ea8114 128032 ea811c 128031->128032 128033 ea812d SetFilePointerEx 128031->128033 128059 e96802 20 API calls __dosmaperr 128032->128059 128035 ea8145 GetLastError 128033->128035 128037 ea8121 128033->128037 128060 e967cc 20 API calls 2 library calls 128035->128060 128037->128025 128038->128009 128039->128024 128040->128023 128041->128025 128042->128024 128043->128011 128044->128016 128045->128024 128047 eb08c4 128046->128047 128049 eb08d9 128046->128049 128061 e967ef 20 API calls __dosmaperr 128047->128061 128052 eb08fe 128049->128052 128063 e967ef 20 API calls __dosmaperr 128049->128063 128051 eb08c9 128062 e96802 20 API calls __dosmaperr 128051->128062 128052->128031 128053 eb0909 128064 e96802 20 API calls __dosmaperr 128053->128064 128056 eb08d1 128056->128031 128057 eb0911 128065 e96729 26 API calls __cftoe 128057->128065 128059->128037 128060->128037 128061->128051 128062->128056 128063->128053 128064->128057 128065->128056 128066->127992 128068 ea77eb 128067->128068 128116 ea77e4 128067->128116 128069 ea780e 128068->128069 128070 ea77ef 128068->128070 128073 ea785f 128069->128073 128074 ea7842 128069->128074 128138 e967ef 20 API calls __dosmaperr 128070->128138 128071 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 128075 ea79c5 128071->128075 128078 ea7875 128073->128078 128128 ea819b 128073->128128 128141 e967ef 20 API calls __dosmaperr 128074->128141 128075->128000 128076 ea77f4 
128139 e96802 20 API calls __dosmaperr 128076->128139 128131 ea7362 128078->128131 128081 ea7847 128142 e96802 20 API calls __dosmaperr 128081->128142 128083 ea77fb 128140 e96729 26 API calls __cftoe 128083->128140 128087 ea78bc 128093 ea78d0 128087->128093 128094 ea7916 WriteFile 128087->128094 128088 ea7883 128090 ea78a9 128088->128090 128091 ea7887 128088->128091 128089 ea784f 128143 e96729 26 API calls __cftoe 128089->128143 128145 ea7142 315 API calls 3 library calls 128090->128145 128110 ea797d 128091->128110 128144 ea72f5 GetLastError WriteConsoleW CreateFileW __wsopen_s 128091->128144 128097 ea78d8 128093->128097 128098 ea7906 128093->128098 128096 ea7939 GetLastError 128094->128096 128103 ea789f 128094->128103 128096->128103 128099 ea78dd 128097->128099 128100 ea78f6 128097->128100 128148 ea73d8 7 API calls 2 library calls 128098->128148 128104 ea78e6 128099->128104 128099->128110 128147 ea75a5 8 API calls 2 library calls 128100->128147 128109 ea7959 128103->128109 128103->128110 128103->128116 128146 ea74b7 7 API calls 2 library calls 128104->128146 128108 ea78f4 128108->128103 128112 ea7960 128109->128112 128113 ea7974 128109->128113 128110->128116 128152 e96802 20 API calls __dosmaperr 128110->128152 128111 ea79a2 128153 e967ef 20 API calls __dosmaperr 128111->128153 128149 e96802 20 API calls __dosmaperr 128112->128149 128151 e967cc 20 API calls 2 library calls 128113->128151 128116->128071 128118 ea7965 128150 e967ef 20 API calls __dosmaperr 128118->128150 128120->127985 128121->127996 128122->127999 128123->128000 128124->127996 128125->127987 128126->127991 128127->127996 128129 ea8102 __fread_nolock 28 API calls 128128->128129 128130 ea81b1 128129->128130 128130->128078 128132 eb3555 __fread_nolock 26 API calls 128131->128132 128133 ea7372 128132->128133 128134 ea7377 128133->128134 128154 ea6ec4 GetLastError 128133->128154 128134->128087 128134->128088 128136 ea739a 128136->128134 128137 ea73b8 GetConsoleMode 128136->128137 128137->128134 
128138->128076 128139->128083 128140->128116 128141->128081 128142->128089 128143->128116 128144->128103 128145->128103 128146->128108 128147->128108 128148->128108 128149->128118 128150->128116 128151->128116 128152->128111 128153->128116 128155 ea6eda 128154->128155 128156 ea6ee0 128154->128156 128181 ea966e 11 API calls 2 library calls 128155->128181 128160 ea6f2f SetLastError 128156->128160 128174 ea9213 128156->128174 128160->128136 128161 ea6efa 128163 ea79ef _free 20 API calls 128161->128163 128165 ea6f00 128163->128165 128164 ea6f0f 128164->128161 128166 ea6f16 128164->128166 128167 ea6f3b SetLastError 128165->128167 128183 ea6d36 20 API calls __dosmaperr 128166->128183 128184 e9ca4b 315 API calls 2 library calls 128167->128184 128169 ea6f21 128171 ea79ef _free 20 API calls 128169->128171 128173 ea6f28 128171->128173 128172 ea6f47 128173->128160 128173->128167 128175 ea9220 _strftime 128174->128175 128176 ea9260 128175->128176 128177 ea924b RtlAllocateHeap 128175->128177 128185 ea52fa 7 API calls 2 library calls 128175->128185 128186 e96802 20 API calls __dosmaperr 128176->128186 128177->128175 128179 ea6ef2 128177->128179 128179->128161 128182 ea96c4 11 API calls 2 library calls 128179->128182 128181->128156 128182->128164 128183->128169 128184->128172 128185->128175 128186->128179 128187->127969 128188->127970 128189->127969 128190 eacda5 128195 eacadc 128190->128195 128193 eacdcd 128200 eacb0d 128195->128200 128197 eacd0c 128219 e96729 26 API calls __cftoe 128197->128219 128199 eacc61 128199->128193 128207 eb58df 128199->128207 128200->128200 128203 eacc56 128200->128203 128210 ea423c 128200->128210 128203->128199 128218 e96802 20 API calls __dosmaperr 128203->128218 128204 ea423c 315 API calls 128205 eaccc9 128204->128205 128205->128203 128206 ea423c 315 API calls 128205->128206 128206->128203 128223 eb4f6b 128207->128223 128209 eb58fa 128209->128193 128211 ea42dc 128210->128211 128212 ea4250 128210->128212 128222 ea42f4 315 API calls 3 library calls 
131139->131141 132211 e417d0 HeapAlloc RaiseException __CxxThrowException@8 131140->132211 131144 e41180 38 API calls 131141->131144 131143 e35e4b 131145 e35e1f 131144->131145 131146 e32a57 131145->131146 131147 e36fe0 24 API calls 131145->131147 131148 e40f40 131146->131148 131147->131146 131149 e935c0 ListArray 131148->131149 131150 e40f75 GetModuleFileNameW PathRemoveFileSpecW PathAddBackslashW 131149->131150 131151 e40fc2 131150->131151 131151->131151 131152 e40d30 27 API calls 131151->131152 131153 e40fe0 131152->131153 131154 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131153->131154 131155 e40fed 131154->131155 131155->130574 131157 e6532a SetWindowLongW 131156->131157 131158 e6533b ListArray 131156->131158 131160 e65733 Concurrency::details::_TaskCollection::_ReleaseAlias 131157->131160 131159 e6534e lstrcpynW PathAddBackslashW 131158->131159 131161 e6539c 131159->131161 131162 e653c0 131159->131162 131168 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131160->131168 131163 e65407 131161->131163 131164 e653b5 131161->131164 131162->131162 131166 e41470 51 API calls 131162->131166 131165 e41470 51 API calls 131163->131165 131167 e416a0 25 API calls 131164->131167 131165->131162 131171 e6544b 131166->131171 131167->131162 131169 e657ec 131168->131169 131169->130581 131170 e654d5 131175 e41470 51 API calls 131170->131175 131171->131170 131173 e65483 131171->131173 131181 e6548e 131171->131181 131172 e6556e 131178 e41470 51 API calls 131172->131178 131177 e416a0 25 API calls 131173->131177 131175->131181 131176 e6551c 131180 e416a0 25 API calls 131176->131180 131177->131181 131185 e65527 131178->131185 131180->131185 131181->131172 131181->131176 131181->131185 131183 e655ad 131184 e6562f GetModuleHandleW RegisterClassW CreateWindowExW 131183->131184 131186 e65625 Concurrency::details::_TaskCollection::_ReleaseAlias 131183->131186 131189 e657f5 131183->131189 131187 e656e4 SetWindowLongW 131184->131187 
131188 e656ee 131184->131188 132212 e61a30 CoCreateGuid UuidToStringW 131185->132212 131186->131184 131187->131188 132223 e68980 8 API calls Concurrency::details::SchedulerProxy::CreateExternalThreadResource 131188->132223 131191 e96739 std::_Winerror_message 26 API calls 131189->131191 131193 e657fa 131191->131193 131194 e96739 std::_Winerror_message 26 API calls 131193->131194 131201 e40eeb 131200->131201 131202 e40f0c Concurrency::details::_TaskCollection::_ReleaseAlias 131200->131202 131201->131202 131203 e96739 std::_Winerror_message 26 API calls 131201->131203 131202->130585 131204 e40f32 131203->131204 131206 e6b8b0 131205->131206 131207 e32c66 131205->131207 132227 e7b7ab 5 API calls __Init_thread_wait 131206->132227 131219 e6b9a0 131207->131219 131209 e6b8ba 131209->131207 131210 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131209->131210 131211 e6b8e3 ListArray 131210->131211 131212 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131211->131212 131213 e6b92b 131212->131213 131214 e7a63f __Mtx_init_in_situ InitializeCriticalSectionAndSpinCount 131213->131214 131220 e6b9e9 131219->131220 131232 e6ba8d 131219->131232 131222 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131220->131222 131221 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131223 e32c6d 131221->131223 131224 e6b9f3 131222->131224 131223->130602 132230 e61020 131224->132230 131232->131221 131458->130580 131459->130587 131460->130592 131461->130598 131462->130612 131463->130616 131464->130635 131465->130641 131892->131019 131894 e39067 131893->131894 131895 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131894->131895 131896 e383e1 131895->131896 131897 e3f140 131896->131897 131898 e7939b __Xtime_get_ticks GetSystemTimeAsFileTime 131897->131898 131899 e3f157 131898->131899 131900 e38413 131899->131900 131901 e3f16f 
GetCurrentThreadId 131899->131901 131902 e4fd00 131900->131902 131917 e50090 131900->131917 131901->131900 131922 e4f6a0 131902->131922 131904 e4fdaa 131905 e4fe02 Concurrency::details::_TaskCollection::_ReleaseAlias 131904->131905 131906 e96739 std::_Winerror_message 26 API calls 131904->131906 131905->131029 131907 e4fe28 131906->131907 131908 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131907->131908 131909 e4fe8a 131908->131909 131910 e4fd00 315 API calls 131909->131910 131911 e4fee8 131910->131911 131912 e4fffe Concurrency::details::_TaskCollection::_ReleaseAlias 131911->131912 131913 e96739 std::_Winerror_message 26 API calls 131911->131913 131912->131029 131914 e50022 131913->131914 131915 e50062 131914->131915 131925 e4c450 131914->131925 131915->131029 131918 e5009c 131917->131918 131919 e500ae 131917->131919 131918->131919 131920 e4c6a0 315 API calls 131918->131920 131919->131029 131920->131918 131934 e4f850 131922->131934 131924 e4f6bf 131924->131904 131951 e7a660 131925->131951 131928 e4c490 131954 e4c6a0 131928->131954 131930 e4c4be 131930->131914 131931 e4c4a4 __Mtx_unlock 131931->131930 131985 e79e53 27 API calls std::_Throw_Cpp_error 131931->131985 131935 e4f872 131934->131935 131936 e4f87a 131934->131936 131935->131924 131937 e4f882 131936->131937 131938 e4f8fb 131936->131938 131940 e4f8c4 131937->131940 131941 e4f88d 131937->131941 131950 e4ee30 27 API calls std::system_error::system_error 131938->131950 131942 e4f8e5 131940->131942 131945 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131940->131945 131943 e7bb4d Concurrency::details::SchedulerProxy::CreateExternalThreadResource 8 API calls 131941->131943 131942->131924 131944 e4f89e 131943->131944 131946 e96739 std::_Winerror_message 26 API calls 131944->131946 131947 e4f8a7 131944->131947 131948 e4f8ce 131945->131948 131949 e4f905 131946->131949 131947->131924 131948->131924 131986 e7a3ba 131951->131986 131955 
e4c7c8 ListArray 131954->131955 131956 e4c6e7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 131954->131956 132006 e971fa 131955->132006 131956->131955 131958 e4d3b0 27 API calls 131956->131958 131960 e4c763 131958->131960 131964 e4ccf0 315 API calls 131960->131964 131961 e4c8b3 132027 e96802 20 API calls __dosmaperr 131961->132027 131962 e4c84d 131965 e4c887 Concurrency::details::_TaskCollection::_ReleaseAlias 131962->131965 131971 e4c902 131962->131971 131967 e4c77c 131964->131967 131968 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131965->131968 131966 e4c8b8 132028 e4ccd0 27 API calls std::system_error::system_error 131966->132028 131970 e4c7b3 Concurrency::details::_TaskCollection::_ReleaseAlias 131967->131970 131976 e4c8ae 131967->131976 131972 e4c8a8 131968->131972 132026 e4d660 315 API calls 4 library calls 131970->132026 131974 e96739 std::_Winerror_message 26 API calls 131971->131974 131972->131931 131973 e4c8c8 132029 e54350 27 API calls 6 library calls 131973->132029 131977 e4c907 131974->131977 131979 e96739 std::_Winerror_message 26 API calls 131976->131979 132015 e96a27 131977->132015 131979->131961 131981 e4c918 131981->131931 131982 e4c8f1 132030 e92a4a RaiseException 131982->132030 131984 e79e53 27 API calls std::_Throw_Cpp_error 131984->131928 131985->131930 131987 e7a3e2 GetCurrentThreadId 131986->131987 131988 e7a410 131986->131988 131991 e7a3ed GetCurrentThreadId 131987->131991 132000 e7a408 131987->132000 131989 e7a414 GetCurrentThreadId 131988->131989 131990 e7a43a 131988->131990 131992 e7a423 131989->131992 131993 e7a4d3 GetCurrentThreadId 131990->131993 131996 e7a45a 131990->131996 131991->132000 131994 e7a52a GetCurrentThreadId 131992->131994 131992->132000 131993->131992 131994->132000 131995 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 131997 e4c483 131995->131997 132004 e79475 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 131996->132004 131997->131928 131997->131984 
132000->131995 132001 e7a492 GetCurrentThreadId 132001->131992 132003 e7a465 __Xtime_diff_to_millis2 132001->132003 132003->131992 132003->132000 132003->132001 132005 e79475 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 132003->132005 132004->132003 132005->132003 132007 e97208 132006->132007 132013 e4c846 132006->132013 132008 e9722a 132007->132008 132009 e97214 132007->132009 132007->132013 132031 e97013 132008->132031 132034 e96802 20 API calls __dosmaperr 132009->132034 132012 e97219 132035 e96729 26 API calls __cftoe 132012->132035 132013->131961 132013->131962 132016 e96a33 __FrameHandler3::FrameUnwindToState 132015->132016 132017 e96a3a 132016->132017 132018 e96a43 132016->132018 132093 e9694f 315 API calls 4 library calls 132017->132093 132082 e97a83 EnterCriticalSection 132018->132082 132021 e96a4d 132083 e968ff 132021->132083 132025 e96a40 __wsopen_s 132025->131981 132026->131955 132027->131966 132028->131973 132029->131982 132030->131971 132036 e96fc2 132031->132036 132033 e97037 132033->132013 132034->132012 132035->132013 132037 e96fce __FrameHandler3::FrameUnwindToState 132036->132037 132044 e97a83 EnterCriticalSection 132037->132044 132039 e96fdc 132045 e9703b 132039->132045 132043 e96ffa __wsopen_s 132043->132033 132044->132039 132053 ea858c 132045->132053 132051 e96fe9 132052 e97007 LeaveCriticalSection __fread_nolock 132051->132052 132052->132043 132054 ea79c9 __fread_nolock 26 API calls 132053->132054 132055 ea859b 132054->132055 132056 eb3555 __fread_nolock 26 API calls 132055->132056 132058 ea85a1 132056->132058 132057 e97050 132062 e97081 132057->132062 132058->132057 132059 ea7a29 _strftime 21 API calls 132058->132059 132060 ea8600 132059->132060 132061 ea79ef _free 20 API calls 132060->132061 132061->132057 132065 e97093 132062->132065 132068 e9706b 132062->132068 132063 e970a1 132074 e96802 20 API calls __dosmaperr 132063->132074 132065->132063 132065->132068 132071 e970cc _Yarn 132065->132071 132066 e970a6 132075 e96729 26 API 
calls __cftoe 132066->132075 132073 ea8641 315 API calls 132068->132073 132070 ea79c9 __fread_nolock 26 API calls 132070->132071 132071->132068 132071->132070 132072 ea76d2 __wsopen_s 315 API calls 132071->132072 132076 e96899 132071->132076 132072->132071 132073->132051 132074->132066 132075->132068 132077 e968b1 132076->132077 132078 e968ad 132076->132078 132077->132078 132079 ea79c9 __fread_nolock 26 API calls 132077->132079 132078->132071 132080 e968d1 132079->132080 132081 ea76d2 __wsopen_s 315 API calls 132080->132081 132081->132078 132082->132021 132084 e9690c 132083->132084 132085 e96915 132083->132085 132095 e9694f 315 API calls 4 library calls 132084->132095 132087 e96899 315 API calls 132085->132087 132088 e9691b 132087->132088 132089 ea79c9 __fread_nolock 26 API calls 132088->132089 132092 e96912 132088->132092 132090 e96935 132089->132090 132096 ea70d3 30 API calls 2 library calls 132090->132096 132094 e96a78 LeaveCriticalSection __fread_nolock 132092->132094 132093->132025 132094->132025 132095->132092 132096->132092 132098 e390e7 132097->132098 132099 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 132098->132099 132100 e38651 132099->132100 132100->131061 132103 e935c0 ListArray 132102->132103 132104 e6175f GetModuleFileNameW 132103->132104 132105 e617c0 132104->132105 132105->132105 132106 e40d30 27 API calls 132105->132106 132107 e617e2 GetFileVersionInfoSizeW 132106->132107 132112 e61817 ListArray Concurrency::details::ResourceManager::RedistributeCoresAmongAll 132107->132112 132117 e6188f Concurrency::details::_TaskCollection::_ReleaseAlias 132107->132117 132108 e618f5 Concurrency::details::_TaskCollection::_ReleaseAlias 132109 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 132108->132109 132111 e6191c 132109->132111 132110 e61923 132113 e96739 std::_Winerror_message 26 API calls 132110->132113 132111->131090 132114 e61846 GetFileVersionInfoW 132112->132114 132115 e61928 132113->132115 132116 
e61871 VerQueryValueW 132114->132116 132114->132117 132118 e61700 311 API calls 132115->132118 132116->132117 132117->132108 132117->132110 132119 e6197f 132118->132119 132120 e41ad0 39 API calls 132119->132120 132121 e619c3 132120->132121 132122 e61a19 132121->132122 132123 e619c9 132121->132123 132143 e417d0 HeapAlloc RaiseException __CxxThrowException@8 132122->132143 132126 e61ac0 311 API calls 132123->132126 132125 e61a23 132127 e61a02 132126->132127 132127->131090 132129 e61ad4 132128->132129 132130 e61b2e 132128->132130 132144 e3f110 132129->132144 132153 e417d0 HeapAlloc RaiseException __CxxThrowException@8 132130->132153 132133 e61b38 132154 e417d0 HeapAlloc RaiseException __CxxThrowException@8 132133->132154 132136 e61b42 132137 e61aff 132148 e3f0c0 132137->132148 132141 e3282a 132141->131099 132142->131096 132143->132125 132145 e3f123 ___scrt_initialize_default_local_stdio_options 132144->132145 132155 e9ae8e 132145->132155 132149 e3f0d5 ___scrt_initialize_default_local_stdio_options 132148->132149 132181 e9aeb2 132149->132181 132152 e41410 22 API calls 132152->132137 132153->132133 132154->132136 132158 e9825f 132155->132158 132159 e9829f 132158->132159 132160 e98287 132158->132160 132159->132160 132161 e982a7 132159->132161 132175 e96802 20 API calls __dosmaperr 132160->132175 132177 e9891c 315 API calls 2 library calls 132161->132177 132164 e9828c 132176 e96729 26 API calls __cftoe 132164->132176 132165 e982b7 132178 e988e7 20 API calls _free 132165->132178 132168 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 132169 e3f131 132168->132169 132169->132133 132169->132137 132169->132152 132170 e9832f 132179 e99169 315 API calls 3 library calls 132170->132179 132173 e9833a 132180 e9899f 20 API calls _free 132173->132180 132174 e98297 132174->132168 132175->132164 132176->132174 132177->132165 132178->132170 132179->132173 132180->132174 132184 e9845c 132181->132184 132183 e3f0e3 132183->132130 132183->132141 132185 e9847c 
132184->132185 132186 e98467 132184->132186 132188 e984c0 132185->132188 132191 e9848a 132185->132191 132200 e96802 20 API calls __dosmaperr 132186->132200 132204 e96802 20 API calls __dosmaperr 132188->132204 132190 e9846c 132201 e96729 26 API calls __cftoe 132190->132201 132202 e97f5e 315 API calls 3 library calls 132191->132202 132194 e98477 132194->132183 132195 e984a2 132197 e984d0 132195->132197 132203 e96802 20 API calls __dosmaperr 132195->132203 132197->132183 132199 e984b8 132205 e96729 26 API calls __cftoe 132199->132205 132200->132190 132201->132194 132202->132195 132203->132199 132204->132199 132205->132197 132206->131108 132207->131110 132208->131112 132209->131106 132210->131130 132211->131143 132213 e61a84 132212->132213 132213->132213 132214 e40d30 27 API calls 132213->132214 132215 e61a9c RpcStringFreeW 132214->132215 132216 e7b5dd __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 132215->132216 132217 e61ab4 132216->132217 132218 e614c0 132217->132218 132219 e61567 132218->132219 132222 e614e2 _Yarn BuildCatchObjectHelperInternal 132218->132222 132226 e61590 27 API calls 5 library calls 132219->132226 132221 e6157b 132221->131183 132222->131183 132226->132221 132227->131209 132231 e61055 __Cnd_init 132230->132231 132232 e61062 132231->132232 132258 e79e53 27 API calls std::_Throw_Cpp_error 132231->132258 132258->132232 133740 6cac21b3 133741 6cac21bc 133740->133741 133742 6cac21c1 133740->133742 133757 6cac21d6 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 133741->133757 133746 6cac20a8 133742->133746 133748 6cac20b4 ___scrt_is_nonwritable_in_current_image 133746->133748 133747 6cac20dd dllmain_raw 133749 6cac20f7 dllmain_crt_dispatch 133747->133749 133754 6cac20c3 133747->133754 133748->133747 133753 6cac20d8 __DllMainCRTStartup@12 133748->133753 133748->133754 133749->133753 133749->133754 133750 6cac2149 133751 6cac2152 dllmain_crt_dispatch 133750->133751 
133750->133754 133752 6cac2165 dllmain_raw 133751->133752 133751->133754 133752->133754 133753->133750 133758 6cac1f7c 122 API calls 4 library calls 133753->133758 133756 6cac213e dllmain_raw 133756->133750 133757->133742 133758->133756
                                            APIs
                                            • _strrchr.LIBCMT ref: 00E324CE
                                            • _strrchr.LIBCMT ref: 00E324E1
                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00E3261A
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00E3262A
                                            • CreateEventW.KERNEL32(0000000C,00000000,00000000,{BD1397DC-D793-4948-B24A-116ED32CB105}), ref: 00E32640
                                            • _strrchr.LIBCMT ref: 00E326EC
                                            • _strrchr.LIBCMT ref: 00E326FF
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00E3281A
                                            • _strrchr.LIBCMT ref: 00E328F9
                                            • _strrchr.LIBCMT ref: 00E3290C
                                            • _strrchr.LIBCMT ref: 00E32B40
                                            • _strrchr.LIBCMT ref: 00E32B53
                                            • _strrchr.LIBCMT ref: 00E32CFD
                                            • _strrchr.LIBCMT ref: 00E32D10
                                            • _strrchr.LIBCMT ref: 00E32EB6
                                            • _strrchr.LIBCMT ref: 00E32EC9
                                            • _strrchr.LIBCMT ref: 00E33090
                                            • _strrchr.LIBCMT ref: 00E330A3
                                            • _strrchr.LIBCMT ref: 00E3324E
                                            • _strrchr.LIBCMT ref: 00E33261
                                            • _strrchr.LIBCMT ref: 00E33412
                                            • _strrchr.LIBCMT ref: 00E33425
                                            • _strrchr.LIBCMT ref: 00E335DE
                                            • _strrchr.LIBCMT ref: 00E335F1
                                            • _strrchr.LIBCMT ref: 00E33885
                                            • _strrchr.LIBCMT ref: 00E33898
                                            • _strrchr.LIBCMT ref: 00E339FF
                                            • _strrchr.LIBCMT ref: 00E33A12
                                            • PeekMessageW.USER32(00000001,00000000,00000000,00000000,00000001), ref: 00E33AE1
                                            • TranslateMessage.USER32(00000001), ref: 00E33AEF
                                            • DispatchMessageW.USER32(00000001), ref: 00E33AF9
                                            • WaitForSingleObject.KERNEL32(?,00000001,?,00000000,?,?,?,00000064,00000001), ref: 00E33B0B
                                            • WaitForSingleObject.KERNEL32(?,00000064,?,00000000,?,?,?,00000064,00000001), ref: 00E33B1D
                                            • _strrchr.LIBCMT ref: 00E33BA4
                                            • _strrchr.LIBCMT ref: 00E33BBB
                                            • _strrchr.LIBCMT ref: 00E33C47
                                            • _strrchr.LIBCMT ref: 00E33C5A
                                            • _strrchr.LIBCMT ref: 00E33E04
                                            • _strrchr.LIBCMT ref: 00E33E17
                                              • Part of subcall function 00E6FD30: __Cnd_broadcast.LIBCPMT ref: 00E6FD86
                                              • Part of subcall function 00E6FD30: __Mtx_unlock.LIBCPMT ref: 00E6FE35
                                            • _strrchr.LIBCMT ref: 00E33F4B
                                            • _strrchr.LIBCMT ref: 00E33F5E
                                            • _strrchr.LIBCMT ref: 00E34092
                                            • _strrchr.LIBCMT ref: 00E340A5
                                            • _strrchr.LIBCMT ref: 00E341F9
                                            • _strrchr.LIBCMT ref: 00E3420C
                                              • Part of subcall function 00E61300: IsWindow.USER32(00000001), ref: 00E61306
                                              • Part of subcall function 00E61300: SetWindowLongW.USER32(00000001,000000EB,00000000), ref: 00E61317
                                              • Part of subcall function 00E61300: DestroyWindow.USER32(00000001), ref: 00E61320
                                            • _strrchr.LIBCMT ref: 00E34340
                                            • _strrchr.LIBCMT ref: 00E34353
                                            • _strrchr.LIBCMT ref: 00E34487
                                            • _strrchr.LIBCMT ref: 00E3449A
                                            • curl_global_cleanup.LIBCURL(?,00000000,?,?,?,00000064,00000001), ref: 00E34556
                                            • MoveFileExW.KERNEL32(00000000,00000000,00000004,?,00000000,?,?,?,00000064,00000001), ref: 00E34569
                                            • _strrchr.LIBCMT ref: 00E345F0
                                            • _strrchr.LIBCMT ref: 00E34603
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _strrchr$MessageWindow$DescriptorObjectSecuritySingleWait$Cnd_broadcastCreateDaclDestroyDispatchEventFileHandleInitializeLongModuleMoveMtx_unlockPeekTranslatecurl_global_cleanup
                                            • String ID: /%s %u$/%s true$CXZShellExecute UnInit$CXZShellExecute init$CXZUpdateModule Stop$CXZUpdateModule UnInit$CXZUpdateModule init$CreateEvent [{}]$InstallListenWnd$InstallSlience$Message Loop$PerformExecute Ok$PerformLoadUpdateInfo Ok$Run$Running m_hWndAsy:{}$SOFTWARE\XZDesktopCalendar$ServiceMgr Run$ServiceMgr Stop$ThreadPoolMgr Run$ThreadPoolMgr stop$Timer init$Timer stop$UnionId$UpdateInfo.bHasNewVersion:{}-UpdateInfo.UpdateType:{}$WaitForSingleObject Event is touch$XZDesktopCalendar$curl init res:{}$d$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$https://update-xztodolist.cqttech.com/api/v1/update/check$stoped${BD1397DC-D793-4948-B24A-116ED32CB105}$}
                                            • API String ID: 3533261124-1744484503
                                            • Opcode ID: 4b5f4cef8f92c929d92cec88fe93ed69bc177b2da5a872d960ee0747df1accd9
                                            • Instruction ID: 7c6a171499d13218c273a954e22896cf370b322e359f0ae22fceb48ffd6a3340
                                            • Opcode Fuzzy Hash: 4b5f4cef8f92c929d92cec88fe93ed69bc177b2da5a872d960ee0747df1accd9
                                            • Instruction Fuzzy Hash: D113C234E043089ADF14FBB4AD1ABAD7AE19F54304F4060ECF249772C2EEB55A45CB66
                                            APIs
                                            • PostMessageW.USER32(?,00000BC6,00000000,00000000), ref: 00E660E1
                                            • __Mtx_unlock.LIBCPMT ref: 00E660EF
                                            • GetModuleHandleW.KERNEL32(C:\Windows\System32\kernel32.dll), ref: 00E6611B
                                              • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                                              • Part of subcall function 00E41AD0: GetProcessHeap.KERNEL32 ref: 00E41B11
                                            • GetSystemInfo.KERNEL32(?), ref: 00E661F5
                                            • _strrchr.LIBCMT ref: 00E66400
                                            • _strrchr.LIBCMT ref: 00E66413
                                            • curl_slist_free_all.LIBCURL(?), ref: 00E668CF
                                            • _strrchr.LIBCMT ref: 00E669C8
                                            • _strrchr.LIBCMT ref: 00E669DB
                                            • __Mtx_unlock.LIBCPMT ref: 00E66DD3
                                            • _strrchr.LIBCMT ref: 00E670DA
                                            • _strrchr.LIBCMT ref: 00E670ED
                                            • _strrchr.LIBCMT ref: 00E6763D
                                            • _strrchr.LIBCMT ref: 00E67650
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E67D47
                                            • __Mtx_unlock.LIBCPMT ref: 00E67FB4
                                            • PostMessageW.USER32 ref: 00E687BB
                                            • PostMessageW.USER32(00000BC6,00000BC5,00000000,00000000), ref: 00E687D3
                                            • __Mtx_unlock.LIBCPMT ref: 00E687DE
                                            • __Mtx_unlock.LIBCPMT ref: 00E68843
                                              • Part of subcall function 00E71D60: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00E71D86
                                              • Part of subcall function 00E71D60: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00E71DD3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _strrchr$Mtx_unlock$MessagePost$ByteCharMultiWide$Cpp_errorHandleHeapInfoModuleProcessSystemThrow_curl_slist_free_allmtx_do_lockstd::_
                                            • String ID: %d.%d.%d.%d$%s?version=%s&union=%u&os=%s&arch=%d&bit_type=%d$C:\Windows\System32\kernel32.dll$CheckUpdate Res:{}-strRes:{}$CheckUpdate getstart$Parse code:{},msg:{}$Parse res fail:{}$PerformCheckUpdateSync$[$`$code$crc32$data$file_type$g:\zcsd\xzpublic\xzpublic\xzbase\update\xzupdatemodule.cpp$invalid stoul argument$lnk$md5$msg$startup_type$stoul argument out of range$update_id$update_log$update_type$updatecheck fail$version_name$version_num
                                            • API String ID: 1421301853-885562099
                                            • Opcode ID: 50feb642fa3845d7490c15688068c8d170b1eda6814d6c22128fd3c360d7b07b
                                            • Instruction ID: e860676d29ed433881b0f43b5dd30d7a5560eb39b4d2d925f21bacfec4cddb19
                                            • Opcode Fuzzy Hash: 50feb642fa3845d7490c15688068c8d170b1eda6814d6c22128fd3c360d7b07b
                                            • Instruction Fuzzy Hash: B443CE70A002089FDB24DF68DC45B9DBBF1AF45308F1491A8E449BB392DB71AE85CF91

                                            Control-flow Graph
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _strrchr
                                            • String ID: --service$/launch CrashRestart$CCInit$CCSetCallback$Cqttech\XZDesktopCalendar\crash\log$CrashCallback$XZCalendarServer$XZCalendarServer.log$crash!!!$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\main.cpp$http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat$j\hX${BD1397DC-D793-4948-B24A-116ED32CB105}
                                            • API String ID: 3213747228-810406204
                                            • Opcode ID: 34e7b1c1d966f91d1e190a029b69b9254b97d35eeb63e4d5eeb61bb779e2f94f
                                            • Instruction ID: 6884f6459ae628e79ba5e3cc96f7be572c826be5180afa5ff85f9aa800ae6f4a
                                            • Opcode Fuzzy Hash: 34e7b1c1d966f91d1e190a029b69b9254b97d35eeb63e4d5eeb61bb779e2f94f
                                            • Instruction Fuzzy Hash: 4332F570A002049FDB14DF68ED89BADBBB1EF84304F14916DE415BB392EB75EA45CB90
                                            APIs
                                              • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00E407A8
                                              • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00E407BE
                                              • Part of subcall function 00E40760: GetTempPathW.KERNEL32(00000104,?), ref: 00E407D4
                                              • Part of subcall function 00E40760: PathAppendW.SHLWAPI(?), ref: 00E407F0
                                              • Part of subcall function 00E40760: PathAddBackslashW.SHLWAPI(?), ref: 00E407FD
                                              • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E40810
                                              • Part of subcall function 00E40760: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E40820
                                              • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E4082D
                                            • _strrchr.LIBCMT ref: 00E34C19
                                            • _strrchr.LIBCMT ref: 00E34C2C
                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00E34F9D
                                            • PathFileExistsW.SHLWAPI(00000003,Name_UpdateForceID_Key,00ECDB92,?,?,00000000,0000FDE9,Name_UpdateForceFile_Key,00ECDB78,?,?,00000000,0000FDE9,Name_UpdateForceLog_Key,00ECDB5F,?), ref: 00E35257
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E353D9
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E354D1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Path$ExistsFile$FolderIos_base_dtorSpecial_strrchrstd::ios_base::_$AppendBackslashCreateDirectoryHandleModuleTemp
                                            • String ID: Cqttech\XZDesktopCalendar$Name_UpdateForceFile_Key$Name_UpdateForceFromVersion_Key$Name_UpdateForceID_Key$Name_UpdateForceLog_Key$Name_UpdateForceNewVersion_Key$Parse Config fail$PerformLoadUpdateInfo$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$update.cfg
                                            • API String ID: 4104599493-1853103233
                                            • Opcode ID: 3016a19996c30d2a8caab458d77b86709ef9cc028984b348d95b1f01b7f44aa8
                                            • Instruction ID: 6c31c1b571581e17ce1141a7f4651a34a7de61e6315c8d62b14469c4f69e4437
                                            • Opcode Fuzzy Hash: 3016a19996c30d2a8caab458d77b86709ef9cc028984b348d95b1f01b7f44aa8
                                            • Instruction Fuzzy Hash: F492AE71A002489FDB14CF68CD49BEDBBB1AF45304F1491E8E409BB392EB75AA85CF51
                                            APIs
                                              • Part of subcall function 00E75630: SetupDiGetClassDevsW.SETUPAPI(00ECF610,00000000,00000000,00000002), ref: 00E756A7
                                              • Part of subcall function 00E75630: SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00E756D7
                                              • Part of subcall function 00E75630: SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00E7570B
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000024,?,?,?,?,?,AC2C577A), ref: 00E68B61
                                            • curl_slist_append.LIBCURL(00000000,-00000010,?,?,?,?,?,AC2C577A), ref: 00E68C84
                                            • curl_slist_append.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,?,?,AC2C577A), ref: 00E68CE2
                                            • curl_slist_append.LIBCURL(?,?), ref: 00E68D31
                                              • Part of subcall function 00E417D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00E417E6
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E68E29
                                            • __Mtx_unlock.LIBCPMT ref: 00E68E8A
                                            • __Mtx_unlock.LIBCPMT ref: 00E69178
                                            • __Mtx_unlock.LIBCPMT ref: 00E68FF1
                                              • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E69868
                                            • GetWindowLongW.USER32(?,000000EB), ref: 00E69908
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlock$Setupcurl_slist_append$Device$ByteCharClassCpp_errorDevsEnumException@8InfoInstanceIos_base_dtorLongMultiThrowThrow_WideWindowmtx_do_lockstd::_std::ios_base::_
                                            • String ID: $$%c%c$X$appid: %d$id: %s
                                            • API String ID: 1896962942-1652127108
                                            • Opcode ID: d92418d0a0042e36f562899e5df5132cb13fdf4aa222c5082b07791ad2b8b7f4
                                            • Instruction ID: 2e58157f288fd9819e39589d500db1500dcb04c8aeb9b66cfa94d21539602d0d
                                            • Opcode Fuzzy Hash: d92418d0a0042e36f562899e5df5132cb13fdf4aa222c5082b07791ad2b8b7f4
                                            • Instruction Fuzzy Hash: 34A2AF71D00219DFDB14DFA8DD89BAEBBB4EF45304F1481A9E409B7292DB319A84CF91

                                            Control-flow Graph
                                            APIs
                                            • GetLocalTime.KERNEL32(?,AC2C577A,?,00000001), ref: 00E4BEB7
                                            • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4BFAF
                                            • FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4BFE0
                                            • DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 00E4C205
                                            • FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E4C258
                                            • __Mtx_destroy_in_situ.LIBCPMT ref: 00E4C314
                                            • __Mtx_destroy_in_situ.LIBCPMT ref: 00E4C3A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: File$Find$Mtx_destroy_in_situNext$DeleteFirstLocalTime
                                            • String ID: %s\%s$%s_%d-%02d-%02d.log$L$\*.*
                                            • API String ID: 1207274154-3549012632
                                            • Opcode ID: 05f7a609148b038957f8a9dd070f64ffc91908cbf349d8eb742bd4ac78991b1e
                                            • Instruction ID: 2795f2c31cde676c3d81998f44a348fe1b71f76cdd726664308c267bd0ab058a
                                            • Opcode Fuzzy Hash: 05f7a609148b038957f8a9dd070f64ffc91908cbf349d8eb742bd4ac78991b1e
                                            • Instruction Fuzzy Hash: 8FE12671A002189BDB24DF64DC85BEEB7A9EF04304F1451E9E90AB7292D771AB88CF54

                                            Control-flow Graph
                                            APIs
                                            • _free.LIBCMT ref: 00EAC481
                                            • _free.LIBCMT ref: 00EAC4A5
                                            • _free.LIBCMT ref: 00EAC62C
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                                            • _free.LIBCMT ref: 00EAC7F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                            • API String ID: 314583886-239921721
                                            • Opcode ID: c835f1c2863108a0da4c06ac36e9bec848d2c73d1f650dd0cca6e7781cf37113
                                            • Instruction ID: 6cee93c19260b067986e43a35eb8433f076c6cc6033b6609a2e683fab353527a
                                            • Opcode Fuzzy Hash: c835f1c2863108a0da4c06ac36e9bec848d2c73d1f650dd0cca6e7781cf37113
                                            • Instruction Fuzzy Hash: 8DC11672D002459FCB209F799C81AAA7BE8AF4B354F3461AAF495BF291D730BD41CB50

                                            Control-flow Graph
                                            APIs
                                            • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,#{ad498944-762f-11d0-8dcb-00c04fc3358c},?,?,00000000,00000000), ref: 00E76617
                                            • DeviceIoControl.KERNEL32(00000000,00170002,?,00000004,?,00000008,?,00000000), ref: 00E76660
                                            • DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,?,00000008,00000000,00000000), ref: 00E766BB
                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00E76706
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ControlDevice$CloseCreateFileHandle
                                            • String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$\W$\\.\
                                            • API String ID: 1375849437-1674818372
                                            • Opcode ID: 7ef8651e79c14ba60fa80b92382cfe79fc22e391d27b385e604f9e727008e4e3
                                            • Instruction ID: 45b5fb8ad0933f9dd083fc44a447e9496602508e32e89c3bd8c4be5c192c49e7
                                            • Opcode Fuzzy Hash: 7ef8651e79c14ba60fa80b92382cfe79fc22e391d27b385e604f9e727008e4e3
                                            • Instruction Fuzzy Hash: 8E51EB75A4021CAFDB24DB14CC86BEA73B8EF54708F4051AAE909F7190EB749E498BD4
                                            APIs
                                            • CryptAcquireContextW.ADVAPI32 ref: 6C96028A
                                            • CryptCreateHash.ADVAPI32 ref: 6C960328
                                              • Part of subcall function 6CAC2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C956633,?,?,?,6C9564E8,?), ref: 6CAC2362
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Crypt$AcquireContextCreateExceptionHashRaise
                                            • String ID:
                                            • API String ID: 333276693-0
                                            • Opcode ID: c78c62a0c1967dcf85b8a552117eb063d57fab3fd4b575752f24c7a5524ee5a0
                                            • Instruction ID: 0ec147118193d110c1b6920e927d698c84f7f94b014fa2066df66d24183278a4
                                            • Opcode Fuzzy Hash: c78c62a0c1967dcf85b8a552117eb063d57fab3fd4b575752f24c7a5524ee5a0
                                            • Instruction Fuzzy Hash: 1A324EB4A003548FDB14DF69D9957DDBBB0BF59304F0181A9D809ABB90DB30EA48CF92
                                            APIs
                                              • Part of subcall function 6C95FF50: CryptStringToBinaryA.CRYPT32 ref: 6C95FFD0
                                              • Part of subcall function 6C95FF50: CryptStringToBinaryA.CRYPT32 ref: 6C960077
                                            • CryptAcquireContextW.ADVAPI32 ref: 6C961589
                                            • CryptImportKey.ADVAPI32 ref: 6C961657
                                            • CryptSetKeyParam.ADVAPI32 ref: 6C9616E2
                                            • CryptSetKeyParam.ADVAPI32 ref: 6C961789
                                              • Part of subcall function 6CAC2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C956633,?,?,?,6C9564E8,?), ref: 6CAC2362
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Crypt$BinaryParamString$AcquireContextExceptionImportRaise
                                            • String ID:
                                            • API String ID: 2873263705-0
                                            • Opcode ID: 754a7f1f79b4398609afcce882fb47ccda183ad879a7c64e4396c8007c5b6417
                                            • Instruction ID: e1a2f1dba88974ac68d6f0e032488c401e82f5ce0f92c89d85648610ad16687b
                                            • Opcode Fuzzy Hash: 754a7f1f79b4398609afcce882fb47ccda183ad879a7c64e4396c8007c5b6417
                                            • Instruction Fuzzy Hash: 3E123BB0A042488FDB14DF69D9957DDBBF0BF59304F0084A9D449A7B90DB34EA88CF92

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C99E8FC
                                              • Part of subcall function 6C983F98: __EH_prolog3.LIBCMT ref: 6C983F9F
                                              • Part of subcall function 6C983F98: GetWindowDC.USER32(00000000,00000004,6C99E53A,00000000), ref: 6C983FCB
                                            • GetDeviceCaps.GDI32(?,00000058), ref: 6C99E91C
                                            • DeleteObject.GDI32(00000000), ref: 6C99E978
                                            • DeleteObject.GDI32(00000000), ref: 6C99E996
                                            • DeleteObject.GDI32(00000000), ref: 6C99E9B4
                                            • DeleteObject.GDI32(00000000), ref: 6C99E9D2
                                            • DeleteObject.GDI32(00000000), ref: 6C99E9F0
                                            • DeleteObject.GDI32(00000000), ref: 6C99EA0E
                                            • DeleteObject.GDI32(00000000), ref: 6C99EA2C
                                            • DeleteObject.GDI32(00000000), ref: 6C99EA4A
                                            • DeleteObject.GDI32(00000000), ref: 6C99EA68
                                            • DeleteObject.GDI32(00000000), ref: 6C99EA86
                                            • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C99EABE
                                            • lstrcpyW.KERNEL32(?,?), ref: 6C99EB13
                                            • EnumFontFamiliesW.GDI32(?,00000000,6C99F59F,Segoe UI), ref: 6C99EB3A
                                            • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C99EB4D
                                            • EnumFontFamiliesW.GDI32(?,00000000,6C99F59F,Tahoma), ref: 6C99EB6B
                                            • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C99EB85
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EB8F
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EBD7
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EC16
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EC42
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EC63
                                            • GetSystemMetrics.USER32(00000048), ref: 6C99EC82
                                            • lstrcpyW.KERNEL32(?,Marlett), ref: 6C99EC95
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99EC9F
                                            • GetStockObject.GDI32(00000011), ref: 6C99ECCB
                                            • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C99ECE6
                                            • lstrcpyW.KERNEL32(?,Arial), ref: 6C99ED27
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99ED31
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99ED4A
                                            • GetObjectW.GDI32(?,0000005C,?), ref: 6C99ED68
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99ED76
                                            • CreateFontIndirectW.GDI32(?), ref: 6C99ED97
                                              • Part of subcall function 6C99F3E4: __EH_prolog3_GS.LIBCMT ref: 6C99F3EB
                                              • Part of subcall function 6C99F3E4: GetTextMetricsW.GDI32(?,?), ref: 6C99F420
                                              • Part of subcall function 6C99F3E4: GetTextMetricsW.GDI32(?,?), ref: 6C99F460
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                                            • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
                                            • API String ID: 2837096512-1395034203
                                            • Opcode ID: 9f2123f85f584eff8d73d4fe0fe5a4a775a1f405f2ef8658801b2b15c5f7f71e
                                            • Instruction ID: cccc176e5eed2cc6735e7b2574571fc69cee8e021ab9cc2b3a879da71eec8d73
                                            • Opcode Fuzzy Hash: 9f2123f85f584eff8d73d4fe0fe5a4a775a1f405f2ef8658801b2b15c5f7f71e
                                            • Instruction Fuzzy Hash: 8CE17B70A013599FDF21DFB0C848BDEB7BCBF16308F148569A55AA7680EB74E548CB50

                                            Control-flow Graph

                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C99E4DB
                                            • GetSysColor.USER32(00000016), ref: 6C99E4E4
                                            • GetSysColor.USER32(0000000F), ref: 6C99E4F7
                                            • GetSysColor.USER32(00000015), ref: 6C99E50E
                                            • GetSysColor.USER32(0000000F), ref: 6C99E51A
                                            • GetDeviceCaps.GDI32(?,0000000C), ref: 6C99E542
                                            • GetSysColor.USER32(0000000F), ref: 6C99E550
                                            • GetSysColor.USER32(00000010), ref: 6C99E55E
                                            • GetSysColor.USER32(00000015), ref: 6C99E56C
                                            • GetSysColor.USER32(00000016), ref: 6C99E57A
                                            • GetSysColor.USER32(00000014), ref: 6C99E588
                                            • GetSysColor.USER32(00000012), ref: 6C99E596
                                            • GetSysColor.USER32(00000011), ref: 6C99E5A4
                                            • GetSysColor.USER32(00000006), ref: 6C99E5AF
                                            • GetSysColor.USER32(0000000D), ref: 6C99E5BA
                                            • GetSysColor.USER32(0000000E), ref: 6C99E5C5
                                            • GetSysColor.USER32(00000005), ref: 6C99E5D0
                                            • GetSysColor.USER32(00000008), ref: 6C99E5DE
                                            • GetSysColor.USER32(00000009), ref: 6C99E5E9
                                            • GetSysColor.USER32(00000007), ref: 6C99E5F4
                                            • GetSysColor.USER32(00000002), ref: 6C99E5FF
                                            • GetSysColor.USER32(00000003), ref: 6C99E60A
                                            • GetSysColor.USER32(0000001B), ref: 6C99E618
                                            • GetSysColor.USER32(0000001C), ref: 6C99E626
                                            • GetSysColor.USER32(0000000A), ref: 6C99E634
                                            • GetSysColor.USER32(0000000B), ref: 6C99E642
                                            • GetSysColor.USER32(00000013), ref: 6C99E650
                                            • GetSysColor.USER32(0000001A), ref: 6C99E679
                                            • GetSysColorBrush.USER32(00000010), ref: 6C99E68A
                                            • GetSysColorBrush.USER32(00000014), ref: 6C99E69D
                                            • GetSysColorBrush.USER32(00000005), ref: 6C99E6B0
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E6D1
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E6EF
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E70D
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E72E
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E74C
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E76A
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E788
                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C99E7AE
                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C99E7D2
                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C99E7F6
                                            • CreateSolidBrush.GDI32(?), ref: 6C99E874
                                            • CreatePatternBrush.GDI32(00000000), ref: 6C99E8B2
                                              • Part of subcall function 6C9832BA: DeleteObject.GDI32(00000000), ref: 6C9832C9
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                                            • String ID:
                                            • API String ID: 3754413814-0
                                            • Opcode ID: c9a2756a80cca943b300067cbf6cc4a0523ac82d61088c802fdb77c4cc5113c1
                                            • Instruction ID: 04e311fc871cdc24c5bb38ee39c2420d299d9e934b3049c734ca0d731a678e2f
                                            • Opcode Fuzzy Hash: c9a2756a80cca943b300067cbf6cc4a0523ac82d61088c802fdb77c4cc5113c1
                                            • Instruction Fuzzy Hash: 9BC1A270B00B52AFDB05AFB8880879DBB74BF1A706F444619E619D7A80DF74E528DBD0

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00E77280: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?), ref: 00E772B7
                                              • Part of subcall function 00E77280: GetProcAddress.KERNEL32(00000000), ref: 00E772BE
                                              • Part of subcall function 00E77280: GetCurrentProcess.KERNEL32(00E7771E), ref: 00E772CE
                                              • Part of subcall function 00E77280: LoadLibraryW.KERNEL32(ntdll.dll,?), ref: 00E77304
                                              • Part of subcall function 00E77280: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00E7731A
                                              • Part of subcall function 00E77280: FreeLibrary.KERNEL32(00000000), ref: 00E77338
                                            • GetProcAddress.KERNEL32(00000000), ref: 00E77740
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E76B13,00000003), ref: 00E7774D
                                            • LoadLibraryA.KERNEL32(?,?,ntdll.dll), ref: 00E777D2
                                            • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00E777E8
                                            • GetProcAddress.KERNEL32(00000000,ZwMapViewOfSection), ref: 00E777F4
                                            • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00E77800
                                            • GetProcAddress.KERNEL32(00000000,ZwClose), ref: 00E7780C
                                            • GetProcAddress.KERNEL32(00000000), ref: 00E778E9
                                            • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00E77953
                                            • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00E7796F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AddressProc$Library$CurrentFirmwareLoadProcessSystemTable$FreeHandleModule
                                            • String ID: ,$@$GetSystemFirmwareTable$IsWow64Process$ZwClose$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$kernel32$kernel32.dll$ntdll.dll
                                            • API String ID: 461479394-3246421382
                                            • Opcode ID: 210324b9f40cc9b23c4eecdd3cc1db714426351e1a506c115c9466eb56e52384
                                            • Instruction ID: 33e1eab93cd86911cda364c821580e143181663b84b61573c6278eb1f6e7b09c
                                            • Opcode Fuzzy Hash: 210324b9f40cc9b23c4eecdd3cc1db714426351e1a506c115c9466eb56e52384
                                            • Instruction Fuzzy Hash: 36819E71608341AFD710DFA4CC45B5BBBE8EF84304F00992EFA99A7291DB71D909CB92
                                            APIs
                                            • curl_easy_init.LIBCURL(AC2C577A,00000000,?), ref: 00E73350
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000029,00000001,00000000,?), ref: 00E74A0E
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000040,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A1E
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000051,00000000,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A25
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D5,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A32
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D6,00000078,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A3C
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,000000D7,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A46
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000063,00000001,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A4D
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000000D,00000708,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A57
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000004E,0000003C,?,?,?,00000000,00ECD748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00E74A5E
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00E74A6E
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,0000002B,00000000), ref: 00E74A75
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00000034,00000001), ref: 00E74A7C
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00002749), ref: 00E74A85
                                              • Part of subcall function 00E749F0: curl_easy_setopt.LIBCURL(00ECE204,00004E58,00E75270), ref: 00E74A92
                                            • _strrchr.LIBCMT ref: 00E73405
                                            • _strrchr.LIBCMT ref: 00E73418
                                            • curl_easy_setopt.LIBCURL(?,00002712,00000000,?,00000000,?,?), ref: 00E737B8
                                            • curl_easy_setopt.LIBCURL(?,00004E2B,00E74E10), ref: 00E737C9
                                            • curl_easy_setopt.LIBCURL(?,00002711), ref: 00E737D6
                                            • curl_easy_setopt.LIBCURL(?,00002727,?), ref: 00E737EA
                                            • curl_easy_perform.LIBCURL ref: 00E737F1
                                            • _strrchr.LIBCMT ref: 00E738AE
                                            • _strrchr.LIBCMT ref: 00E738C1
                                            • curl_easy_cleanup.LIBCURL(?), ref: 00E73B90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: curl_easy_setopt$_strrchr$curl_easy_cleanupcurl_easy_initcurl_easy_perform
                                            • String ID: Get$curl init failed$curl_easy_perform failed,{}$g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp
                                            • API String ID: 3504152425-2287032363
                                            • Opcode ID: 015325e5bba4d0228ae9bcb22390fda619245f10de850676d9f73ca54d9fa5a1
                                            • Instruction ID: 1a533045afbd9c89e45d10d50aafdc516e9ebcd4ffebdecbaa7b33ca6f35e5f3
                                            • Opcode Fuzzy Hash: 015325e5bba4d0228ae9bcb22390fda619245f10de850676d9f73ca54d9fa5a1
                                            • Instruction Fuzzy Hash: E862CF30A002059FDB14DFB8C889B9EBBF1AF84304F14916CE519BB392E775AE45DB91

                                             Control-flow Graph of the function starting at eb55b6 (graph image omitted)
                                            APIs
                                              • Part of subcall function 00EB5284: CreateFileW.KERNEL32(00000000,?,?,_V,?,?,00000000,?,00EB565F,00000000,0000000C), ref: 00EB52A1
                                            • GetLastError.KERNEL32 ref: 00EB56CA
                                            • __dosmaperr.LIBCMT ref: 00EB56D1
                                            • GetFileType.KERNEL32(00000000), ref: 00EB56DD
                                            • GetLastError.KERNEL32 ref: 00EB56E7
                                            • __dosmaperr.LIBCMT ref: 00EB56F0
                                            • CloseHandle.KERNEL32(00000000), ref: 00EB5710
                                            • CloseHandle.KERNEL32(?), ref: 00EB585A
                                            • GetLastError.KERNEL32 ref: 00EB588C
                                            • __dosmaperr.LIBCMT ref: 00EB5893
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                            • String ID: H
                                            • API String ID: 4237864984-2852464175
                                            • Opcode ID: fd4953e4aaa021f1cc9901a246d649232f82118e177f5a9b7456a57e611d8472
                                            • Instruction ID: b0f82aad6c82d8d0cd715949f2a2a0dddd792a6838b233f77246508bb6a258c7
                                            • Opcode Fuzzy Hash: fd4953e4aaa021f1cc9901a246d649232f82118e177f5a9b7456a57e611d8472
                                            • Instruction Fuzzy Hash: 51A12433A005588FDF19AF68D8917EE7BE1AB06328F14115AF811BF2A1DA319C16CB51

                                             Control-flow Graph of the function starting at e75630 (graph image omitted)
                                            APIs
                                            • SetupDiGetClassDevsW.SETUPAPI(00ECF610,00000000,00000000,00000002), ref: 00E756A7
                                            • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00E756D7
                                            • SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00E7570B
                                            • SetupDiEnumDeviceInfo.SETUPAPI(?,00000001,0000001C), ref: 00E757F9
                                            • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00E7580D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Setup$Device$Info$Enum$ClassDestroyDevsInstanceList
                                            • String ID: "$0]$PCI${1A3E09BE-1E45-494B-9174-D7385B45BBF5}
                                            • API String ID: 2459852064-3227047338
                                            • Opcode ID: 8808a3662db4b79ee1dc6381584f6c4342077794a7ff8bf195255329a6357115
                                            • Instruction ID: 9ecc20c8ed5d70593f20890e5e4c1aec3f8b65209a69f3f41cbc6c2026ec5ee4
                                            • Opcode Fuzzy Hash: 8808a3662db4b79ee1dc6381584f6c4342077794a7ff8bf195255329a6357115
                                            • Instruction Fuzzy Hash: 3C72CCB19006588ADB28CF24CC94BEEBBB5AF45308F5092D9E50DB7282D7755BC8CF54

                                             Control-flow Graph of the function starting at e652d0 (graph image omitted)
                                            APIs
                                            • IsWindow.USER32(?), ref: 00E6531D
                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 00E65330
                                              • Part of subcall function 00E72AD0: _strrchr.LIBCMT ref: 00E72BAD
                                              • Part of subcall function 00E72AD0: _strrchr.LIBCMT ref: 00E72BC0
                                            • lstrcpynW.KERNEL32(?,00000003,00000103), ref: 00E65360
                                            • PathAddBackslashW.SHLWAPI(?), ref: 00E6536D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window_strrchr$BackslashLongPathlstrcpyn
                                            • String ID: CXZUpdateModule
                                            • API String ID: 1126664090-2850203272
                                            • Opcode ID: 3a06533d057bd7a87d883b0bed54b90d9548a3d481996416b56e27419bd3de8a
                                            • Instruction ID: eaf466c8f50f0d6181199976ec8bcf18c78d203020b9626bb25d477fd9a421bf
                                            • Opcode Fuzzy Hash: 3a06533d057bd7a87d883b0bed54b90d9548a3d481996416b56e27419bd3de8a
                                            • Instruction Fuzzy Hash: 50F1AF31A056059FDB24DF28DC88B9AB7B1FF45314F1482DDE45AAB2A1DB31AE84CF50

                                             Control-flow Graph of the function starting at 6c9a53fd (graph image omitted)
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C951B28,?,6C994930,6C951B28,6C9894A5,6C951B28,6C993DF0), ref: 6C9A540E
                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,6C951B28,?,6C994930,6C951B28,6C9894A5,6C951B28,6C993DF0), ref: 6C9A5480
                                            • GlobalHandle.KERNEL32(?), ref: 6C9A548A
                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C9A549C
                                            • GlobalReAlloc.KERNEL32(?,00000000), ref: 6C9A54B7
                                            • GlobalLock.KERNEL32(00000000), ref: 6C9A54C2
                                            • LeaveCriticalSection.KERNEL32(?), ref: 6C9A550F
                                            • GlobalHandle.KERNEL32(?), ref: 6C9A5523
                                            • GlobalLock.KERNEL32(00000000), ref: 6C9A552E
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,6C951B28,?,6C994930,6C951B28,6C9894A5,6C951B28,6C993DF0,B073DD17), ref: 6C9A553D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                            • String ID:
                                            • API String ID: 2667261700-0
                                            • Opcode ID: c9de516c0ac49bce0d4ea132f178b7aa595f6e03020827def6ec5a87c538d2a3
                                            • Instruction ID: 0b357e4963958665f012bfd34d37991a14215d1d2174ddbb5277515a6db4ba0b
                                            • Opcode Fuzzy Hash: c9de516c0ac49bce0d4ea132f178b7aa595f6e03020827def6ec5a87c538d2a3
                                            • Instruction Fuzzy Hash: 3D418C71700A25AFDB14DFE8C888B99BBF9FF11355F108269E815D7A40DB30E946CB90

                                             Control-flow Graph of the function starting at 6cae8e1e (graph image omitted)
                                            APIs
                                              • Part of subcall function 6CAE9223: CreateFileW.KERNEL32(6C96A8D0,00000000,?,6CAE8EC7,?,?,00000000,?,6CAE8EC7,6C96A8D0,0000000C), ref: 6CAE9240
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAE8F32
                                            • __dosmaperr.LIBCMT ref: 6CAE8F39
                                            • GetFileType.KERNEL32(00000000), ref: 6CAE8F45
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAE8F4F
                                            • __dosmaperr.LIBCMT ref: 6CAE8F58
                                            • CloseHandle.KERNEL32(00000000), ref: 6CAE8F78
                                            • CloseHandle.KERNEL32(6CADFF1C), ref: 6CAE90C5
                                            • GetLastError.KERNEL32 ref: 6CAE90F7
                                            • __dosmaperr.LIBCMT ref: 6CAE90FE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                            • String ID:
                                            • API String ID: 4237864984-0
                                            • Opcode ID: 7b11bd0e6cce38bc844c83b635e0ca9bb9f1fac2cdc5ba06d3d7f6824fea7db1
                                            • Instruction ID: 5e2e95c2e0d7b2950c94d06addc152ca739a58af7313f3aabef599aae50756f3
                                            • Opcode Fuzzy Hash: 7b11bd0e6cce38bc844c83b635e0ca9bb9f1fac2cdc5ba06d3d7f6824fea7db1
                                            • Instruction Fuzzy Hash: 88A13931B042549FCF099F7CD951BED3BB1AB0B328F18025AE811AB391D735C89ADB91

                                            control_flow_graph 4277 e6cef0-e6cf34 call e7a660 4280 e6cf36-e6cf3c call e79e53 4277->4280 4281 e6cf3f-e6cf50 call e7a2cc 4277->4281 4280->4281 4286 e6cf52-e6cf58 call e79e53 4281->4286 4287 e6cf5b-e6cf68 call e7a685 4281->4287 4286->4287 4292 e6cf73-e6cf99 CoInitialize OleInitialize GetTickCount 4287->4292 4293 e6cf6a-e6cf70 call e79e53 4287->4293 4295 e6cfb5-e6cfe1 CoUninitialize OleUninitialize call e7b175 call e7bb3f 4292->4295 4296 e6cf9b 4292->4296 4293->4292 4298 e6cfa1-e6cfb3 call e6be20 Sleep 4296->4298 4298->4295
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Cnd_signal.LIBCPMT ref: 00E6CF46
                                            • __Mtx_unlock.LIBCPMT ref: 00E6CF5E
                                            • CoInitialize.OLE32(00000000), ref: 00E6CF75
                                            • OleInitialize.OLE32(00000000), ref: 00E6CF7D
                                            • GetTickCount.KERNEL32 ref: 00E6CF83
                                            • Sleep.KERNEL32(00000001), ref: 00E6CFA8
                                            • CoUninitialize.OLE32 ref: 00E6CFB5
                                            • OleUninitialize.OLE32 ref: 00E6CFBB
                                            • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00E6CFC1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: InitializeUninitialize$Cnd_do_broadcast_at_thread_exitCnd_signalCountMtx_unlockSleepTickmtx_do_lock
                                            • String ID:
                                            • API String ID: 2787760673-0
                                            • Opcode ID: 995ed34762e0b1c413367891ba9db9ef148a8980db25eb230a597ec47f52471d
                                            • Instruction ID: 5c74f1781cadc449e0379c2c3acc13cf085c0786b7e8b0d311f95ce59dc56157
                                            • Opcode Fuzzy Hash: 995ed34762e0b1c413367891ba9db9ef148a8980db25eb230a597ec47f52471d
                                            • Instruction Fuzzy Hash: B621B2B1A00200AFD301AF65EC06B1ABBE5FF04314F189579F949B73A2DB72E854CA91

                                            control_flow_graph 4305 eac5d4-eac5fc call eac03e call eac09c 4310 eac602-eac60e call eac044 4305->4310 4311 eac724-eac780 call e96756 call eb4d71 4305->4311 4310->4311 4316 eac614-eac620 call eac070 4310->4316 4323 eac78a-eac78d 4311->4323 4324 eac782-eac788 4311->4324 4316->4311 4322 eac626-eac647 call ea79ef GetTimeZoneInformation 4316->4322 4333 eac64d-eac66e 4322->4333 4334 eac700-eac723 call eac038 call eac02c call eac032 4322->4334 4325 eac78f-eac79f call ea7a29 4323->4325 4326 eac7d0-eac7e2 4323->4326 4324->4326 4343 eac7a9-eac7c2 call eb4d71 4325->4343 4344 eac7a1 4325->4344 4329 eac7f2 4326->4329 4330 eac7e4-eac7e7 4326->4330 4336 eac7f7-eac80e call ea79ef call e7b5dd 4329->4336 4337 eac7f2 call eac5d4 4329->4337 4330->4329 4332 eac7e9-eac7f0 call eac3ff 4330->4332 4332->4336 4339 eac678-eac67f 4333->4339 4340 eac670-eac675 4333->4340 4337->4336 4347 eac681-eac688 4339->4347 4348 eac697-eac69a 4339->4348 4340->4339 4362 eac7c7-eac7cd call ea79ef 4343->4362 4363 eac7c4-eac7c5 4343->4363 4350 eac7a2-eac7a7 call ea79ef 4344->4350 4347->4348 4353 eac68a-eac695 4347->4353 4354 eac69d-eac6be call e9c636 WideCharToMultiByte 4348->4354 4367 eac7cf 4350->4367 4353->4354 4370 eac6cc-eac6ce 4354->4370 4371 eac6c0-eac6c3 4354->4371 4362->4367 4363->4350 4367->4326 4373 eac6d0-eac6ec WideCharToMultiByte 4370->4373 4371->4370 4372 eac6c5-eac6ca 4371->4372 4372->4373 4374 eac6fb-eac6fe 4373->4374 4375 eac6ee-eac6f1 4373->4375 4374->4334 4375->4374 4376 eac6f3-eac6f9 4375->4376 4376->4334
                                            APIs
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                                            • _free.LIBCMT ref: 00EAC62C
                                              • Part of subcall function 00EA79EF: HeapFree.KERNEL32(00000000,00000000,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?), ref: 00EA7A05
                                              • Part of subcall function 00EA79EF: GetLastError.KERNEL32(?,?,00EB108E,?,00000000,?,00000000,?,00EB1332,?,00000007,?,?,00EB1726,?,?), ref: 00EA7A17
                                            • _free.LIBCMT ref: 00EAC7F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                            • API String ID: 1286116820-239921721
                                            • Opcode ID: 22e386314eddbb6f63e9b8737f06e957d44bc78664417f30e4d37e7f5dfb8f0c
                                            • Instruction ID: 7b6d74665cfac682fcb2e764faa9141fb239007db7381e6968f64ea1ecf3b571
                                            • Opcode Fuzzy Hash: 22e386314eddbb6f63e9b8737f06e957d44bc78664417f30e4d37e7f5dfb8f0c
                                            • Instruction Fuzzy Hash: 9951D672900219EFCB10EF759CC19AA77F8EF4A754F20226AF455BF191EB30AD458B50

                                            control_flow_graph 4411 e40760-e407b0 call e935c0 SHGetSpecialFolderPathW 4414 e407b2-e407c6 SHGetSpecialFolderPathW 4411->4414 4415 e407da-e407de 4411->4415 4414->4415 4416 e407c8-e407d4 GetTempPathW 4414->4416 4417 e407f6-e40814 PathAddBackslashW PathFileExistsW 4415->4417 4418 e407e0-e407e4 4415->4418 4416->4415 4421 e40826-e4084b PathFileExistsW 4417->4421 4422 e40816-e40820 SHCreateDirectoryExW 4417->4422 4419 e407e6 4418->4419 4420 e407e8-e407f0 PathAppendW 4418->4420 4419->4420 4420->4417 4423 e40850-e40859 4421->4423 4422->4421 4423->4423 4424 e4085b-e4087f call e40d30 call e7b5dd 4423->4424
                                            APIs
                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00E407A8
                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00E407BE
                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00E407D4
                                            • PathAppendW.SHLWAPI(?), ref: 00E407F0
                                            • PathAddBackslashW.SHLWAPI(?), ref: 00E407FD
                                            • PathFileExistsW.SHLWAPI(?), ref: 00E40810
                                            • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E40820
                                            • PathFileExistsW.SHLWAPI(?), ref: 00E4082D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Path$ExistsFileFolderSpecial$AppendBackslashCreateDirectoryTemp
                                            • String ID:
                                            • API String ID: 3243460205-0
                                            • Opcode ID: 9c6a80c64676fb6999b7ece60ff21b77c5f32624c5937c7bfac7558abe0461f6
                                            • Instruction ID: d3dcf1762f012f25ed92a6ed7d92309449886369c1d7cb763b7d09e9ea733f46
                                            • Opcode Fuzzy Hash: 9c6a80c64676fb6999b7ece60ff21b77c5f32624c5937c7bfac7558abe0461f6
                                            • Instruction Fuzzy Hash: 1231807194021CAFDB20DF60DC89BEA77BCFB54704F0405AAE909E6140D770AA88CFA1
                                            APIs
                                              • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                              • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                              • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                                            • __Mtx_unlock.LIBCPMT ref: 00E6F9B8
                                              • Part of subcall function 00E97BA1: _abort.LIBCMT ref: 00E97BD7
                                            • CoInitialize.OLE32(00000000), ref: 00E6FA8F
                                            • OleInitialize.OLE32(00000000), ref: 00E6FA97
                                            • __Mtx_unlock.LIBCPMT ref: 00E6FAF2
                                            • __Mtx_unlock.LIBCPMT ref: 00E6FB62
                                            • __Mtx_unlock.LIBCPMT ref: 00E6FC08
                                              • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                                            • __Mtx_unlock.LIBCPMT ref: 00E6FCAC
                                            • OleUninitialize.OLE32 ref: 00E6FCFC
                                            • CoUninitialize.OLE32 ref: 00E6FD02
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlock$InitializeUninitialize$Cnd_initCpp_errorMtx_initThrd_startThrow__abortmtx_do_lockstd::_
                                            • String ID:
                                            • API String ID: 4031439783-0
                                            • Opcode ID: bec940f850d21dd7655df1be6c4294c099e5ad23e8ef229580f1fa82cabf679d
                                            • Instruction ID: 25007c884d419c2e34ca1f902a95a3ba2515e84c8d1c00807dcd126bc1240b12
                                            • Opcode Fuzzy Hash: bec940f850d21dd7655df1be6c4294c099e5ad23e8ef229580f1fa82cabf679d
                                            • Instruction Fuzzy Hash: A3D1A2B1D00248DFDB00DFA8E945B9EBBF4AF05354F189169E819B7382E731E904CBA1
                                            APIs
                                            • PostMessageW.USER32 ref: 00E687BB
                                            • PostMessageW.USER32(00000BC6,00000BC5,00000000,00000000), ref: 00E687D3
                                            • __Mtx_unlock.LIBCPMT ref: 00E687DE
                                            • __Mtx_unlock.LIBCPMT ref: 00E68843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageMtx_unlockPost
                                            • String ID: ($[
                                            • API String ID: 545632012-3293489040
                                            • Opcode ID: 1b22517fd2f3dd7b0c1f83f3de75818c13480c22e70239576be561e46d597c0c
                                            • Instruction ID: 7cd14299e0521bbc4d0bda67b8e46fb785a3d6ecd8bfdaf6fed1e72bca9dd589
                                            • Opcode Fuzzy Hash: 1b22517fd2f3dd7b0c1f83f3de75818c13480c22e70239576be561e46d597c0c
                                            • Instruction Fuzzy Hash: 6151A370A01604CBEB10DB68DD45B8EB7F0AF44359F18C2A9E809B7392DB35AE44CF91
                                            APIs
                                            • PostMessageW.USER32 ref: 00E687BB
                                            • PostMessageW.USER32(00000BC6,00000BC5,00000000,00000000), ref: 00E687D3
                                            • __Mtx_unlock.LIBCPMT ref: 00E687DE
                                            • __Mtx_unlock.LIBCPMT ref: 00E68843
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageMtx_unlockPost
                                            • String ID: ($[
                                            • API String ID: 545632012-3293489040
                                            • Opcode ID: a0ba7807803e1be53d90784c44034c8f0bd4ace1873aee832bba189eb8b75d30
                                            • Instruction ID: 2869f7356377da05b5c808e7dbd908e7702839a3a6825fad413055cf21ed5d78
                                            • Opcode Fuzzy Hash: a0ba7807803e1be53d90784c44034c8f0bd4ace1873aee832bba189eb8b75d30
                                            • Instruction Fuzzy Hash: 8351B370A01604DBEB10DB68DD45B8EB7F0AF44359F18C2A9E809B7392DB35AE44CF91
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00E6DD82
                                            • OleInitialize.OLE32(00000000), ref: 00E6DD8A
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E6DDB7
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 00E6DE17
                                            • __Mtx_unlock.LIBCPMT ref: 00E6DE63
                                            • CoUninitialize.OLE32(?,?,?,?,?,?,?,00EBCB48,000000FF), ref: 00E6DE78
                                            • OleUninitialize.OLE32(?,?,?,?,?,?,?,00EBCB48,000000FF), ref: 00E6DE7E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: InitializeMtx_unlockUninitialize$ObjectSingleWaitmtx_do_lock
                                            • String ID:
                                            • API String ID: 546947117-0
                                            • Opcode ID: 7f6956078e6bba7fbdfbebe14a4f7b77747209d76c3e2095046b879e0f0ed6d4
                                            • Instruction ID: 10a7052a62b5110b1ff4689e387e5afb6ba5d27f3c65e7d0d9daa67f60c4d6c5
                                            • Opcode Fuzzy Hash: 7f6956078e6bba7fbdfbebe14a4f7b77747209d76c3e2095046b879e0f0ed6d4
                                            • Instruction Fuzzy Hash: 6D31CAB1D44205AFDB00AFA4DD06B9EB7E8EF14314F589335E819732D2EB31A558C7A2
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • PostMessageW.USER32(?,00000BC6,00000000,00000000), ref: 00E660E1
                                            • __Mtx_unlock.LIBCPMT ref: 00E660EF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageMtx_unlockPostmtx_do_lock
                                            • String ID: C:\Windows\System32\kernel32.dll$invalid stoul argument$stoul argument out of range
                                            • API String ID: 3577143850-474098362
                                            • Opcode ID: df6306176638604051c787f0d25cdf013b853f0d86d62c06bb992a6e91472d12
                                            • Instruction ID: b1c463b3715d922598031917f9e26cad36dcff4922eedde28fd77039d86eb198
                                            • Opcode Fuzzy Hash: df6306176638604051c787f0d25cdf013b853f0d86d62c06bb992a6e91472d12
                                            • Instruction Fuzzy Hash: 4B31D7B0C40309ABDF20AFA5AD45BDDB6F4EF05740F0451AAB81CB6391EB705A84CF51
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA01049
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(6CB58410,?,?,0000007C,?,6C98F878,00000001), ref: 6C9A34F1
                                              • Part of subcall function 6C9A34C0: InitializeCriticalSection.KERNEL32(00000000,?,6C98F878,00000001), ref: 6C9A3507
                                              • Part of subcall function 6C9A34C0: LeaveCriticalSection.KERNEL32(6CB58410,?,6C98F878,00000001), ref: 6C9A3515
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C98F878,00000001), ref: 6C9A3522
                                            • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CA0109C
                                            • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CA010B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                                            • String ID: DragDelay$DragMinDist$windows
                                            • API String ID: 3965097884-2101198082
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • __allrem.LIBCMT ref: 00E9B864
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B880
                                            • __allrem.LIBCMT ref: 00E9B897
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B8B5
                                            • __allrem.LIBCMT ref: 00E9B8CC
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9B8EA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 1992179935-0
                                            APIs
                                            • GetFileAttributesA.KERNEL32 ref: 6C979C9B
                                            • SHGetFolderPathA.SHELL32 ref: 6C979CE4
                                            • GetFileAttributesA.KERNEL32 ref: 6C979DDF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AttributesFile$FolderPath
                                            • String ID:
                                            • API String ID: 1382956649-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
                                            • String ID:
                                            • API String ID: 4013288513-0
                                            APIs
                                            • IsWindow.USER32(?), ref: 00E611AB
                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00E611BB
                                            • GetModuleHandleW.KERNEL32(00000000,00000000,-00000002), ref: 00E6123C
                                            • RegisterClassW.USER32(?), ref: 00E61265
                                            • CreateWindowExW.USER32(00000000,?,00ECEA54,00000000,00000000,00000000,00000001,00000001,000000FD,00000000,00000000,00000000), ref: 00E61292
                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E612A3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Long$ClassCreateHandleModuleRegister
                                            • String ID:
                                            • API String ID: 354519829-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free$_abort
                                            • String ID:
                                            • API String ID: 3160817290-0
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,AC2C577A,00000000,?), ref: 00E617AA
                                            • GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,?), ref: 00E61803
                                            • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 00E61867
                                            • VerQueryValueW.VERSION(00000000,00ECEA50,?,00000034), ref: 00E61885
                                              • Part of subcall function 00E417D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00E417E6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: File$InfoVersion$Exception@8ModuleNameQuerySizeThrowValue
                                            • String ID: %d.%d.%d.%d
                                            • API String ID: 4009888614-3491811756
                                            APIs
                                              • Part of subcall function 6C97A150: GetModuleFileNameA.KERNEL32 ref: 6C97A1AC
                                            • CreateThread.KERNEL32 ref: 6C97A7DD
                                            • CreateThread.KERNEL32 ref: 6C97A819
                                            • WaitForSingleObject.KERNEL32 ref: 6C97A846
                                              • Part of subcall function 6C97A320: GetModuleFileNameA.KERNEL32 ref: 6C97A37C
                                              • Part of subcall function 6C97A0E0: GetModuleFileNameA.KERNEL32 ref: 6C97A113
                                              • Part of subcall function 6C97A520: GetModuleHandleA.KERNEL32 ref: 6C97A568
                                              • Part of subcall function 6C979520: GetModuleHandleA.KERNEL32 ref: 6C97952F
                                              • Part of subcall function 6C979520: FindResourceW.KERNEL32 ref: 6C979594
                                              • Part of subcall function 6C979520: LoadResource.KERNEL32 ref: 6C9795BD
                                              • Part of subcall function 6C979520: SizeofResource.KERNEL32 ref: 6C9795D6
                                              • Part of subcall function 6C979520: LockResource.KERNEL32 ref: 6C9795E8
                                              • Part of subcall function 6C9780D0: WSAStartup.WS2_32 ref: 6C9780FF
                                              • Part of subcall function 6C9780D0: getaddrinfo.WS2_32 ref: 6C9781F9
                                              • Part of subcall function 6C9780D0: WSACleanup.WS2_32 ref: 6C978215
                                              • Part of subcall function 6C9780D0: freeaddrinfo.WS2_32 ref: 6C9783B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Module$Resource$FileName$CreateHandleThread$CleanupFindLoadLockObjectSingleSizeofStartupWaitfreeaddrinfogetaddrinfo
                                            • String ID: IiViS$libcurl.dll
                                            • API String ID: 1047316345-1299199552
                                            APIs
                                            • GetConsoleWindow.KERNEL32(AC2C577A,00000000,?), ref: 00E4B897
                                            • ShowWindow.USER32(00000000,00000000), ref: 00E4B8A0
                                            • CoInitializeEx.COMBASE(00000000,00000000), ref: 00E4B8AA
                                              • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00E407A8
                                              • Part of subcall function 00E40760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00E407BE
                                              • Part of subcall function 00E40760: GetTempPathW.KERNEL32(00000104,?), ref: 00E407D4
                                              • Part of subcall function 00E40760: PathAppendW.SHLWAPI(?), ref: 00E407F0
                                              • Part of subcall function 00E40760: PathAddBackslashW.SHLWAPI(?), ref: 00E407FD
                                              • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E40810
                                              • Part of subcall function 00E40760: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00E40820
                                              • Part of subcall function 00E40760: PathFileExistsW.SHLWAPI(?), ref: 00E4082D
                                            Strings
                                            • Cqttech\XZDesktopCalendar\crash\log, xrefs: 00E4B8BB
                                            • XZCalendarServer.log, xrefs: 00E4B8E0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Path$ExistsFileFolderSpecialWindow$AppendBackslashConsoleCreateDirectoryInitializeShowTemp
                                            • String ID: Cqttech\XZDesktopCalendar\crash\log$XZCalendarServer.log
                                            • API String ID: 1254034182-2812334885
                                            APIs
                                            • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00E41729
                                            • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00E41754
                                            • RegCloseKey.ADVAPI32(?), ref: 00E4175F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                                            • API String ID: 3677997916-378819227
                                            APIs
                                            • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00E41729
                                            • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00E41754
                                            • RegCloseKey.ADVAPI32(?), ref: 00E4175F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                                            • API String ID: 3677997916-378819227
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                            • String ID:
                                            • API String ID: 3136044242-0
                                            APIs
                                            • __Mtx_init_in_situ.LIBCPMT ref: 00E4D79E
                                              • Part of subcall function 00E7A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00E7A64A
                                            • __Xtime_get_ticks.LIBCPMT ref: 00E4D844
                                              • Part of subcall function 00E7939B: ___crtFlsFree.LIBCPMT ref: 00E793A4
                                              • Part of subcall function 00E4D5F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4D611
                                              • Part of subcall function 00E4CCF0: Sleep.KERNEL32(?,?,00000010), ref: 00E4CE07
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4D939
                                            Strings
                                            • daily_file_sink: Invalid rotation time in ctor, xrefs: 00E4D91F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Concurrency::details::create_stl_critical_sectionException@8FreeMtx_init_in_situSleepThrowUnothrow_t@std@@@Xtime_get_ticks___crt__ehfuncinfo$??2@
                                            • String ID: daily_file_sink: Invalid rotation time in ctor
                                            • API String ID: 4188573093-2939006100
                                            APIs
                                            • Sleep.KERNEL32(?,?,00000010), ref: 00E4CE07
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4CE93
                                              • Part of subcall function 00E92A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00E92AAA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ExceptionException@8RaiseSleepThrow
                                            • String ID: for writing$Failed opening file
                                            • API String ID: 38309065-807226085
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E7078F
                                            • PathRemoveFileSpecW.SHLWAPI(?), ref: 00E7079C
                                            • LoadLibraryW.KERNEL32(?), ref: 00E707C2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: File$LibraryLoadModuleNamePathRemoveSpec
                                            • String ID: \CrashCatch.dll
                                            • API String ID: 2928287391-2884410699
                                            APIs
                                            • GetModuleHandleW.KERNEL32(Shell32,00000000,?,6C97CF8A), ref: 6C99A7DC
                                            • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C99A7ED
                                            Strings
                                            • Shell32, xrefs: 6C99A7D5
                                            • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C99A7E7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
                                            • API String ID: 1646373207-2658420654
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9895EF
                                              • Part of subcall function 6C998400: __EH_prolog3.LIBCMT ref: 6C998407
                                            • GetCurrentThread.KERNEL32 ref: 6C98964E
                                            • GetCurrentThreadId.KERNEL32 ref: 6C989657
                                            • GetVersionExW.KERNEL32 ref: 6C9896F3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CurrentThread$H_prolog3H_prolog3_Version
                                            • String ID:
                                            • API String ID: 786120064-0
                                            APIs
                                            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C99E474
                                            • VerSetConditionMask.KERNEL32(00000000), ref: 6C99E47C
                                            • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C99E48D
                                            • GetSystemMetrics.USER32(00001000), ref: 6C99E49E
                                              • Part of subcall function 6C99E4D4: __EH_prolog3.LIBCMT ref: 6C99E4DB
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000016), ref: 6C99E4E4
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000F), ref: 6C99E4F7
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000015), ref: 6C99E50E
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000F), ref: 6C99E51A
                                              • Part of subcall function 6C99E4D4: GetDeviceCaps.GDI32(?,0000000C), ref: 6C99E542
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000F), ref: 6C99E550
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000010), ref: 6C99E55E
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000015), ref: 6C99E56C
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000016), ref: 6C99E57A
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000014), ref: 6C99E588
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000012), ref: 6C99E596
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000011), ref: 6C99E5A4
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000006), ref: 6C99E5AF
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000D), ref: 6C99E5BA
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000E), ref: 6C99E5C5
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000005), ref: 6C99E5D0
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000008), ref: 6C99E5DE
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000009), ref: 6C99E5E9
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000007), ref: 6C99E5F4
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000002), ref: 6C99E5FF
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(00000003), ref: 6C99E60A
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000001B), ref: 6C99E618
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000001C), ref: 6C99E626
                                              • Part of subcall function 6C99E4D4: GetSysColor.USER32(0000000A), ref: 6C99E634
                                              • Part of subcall function 6C99E8F2: __EH_prolog3_GS.LIBCMT ref: 6C99E8FC
                                              • Part of subcall function 6C99E8F2: GetDeviceCaps.GDI32(?,00000058), ref: 6C99E91C
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99E978
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99E996
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99E9B4
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99E9D2
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99E9F0
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99EA0E
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99EA2C
                                              • Part of subcall function 6C99E8F2: DeleteObject.GDI32(00000000), ref: 6C99EA4A
                                              • Part of subcall function 6C99EE11: GetSystemMetrics.USER32(00000031), ref: 6C99EE1F
                                              • Part of subcall function 6C99EE11: GetSystemMetrics.USER32(00000032), ref: 6C99EE2D
                                              • Part of subcall function 6C99EE11: SetRectEmpty.USER32(?), ref: 6C99EE40
                                              • Part of subcall function 6C99EE11: EnumDisplayMonitors.USER32(00000000,00000000,6C99F5E9,?,?,?), ref: 6C99EE50
                                              • Part of subcall function 6C99EE11: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C99EE5F
                                              • Part of subcall function 6C99EE11: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C99EE8C
                                              • Part of subcall function 6C99EE11: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C99EEA0
                                              • Part of subcall function 6C99EE11: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C99EEC6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
                                            • String ID:
                                            • API String ID: 2442922003-0
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4C70B
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00E4C8FD
                                            Strings
                                            • Failed writing to file , xrefs: 00E4C8C9
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Exception@8ThrowUnothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: Failed writing to file
                                            • API String ID: 110933538-3481382570
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E6DFC6
                                            • __Mtx_unlock.LIBCPMT ref: 00E6DFF6
                                              • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                                            • __Mtx_unlock.LIBCPMT ref: 00E6E177
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlock$Cpp_errorThrow_mtx_do_lockstd::_
                                            • String ID:
                                            • API String ID: 994104373-0
                                            APIs
                                              • Part of subcall function 00E3F140: __Xtime_get_ticks.LIBCPMT ref: 00E3F152
                                              • Part of subcall function 00E3F140: GetCurrentThreadId.KERNEL32 ref: 00E3F178
                                            • __Mtx_init_in_situ.LIBCPMT ref: 00E388B3
                                            • __Mtx_init_in_situ.LIBCPMT ref: 00E388E3
                                            • __Mtx_init_in_situ.LIBCPMT ref: 00E388EE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_init_in_situ$CurrentThreadXtime_get_ticks
                                            • String ID:
                                            • API String ID: 2135877135-0
                                            • Opcode ID: 4141126d31e58232543e6820d2a38491b2488a35b87d2d1dc0739e27135a64a5
                                            • Instruction ID: 51a46c42f5272ca1271c3554707e0874cb1ca5131801e6d8a7efeb65b3342720
                                            • Opcode Fuzzy Hash: 4141126d31e58232543e6820d2a38491b2488a35b87d2d1dc0739e27135a64a5
                                            • Instruction Fuzzy Hash: 7281AFB19007489FDB20DF64CD89B9EBBF4EB44314F14859EE419AB380DB75AA48CF91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2460df373da613bccbb835f297f29a5eafba00e9e5b759ef4a09708923f05460
                                            • Instruction ID: 42fccf4642879e656e4f9ccffd3af29ec5d04e6e2628a32f830b22ca30b8a2fa
                                            • Opcode Fuzzy Hash: 2460df373da613bccbb835f297f29a5eafba00e9e5b759ef4a09708923f05460
                                            • Instruction Fuzzy Hash: 8251AF71D082199BDF15DFA8CC49AEF7BB4AF8A318F11215AE484BF291D774A900C761
                                            APIs
                                            • __Mtx_unlock.LIBCPMT ref: 00E6E90F
                                            • SetEvent.KERNEL32(?), ref: 00E6EA2C
                                            • __Mtx_unlock.LIBCPMT ref: 00E6EA36
                                              • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                              • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                              • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlock$Cnd_initEventMtx_initThrd_start
                                            • String ID:
                                            • API String ID: 3085764595-0
                                            • Opcode ID: a1a81a660b01a7cb588ca6ad04076d6619ad27ca4c4ca41685adfc5ef177e81d
                                            • Instruction ID: 2518c3218cf276622c4be004d14b61c8fa17e63e4e08b7f6994cf2ad10a11e75
                                            • Opcode Fuzzy Hash: a1a81a660b01a7cb588ca6ad04076d6619ad27ca4c4ca41685adfc5ef177e81d
                                            • Instruction Fuzzy Hash: CA616FB1D00248EFDB00DFA4E845B9EBBF4EF05314F189169E819B7391E771A944CBA1
                                            APIs
                                            • _free.LIBCMT ref: 00EAC7A2
                                            • _free.LIBCMT ref: 00EAC7F8
                                              • Part of subcall function 00EAC5D4: _free.LIBCMT ref: 00EAC62C
                                              • Part of subcall function 00EAC5D4: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00EC5EB4), ref: 00EAC63E
                                              • Part of subcall function 00EAC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00EAC6B6
                                              • Part of subcall function 00EAC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00EAC6E3
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                            • String ID:
                                            • API String ID: 314583886-0
                                            • Opcode ID: 2c40f99ddbb861ed71117b06c1bdefd5074f701fa14151b8ab8f3599f2b83e86
                                            • Instruction ID: 2c25a6149614bf209e534c7932a13b796f144edbbb37553b9d3f810c354a6177
                                            • Opcode Fuzzy Hash: 2c40f99ddbb861ed71117b06c1bdefd5074f701fa14151b8ab8f3599f2b83e86
                                            • Instruction Fuzzy Hash: AC21FC7280421956D731A6359CC1AEA77B8CF8F764F212297F494BE181EF307DC58E90
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Cnd_signal.LIBCPMT ref: 00E6F346
                                            • __Mtx_unlock.LIBCPMT ref: 00E6F35E
                                            • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00E6F37A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalMtx_unlockmtx_do_lock
                                            • String ID:
                                            • API String ID: 33673554-0
                                            • Opcode ID: d4d3ffff88b392c14fd021dcce33e99fcd564b3e4b0b6d8b71ee46c7e3eecec2
                                            • Instruction ID: 7544bb723efcc8c6f78c80a508c1b400cdd1dc8cd6f9c32f3cfe32c1284b6405
                                            • Opcode Fuzzy Hash: d4d3ffff88b392c14fd021dcce33e99fcd564b3e4b0b6d8b71ee46c7e3eecec2
                                            • Instruction Fuzzy Hash: E011C6B2D40740ABD711AB61EC02B5BB7E8EF40714F089539F81EB3752EB36F9148692
                                            APIs
                                            • CreateThread.KERNEL32(?,?,Function_0006CA8E,00000000,?,?), ref: 00E9CC2B
                                            • GetLastError.KERNEL32(?,?,?,?,?,00E79F7D,00000000,00000000,?,?,00000000,?,?,?,00E61104,?), ref: 00E9CC37
                                            • __dosmaperr.LIBCMT ref: 00E9CC3E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CreateErrorLastThread__dosmaperr
                                            • String ID:
                                            • API String ID: 2744730728-0
                                            • Opcode ID: c0db53bb98662f469ba5b0f0ec564e26e928e9856a1cb70d9627a18c9f1c8c71
                                            • Instruction ID: 1638a53c4bb6d123a3ec9753ec03c29cb528bea7892a51fb0d65fa2fcb289cc0
                                            • Opcode Fuzzy Hash: c0db53bb98662f469ba5b0f0ec564e26e928e9856a1cb70d9627a18c9f1c8c71
                                            • Instruction Fuzzy Hash: EF01B17650410AAFCF15FFA6DC059EFBFA9EF84764F24512AF809B2250DB718811D7A0
                                            APIs
                                            • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00EA81B1,?,?,00000002,00000000), ref: 00EA813B
                                            • GetLastError.KERNEL32(?,00EA81B1,?,?,00000002,00000000,?,00EA7875,?,00000000,00000000,00000002,?,?,?,?), ref: 00EA8145
                                            • __dosmaperr.LIBCMT ref: 00EA814C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastPointer__dosmaperr
                                            • String ID:
                                            • API String ID: 2336955059-0
                                            • Opcode ID: 415c8b2633aa72191fe0a2900b778e071713f1d743650c52a7fe25fb5271225c
                                            • Instruction ID: b6ffb04d1ffa94536a05503b647f8b2e850047529e6f0ee5c9cae009a40bd68d
                                            • Opcode Fuzzy Hash: 415c8b2633aa72191fe0a2900b778e071713f1d743650c52a7fe25fb5271225c
                                            • Instruction Fuzzy Hash: D2016D33610114AFCF098F59DC01CEF3B59EB89334B241255F801AF190EA31AC018790
                                            APIs
                                            • DeleteFileW.KERNEL32(6CAD6361,?,6CAD6361,?), ref: 6CAE33F1
                                            • GetLastError.KERNEL32(?,6CAD6361,?), ref: 6CAE33FB
                                            • __dosmaperr.LIBCMT ref: 6CAE3402
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: DeleteErrorFileLast__dosmaperr
                                            • String ID:
                                            • API String ID: 1545401867-0
                                            • Opcode ID: 121fce213944b1bf325705520a009197ab43c9d70930d457576b34bafc3decc7
                                            • Instruction ID: 9a11caa3d545cb3819e9340b14cbdfc781cb82a0b385f2acf281e8230dfd6bc4
                                            • Opcode Fuzzy Hash: 121fce213944b1bf325705520a009197ab43c9d70930d457576b34bafc3decc7
                                            • Instruction Fuzzy Hash: DED0C932245208679E112AF6AC0845A3BAC9B827793180716F42DC65A0DE21C4959551
                                            APIs
                                              • Part of subcall function 00E61020: __Cnd_init.LIBCPMT ref: 00E61050
                                              • Part of subcall function 00E61020: __Mtx_init.LIBCPMT ref: 00E61083
                                              • Part of subcall function 00E610F0: __Thrd_start.LIBCPMT ref: 00E610FF
                                            • __Mtx_unlock.LIBCPMT ref: 00E6BA5B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Cnd_initMtx_initMtx_unlockThrd_start
                                            • String ID: l!
                                            • API String ID: 2901745279-4133310417
                                            • Opcode ID: 6aa8840a926660472dfdc84cd2779c89b3c9bc7e8be60ea5653079795504c788
                                            • Instruction ID: deacb0f622bec20390940c6b37c2d873b13132310110adf5d07e353ee01cbfe9
                                            • Opcode Fuzzy Hash: 6aa8840a926660472dfdc84cd2779c89b3c9bc7e8be60ea5653079795504c788
                                            • Instruction Fuzzy Hash: 3B31C2B1C04248AFDB10EFA8D842B9EBBF4EF14714F145169E905B7381E775A984CBA2
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID: curl_slist_free_all
                                            • API String ID: 2030045667-2048950981
                                            • Opcode ID: 3d0788404e696d3328cbac9d2f9c0e1fe37454c1a33cded56abd55bb06ecf68e
                                            • Instruction ID: 38535e63fc8e0df64ac2230f2cd7a54d3d836f41a8393b4cd919739029ffdca2
                                            • Opcode Fuzzy Hash: 3d0788404e696d3328cbac9d2f9c0e1fe37454c1a33cded56abd55bb06ecf68e
                                            • Instruction Fuzzy Hash: 80D017705082049BE740BFB8C51A36A7BF4A740200F40896AE49C83241E6B980598BC2
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID: curl_slist_append
                                            • API String ID: 2030045667-3558798127
                                            • Opcode ID: c947e50f353291f6384f2cfd5805e919e6ab06a22902ad137c45976af9b4b586
                                            • Instruction ID: 91e6f06e416f9b1744465ecbafca4e258419bdeaff8ac5dfc4fecf0d44dac94d
                                            • Opcode Fuzzy Hash: c947e50f353291f6384f2cfd5805e919e6ab06a22902ad137c45976af9b4b586
                                            • Instruction Fuzzy Hash: 41D017705082049BE340BFB8C60A32B7FF4A740211F408D5AE49C83241E6B980558B83
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Message
                                            • String ID: curl_easy_init
                                            • API String ID: 2030045667-4195830768
                                            • Opcode ID: 387a850a8c0660da88f8d6c558aa1737ec440591539364b5ac0ab1faf3236e1f
                                            • Instruction ID: 2afc6c8bd62560cbd2dae71fb806727b0b15b73c92ad5cd2561c407f84c3427e
                                            • Opcode Fuzzy Hash: 387a850a8c0660da88f8d6c558aa1737ec440591539364b5ac0ab1faf3236e1f
                                            • Instruction Fuzzy Hash: 68D017705083149BE340BFB8C50A32A7BF4A740205F408D6AE49C87241E6B984558BC2
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,?,?,_V,?,?,00000000,?,00EB565F,00000000,0000000C), ref: 00EB52A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: _V
                                            • API String ID: 823142352-3862173090
                                            APIs
                                            • __Mtx_destroy_in_situ.LIBCPMT ref: 00E638CE
                                            • __Mtx_destroy_in_situ.LIBCPMT ref: 00E638D7
                                              • Part of subcall function 00E70A40: __Mtx_destroy_in_situ.LIBCPMT ref: 00E70A5D
                                              • Part of subcall function 00E70A40: __Mtx_destroy_in_situ.LIBCPMT ref: 00E70A63
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_destroy_in_situ
                                            • String ID:
                                            • API String ID: 3543493169-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • __RTC_Initialize.LIBCMT ref: 6CAC1EC2
                                              • Part of subcall function 6CAC226E: InitializeSListHead.KERNEL32(6CB5A058,6CAC1ECC,6CB4F718,00000010,6CAC2065,?,00000000,?,00000007,6CB4F738,00000010,6CAC2078,?,?,6CAC2101,?), ref: 6CAC2273
                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CAC1F2C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                            • String ID:
                                            • API String ID: 3231365870-0
                                            APIs
                                            • __RTC_Initialize.LIBCMT ref: 6CAC1FC3
                                            • ___scrt_uninitialize_crt.LIBCMT ref: 6CAC1FDD
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Initialize___scrt_uninitialize_crt
                                            • String ID:
                                            • API String ID: 2442719207-0
                                            APIs
                                            • SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,?,00008000,6CADFF1C,?,?,?,6CADFCD7,6CADFF1C,?,00000000,?,?), ref: 6CADFE8B
                                            • GetLastError.KERNEL32(00000000,?,?,?,6CADFCD7,6CADFF1C,?,00000000,?,?,00000000,00008000,6CADFF1C,?,?,6CAE8E3B), ref: 6CADFE98
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID:
                                            • API String ID: 2976181284-0
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 00E61457
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00E614A0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$LongProc
                                            • String ID:
                                            • API String ID: 2275667008-0
                                            APIs
                                            • GetLastError.KERNEL32(00EDEEC0,00000010,00000003,00EA6F47), ref: 00E9CAA1
                                            • ExitThread.KERNEL32 ref: 00E9CAA8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorExitLastThread
                                            • String ID:
                                            • API String ID: 1611280651-0
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,6CAC563B,6CADC85A,?,?,6CAD9790,00000001,00000364,?,00000006,000000FF,?,?,6CAD6292), ref: 6CAD9898
                                            • SetLastError.KERNEL32(00000000,?,6C955557), ref: 6CAD993A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6CAE17AF,6CAE9011,?,00000000,00000000), ref: 6CAE1816
                                            • GetLastError.KERNEL32(?,00000000,?,6CAE17AF,6CAE9011,?,00000000,00000000), ref: 6CAE1820
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CloseErrorHandleLast
                                            • String ID:
                                            • API String ID: 918212764-0
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E7110F
                                              • Part of subcall function 00E79E53: std::_Throw_Cpp_error.LIBCPMT ref: 00E79E7A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Cpp_errorMtx_unlockThrow_mtx_do_lockstd::_
                                            • String ID:
                                            • API String ID: 3771319283-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                            • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                            • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlock
                                            • String ID:
                                            • API String ID: 1418687624-0
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C99E0C2
                                              • Part of subcall function 6C99E417: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C99E474
                                              • Part of subcall function 6C99E417: VerSetConditionMask.KERNEL32(00000000), ref: 6C99E47C
                                              • Part of subcall function 6C99E417: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C99E48D
                                              • Part of subcall function 6C99E417: GetSystemMetrics.USER32(00001000), ref: 6C99E49E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
                                            • String ID:
                                            • API String ID: 2710481357-0
                                            • Opcode ID: 2a22e34f749a31e83d54cf195bdc52aba25d1f790b9caa1af9730005a51ec294
                                            • Instruction ID: 9726b9fe73914e828f8d5687cd6204e604b4dbc8c57257a7f0f885c6917ec5da
                                            • Opcode Fuzzy Hash: 2a22e34f749a31e83d54cf195bdc52aba25d1f790b9caa1af9730005a51ec294
                                            • Instruction Fuzzy Hash: 8851DEB0905F418FD3A9CF3A85417C6FAE0BF99304F108A2E91AED6660EB706184CF55
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: __wsopen_s
                                            • String ID:
                                            • API String ID: 3347428461-0
                                            • Opcode ID: e37091fe55dc3518e53e42d534c3c53808ed2f19a2fd75c380dd9e262ed86154
                                            • Instruction ID: cf4877b2d415600424b9d742662f6d0751035e75f5ea688923d7b205f0eb7be9
                                            • Opcode Fuzzy Hash: e37091fe55dc3518e53e42d534c3c53808ed2f19a2fd75c380dd9e262ed86154
                                            • Instruction Fuzzy Hash: 38116671A0420AAFCB05CF58E94099B7BF9EF49308F054069F809EB301D770E915CBA5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: __wsopen_s
                                            • String ID:
                                            • API String ID: 3347428461-0
                                            • Opcode ID: 8160085448fc8e63b2a4653f6980b75f5eab9216a6e180daa8f0702bfc91b7e8
                                            • Instruction ID: 4f576ee9deda0a02ab1987e58e59a1c2c196b3cb3ceb6871019a8bf152ef7ba1
                                            • Opcode Fuzzy Hash: 8160085448fc8e63b2a4653f6980b75f5eab9216a6e180daa8f0702bfc91b7e8
                                            • Instruction Fuzzy Hash: 2A11187690420AAFCF15DF58E941A9B7BF8EF49314F104069F809AB351D631E9218B65
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: __wsopen_s
                                            • String ID:
                                            • API String ID: 3347428461-0
                                            • Opcode ID: 06b1167324aa920a479f46d28c334bdd05624e042fa91e407c45516a7deccf61
                                            • Instruction ID: 564d7c8c0ae0718b38b78f7eee24cb358b210bbfe7f019540b465295f7f6821a
                                            • Opcode Fuzzy Hash: 06b1167324aa920a479f46d28c334bdd05624e042fa91e407c45516a7deccf61
                                            • Instruction Fuzzy Hash: 10114572A0420AAFCF15DF58E9419DA7BF8EF49304F1040A9F809AB311D631EA218BA5
                                            APIs
                                              • Part of subcall function 00E7A660: mtx_do_lock.LIBCPMT ref: 00E7A668
                                            • __Mtx_unlock.LIBCPMT ref: 00E4C4AC
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Mtx_unlockmtx_do_lock
                                            • String ID:
                                            • API String ID: 147572093-0
                                            • Opcode ID: 27c8cd6246756503efc87a569b78a81cbfa11713e01ec2bf587fee988fa1b89c
                                            • Instruction ID: dec5e9973293862c9c017fc2b835163eb68a069973d1a1afa632d5b396859c6f
                                            • Opcode Fuzzy Hash: 27c8cd6246756503efc87a569b78a81cbfa11713e01ec2bf587fee988fa1b89c
                                            • Instruction Fuzzy Hash: 180184B2900214ABDB00DF95ED05B9BB7ECEF45710F058136F819A3651EB75EA1486A2
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000008,6CAD6292,?,?,6CAD9790,00000001,00000364,?,00000006,000000FF,?,?,6CAD6292,?,6C955557), ref: 6CADC849
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 6695c62ba0d19bde0ab4398dfe698e345abfd3daf42efb57c3925dc8b633d332
                                            • Instruction ID: 82f4682a76f58276ff3a234c4de9b4f7b9f8d8cb113b25457076b95891c34663
                                            • Opcode Fuzzy Hash: 6695c62ba0d19bde0ab4398dfe698e345abfd3daf42efb57c3925dc8b633d332
                                            • Instruction Fuzzy Hash: E9F02B3120512457EB116E76980CF4F3758AB4177CB568125E814A7D80DB30F4C442E0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00EA6EF2,00000001,00000364,?,00E9CAB3,00EDEEC0,00000010), ref: 00EA9254
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: fc0813e7bd675331e1abeb998d293cfe16374feca3cdfce6db5e65a04983025e
                                            • Instruction ID: 75ea244eefd7d4d7fba73de3c6e133cd9cc4cb6dc7bdcf8a09084f0c6db9c8fd
                                            • Opcode Fuzzy Hash: fc0813e7bd675331e1abeb998d293cfe16374feca3cdfce6db5e65a04983025e
                                            • Instruction Fuzzy Hash: ADF0B432645528B69F215A26BC05B9B378CEF8B774B186152F804BE4A2CB20F80096F0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: f4536d16d5e2002196e3e388b5418d82556e96934cad0ee61007cf63d4b8e722
                                            • Instruction ID: c3b25b299e96d39e56181f34ab71141ad043a3edd6e4a7ccfc7ff471a5a181c5
                                            • Opcode Fuzzy Hash: f4536d16d5e2002196e3e388b5418d82556e96934cad0ee61007cf63d4b8e722
                                            • Instruction Fuzzy Hash: 94F0BE3351110CBBCF209E95DC02DDF3BAEEF89371F144112FD18A2060DA36CA21A7A0
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4D611
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 885266447-0
                                            • Opcode ID: 644df985b829d9658f02dc5c088a3cd2b7d65694d3e42f1e706eb162c194ec91
                                            • Instruction ID: 2d85f9768ad61c60fa7cf64f5feab87ae0304145b6581e205c3beba39b15a7fb
                                            • Opcode Fuzzy Hash: 644df985b829d9658f02dc5c088a3cd2b7d65694d3e42f1e706eb162c194ec91
                                            • Instruction Fuzzy Hash: 29016D31D1434CABCB01DFA8DC019EEB7B8FF58314F00961AF94576201EB7066D48B84
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Thrd_start
                                            • String ID:
                                            • API String ID: 2176944979-0
                                            • Opcode ID: 216e343ed53ad991c7a664a30b41c02b96641873a79f7490143f30788b692bbe
                                            • Instruction ID: 98fc2b031c9409010bf95a7261da98ad00e58fc26e039b398277ea8b7e47c5e7
                                            • Opcode Fuzzy Hash: 216e343ed53ad991c7a664a30b41c02b96641873a79f7490143f30788b692bbe
                                            • Instruction Fuzzy Hash: 77F0A7B194130166EF361115AC06B977AC88F11794F0CE479FA0FB0152E556EC948692
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,00EAA0DD,?,?,?,?,?,00E9CAEB,00000000), ref: 00EA7A5B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: b8c8fa2bd15034aa2f412c5fdabe2c02cd43d934ce0cf6080a66e62c3ba9e04b
                                            • Instruction ID: 69ad7a2720f97f51a156dd88349876c975a6633eb9c8d94821093d3bf2b70d7c
                                            • Opcode Fuzzy Hash: b8c8fa2bd15034aa2f412c5fdabe2c02cd43d934ce0cf6080a66e62c3ba9e04b
                                            • Instruction Fuzzy Hash: B8E0E53211D520BBDA20A6659C00BAF37899F0B3B4F152161FCC9BE1D0DF20FE0081E0
                                            APIs
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00E7C845
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4132099812.0000000000E31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00E30000, based on PE: true
                                             • Associated: 00000003.00000002.4132087245.0000000000E30000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132139215.0000000000EBF000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132159102.0000000000EE1000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132171336.0000000000EE2000.00000008.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132184039.0000000000EE4000.00000004.00000001.01000000.00000005.sdmp
                                             • Associated: 00000003.00000002.4132196391.0000000000EE7000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e30000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw
                                            • String ID:
                                            • API String ID: 2005118841-0
                                            • Opcode ID: 641a06c2fe3b68c4df8a70d5659489225add09981280737ea7508b09f2fe9fe4
                                            • Instruction ID: e9156a759ca760db3b2f7fffea60ffcf8cda9d5fce8a5b257913b2da263b2501
                                            • Opcode Fuzzy Hash: 641a06c2fe3b68c4df8a70d5659489225add09981280737ea7508b09f2fe9fe4
                                            • Instruction Fuzzy Hash: 05E0923580060DB7CF147AA8EC06AAD77AC5F01364B20E125FD1CB54F6EF70E95591D1
                                            APIs
                                            • CreateFileW.KERNEL32(6C96A8D0,00000000,?,6CAE8EC7,?,?,00000000,?,6CAE8EC7,6C96A8D0,0000000C), ref: 6CAE9240
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: fe4e2c5fecf70f82df643802a94e0030c854aea61ab14ef9b13d017d7e069d28
                                            • Instruction ID: 60682e38ac6364f0f223acb17001e43ab18df23d7c5bd2c6d56ecd866e737d95
                                            • Opcode Fuzzy Hash: fe4e2c5fecf70f82df643802a94e0030c854aea61ab14ef9b13d017d7e069d28
                                            • Instruction Fuzzy Hash: 48D06C3210010DBFDF129E84DC06EDA3BAAFB48714F014100BE1C56020C732E921EB90
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 6C9832C9
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: DeleteObject
                                            • String ID:
                                            • API String ID: 1531683806-0
                                            • Opcode ID: b1c5fddb94e1b6057c3446fb5a31343bf13e02e22a76f8c4c483eaeb1a52178a
                                            • Instruction ID: 03187d390b61aeccf895e129ccfa5c604e612da8f79d2ec048bdc3453b4d640a
                                            • Opcode Fuzzy Hash: b1c5fddb94e1b6057c3446fb5a31343bf13e02e22a76f8c4c483eaeb1a52178a
                                            • Instruction Fuzzy Hash: 7FB09270D26244AACF00AB708A0CB4A36687B5131AF148D94A00983804DB39C00AD540
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: c05013a983fbc95dfdd5e0344425b0d9e84b74a26988f192421a0fc94a7c6491
                                            • Instruction ID: b928487b54feba24e853ee52c350db84db52821a68dba103c6d5e7a338906d41
                                            • Opcode Fuzzy Hash: c05013a983fbc95dfdd5e0344425b0d9e84b74a26988f192421a0fc94a7c6491
                                            • Instruction Fuzzy Hash: 4A314DB5E14388CFCB04DFE8D94169DBBB1BF19714F804529D4069BB54D734E82ACB92
                                            APIs
                                              • Part of subcall function 6C9796B0: CreateToolhelp32Snapshot.KERNEL32 ref: 6C979702
                                            • Sleep.KERNEL32 ref: 6C979B9F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CreateSleepSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 684154974-0
                                            • Opcode ID: 907e603996eab54792622130dd9e537ad34ad72cce7fe6fbff485d5ab7e52801
                                            • Instruction ID: cc4ce46e821aa8600c361b887c291657e72fa6f4fe8850b72e40f7a70bb9e16e
                                            • Opcode Fuzzy Hash: 907e603996eab54792622130dd9e537ad34ad72cce7fe6fbff485d5ab7e52801
                                            • Instruction Fuzzy Hash: 462119B5E11359CFCB14EFA8C8416EEBBB4FB15720F400629D8216BB84D775A509CBA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 77e38ec477464cb352a8975cef6aeb69650ecd6df61a13380746e2ea4a7b33ec
                                            • Instruction ID: 92dff23c933d2051916ff7ad81f7fb22bdd985f8a92d33cc0c773ab7f3c72eec
                                            • Opcode Fuzzy Hash: 77e38ec477464cb352a8975cef6aeb69650ecd6df61a13380746e2ea4a7b33ec
                                            • Instruction Fuzzy Hash: C6D09E75D002089FC740FFFCE54549EBFF4AB44210F004175E989D7304E6749694DB96
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Cleanup$closesocket$AllocStartupVirtualconnectfreeaddrinfogetaddrinforecvsocket
                                            • String ID: $@
                                            • API String ID: 1138076629-1077428164
                                            • Opcode ID: c693db90c5cf22ed707a9af2f38ea179873b7734cdf501a175a300a7f9595fa8
                                            • Instruction ID: 8d443d7859ad9ca93d9abdc66e4cbbcc6b2371904b14618a295f8b9247152285
                                            • Opcode Fuzzy Hash: c693db90c5cf22ed707a9af2f38ea179873b7734cdf501a175a300a7f9595fa8
                                            • Instruction Fuzzy Hash: 23E1E5B4A15219CFCB24EF28D98879DBBF0BB0A315F4085EAD44DA7740E7349A88CF55
                                            APIs
                                            • SetRectEmpty.USER32(?), ref: 6C9B8859
                                            • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C9B8877
                                            • ReleaseCapture.USER32 ref: 6C9B887D
                                            • SetCapture.USER32(?), ref: 6C9B8890
                                            • ReleaseCapture.USER32 ref: 6C9B891D
                                            • SetCapture.USER32(?), ref: 6C9B8930
                                            • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C9B8A24
                                            • UpdateWindow.USER32(?), ref: 6C9B8AB0
                                            • SendMessageW.USER32(?,00000111,00000000,00000000), ref: 6C9B8AFF
                                            • IsWindow.USER32(?), ref: 6C9B8B0B
                                            • IsIconic.USER32(?), ref: 6C9B8B16
                                            • IsZoomed.USER32(?), ref: 6C9B8B21
                                            • IsWindow.USER32(?), ref: 6C9B8B3F
                                            • UpdateWindow.USER32(?), ref: 6C9B8B9B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
                                            • String ID:
                                            • API String ID: 2500574155-0
                                            • Opcode ID: 74c2b3bdf95037e565505dc9f4853713b2c83bde8d79529fa22a0b68a0e25fc6
                                            • Instruction ID: dbe1d7fbee57715a517967bf35f06582a827aa8a63b71ed1d51310a766a0a973
                                            • Opcode Fuzzy Hash: 74c2b3bdf95037e565505dc9f4853713b2c83bde8d79529fa22a0b68a0e25fc6
                                            • Instruction Fuzzy Hash: B9C17131700629AFCF059F65C894AAE3B79FF49714F1442BAEC29AB791DB30D901CB94
                                            APIs
                                              • Part of subcall function 6C98AD88: GetParent.USER32(?), ref: 6C98AD92
                                            • ScreenToClient.USER32(?,?), ref: 6C9A45A4
                                            • GetKeyState.USER32(00000001), ref: 6C9A4615
                                            • GetKeyState.USER32(00000001), ref: 6C9A4670
                                            • IsWindow.USER32(?), ref: 6C9A4731
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: State$ClientParentScreenWindow
                                            • String ID: 0
                                            • API String ID: 1527269598-4108050209
                                            • Opcode ID: ed20c00187201e40b3029b27e6c2e71313c05c24d436048dbb1c846bf1165a83
                                            • Instruction ID: a779a9fd6495445c7c03cbe0055c3696bf5967a14459098e39cfff27f18a6912
                                            • Opcode Fuzzy Hash: ed20c00187201e40b3029b27e6c2e71313c05c24d436048dbb1c846bf1165a83
                                            • Instruction Fuzzy Hash: 8C617E34B013199BDF159FE4C894BAD7BB9BF49718F14112AE811A7BA1EF71D8028F81
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C98A4DC,6C989565,00000003,?,00000004,6C989565), ref: 6C9A6103
                                            • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C9A6113
                                            • EncodePointer.KERNEL32(00000000,?,6C98A4DC,6C989565,00000003,?,00000004,6C989565), ref: 6C9A611C
                                            • DecodePointer.KERNEL32(00000000,?,?,6C98A4DC,6C989565,00000003,?,00000004,6C989565), ref: 6C9A612A
                                            • GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6C98A4DC,6C989565,00000003,?,00000004,6C989565), ref: 6C9A6161
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
                                            • String ID: GetLocaleInfoEx$kernel32.dll
                                            • API String ID: 1461536855-1547310189
                                            • Opcode ID: 9213462794ffeb312e95bc24834b06e7393e441c68c1485aa16510dfadf8f934
                                            • Instruction ID: 633feb136515c2582905f07699d9137c10fb49d3bf231c8d0b2823e14c6a0b7c
                                            • Opcode Fuzzy Hash: 9213462794ffeb312e95bc24834b06e7393e441c68c1485aa16510dfadf8f934
                                            • Instruction Fuzzy Hash: EF016D7A601629EBCF122FE9DC088AE3F79FB0A3557014514FC19D3550EB31C921CB90
                                            APIs
                                            • __EH_prolog3_catch_GS.LIBCMT ref: 6CA041D4
                                              • Part of subcall function 6C983F98: __EH_prolog3.LIBCMT ref: 6C983F9F
                                              • Part of subcall function 6C983F98: GetWindowDC.USER32(00000000,00000004,6C99E53A,00000000), ref: 6C983FCB
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA041FA
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CA04220
                                              • Part of subcall function 6C983D86: SelectObject.GDI32(6C98F82B,?), ref: 6C983D8F
                                            • FillRect.USER32(?,?,00000000), ref: 6CA04272
                                            • OpenClipboard.USER32(?), ref: 6CA042CC
                                            • EmptyClipboard.USER32 ref: 6CA0430C
                                            • SetClipboardData.USER32(00000002,00000000), ref: 6CA04330
                                            • CloseClipboard.USER32 ref: 6CA0434A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
                                            • String ID:
                                            • API String ID: 2940850299-0
                                            • Opcode ID: b0844169d6c83ff61e5a604abe0ecdbbd995c40ce3ae743ecd925dcda1dcb06b
                                            • Instruction ID: 83d0c4b93f03a62c82fee01ac13c56f24ad6b0dfd7adf406338d41119fc88d5b
                                            • Opcode Fuzzy Hash: b0844169d6c83ff61e5a604abe0ecdbbd995c40ce3ae743ecd925dcda1dcb06b
                                            • Instruction Fuzzy Hash: 9C418F71A01255ABCF10DFF9DC489DEBB78BF29358B148619F415A7A90DF30D948CBA0
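As an added triage example (this is not part of the Joe Sandbox report and not Joe Sandbox code), the Python below parses function records in the format printed above and tags each one with the capability its Win32 call pattern suggests. It covers the three records most worth a second look on this page: the CreateToolhelp32Snapshot/Sleep polling function, the function whose API ID combines socket/connect/recv with VirtualAlloc, and the GDI-bitmap-to-clipboard function whose SetClipboardData call passes format 2 (CF_BITMAP). The record text is a constructed excerpt of those three records; the capability rules, their names and the constant table are this example's own heuristics, not Joe Sandbox signatures, and the "download-to-memory" reading of the socket function is an inference from the API ID, not something the report asserts.

```python
"""Tag Joe Sandbox "IDA Plugin" function records by Win32 call pattern.

Added triage helper, not part of the sandbox report. Heuristics are the
example's own; the input below is a constructed excerpt of three records
from the RuntimeBrokers module (image base 6C950000) shown on this page.
"""
import re

# Constructed input: abbreviated copies of three records from this report.
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 6C9796B0: CreateToolhelp32Snapshot.KERNEL32 ref: 6C979702
• Sleep.KERNEL32 ref: 6C979B9F
Similarity
• API ID: CreateSleepSnapshotToolhelp32
• Instruction Fuzzy Hash: 462119B5E11359CFCB14EFA8C8416EEBBB4FB15720F400629D8216BB84D775A509CBA1
APIs
Strings
Similarity
• API ID: Cleanup$closesocket$AllocStartupVirtualconnectfreeaddrinfogetaddrinforecvsocket
• Instruction Fuzzy Hash: 23E1E5B4A15219CFCB24EF28D98879DBBF0BB0A315F4085EAD44DA7740E7349A88CF55
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 6CA041FA
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CA04220
• OpenClipboard.USER32(?), ref: 6CA042CC
• EmptyClipboard.USER32 ref: 6CA0430C
• SetClipboardData.USER32(00000002,00000000), ref: 6CA04330
• CloseClipboard.USER32 ref: 6CA0434A
Similarity
• API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
• Instruction Fuzzy Hash: 9C418F71A01255ABCF10DFF9DC489DEBB78BF29358B148619F415A7A90DF30D948CBA0
"""

# One call bullet: optional "Part of subcall function X:" prefix, then
# Api.MODULE(optional,args), ref: ADDRESS
BULLET_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Each rule fires when every needle occurs in the lower-cased API ID plus
# call names. Joe Sandbox's API ID is a concatenation of name fragments
# ("AllocStartupVirtual..."), so plain substring tests are sufficient.
CAPABILITY_RULES = {
    "process-enumeration loop (Toolhelp32 + Sleep)": {"toolhelp32", "snapshot", "sleep"},
    "download-to-memory client (socket/connect/recv + VirtualAlloc)":
        {"socket", "connect", "recv", "virtual", "alloc"},
    "window capture to clipboard (GDI bitmap + SetClipboardData)":
        {"compatible", "bitmap", "clipboard"},
}

# (API name, zero-based argument index) -> {value: symbolic name}.
# CF_BITMAP is the documented value 2 of SetClipboardData's uFormat.
KNOWN_CONSTANTS = {("SetClipboardData", 0): {2: "CF_BITMAP"}}


def parse_records(text):
    """Split report text into records; each starts at a bare 'APIs' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "api_id": "", "fuzzy_hash": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("• Instruction Fuzzy Hash:"):
            cur["fuzzy_hash"] = line.split(":", 1)[1].strip()
            continue
        m = BULLET_RE.search(line)
        if m:
            cur["apis"].append({
                "api": m["api"], "module": m["module"], "ref": m["ref"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "subcall": m["sub"] is not None,
            })
    return records


def tag_record(record):
    """Return the capability names whose needles all occur in this record."""
    blob = (record["api_id"] + " " + " ".join(c["api"] for c in record["apis"])).lower()
    return [name for name, needles in CAPABILITY_RULES.items()
            if all(n in blob for n in needles)]


def annotate_args(call):
    """Attach symbolic names to known constant arguments; '?' is unresolved."""
    out = []
    for i, a in enumerate(call["args"]):
        try:
            val = int(a, 16)
        except ValueError:
            out.append(a)
            continue
        name = KNOWN_CONSTANTS.get((call["api"], i), {}).get(val)
        out.append(f"{a} ({name})" if name else a)
    return out


def triage(text):
    """Summarise each record: direct calls with decoded constants, plus tags."""
    return [{
        "api_id": rec["api_id"],
        "fuzzy_hash": rec["fuzzy_hash"],
        "direct_calls": [f"{c['api']}({', '.join(annotate_args(c))}) @ {c['ref']}"
                         for c in rec["apis"] if not c["subcall"]],
        "tags": tag_record(rec),
    } for rec in parse_records(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_RECORDS):
        print(entry["fuzzy_hash"][:16], entry["tags"])
        for call in entry["direct_calls"]:
            print("   ", call)
```

Feed it the whole function listing of a report and the tags give a quick map of which of the hundreds of identical-looking records deserve manual review; the socket record here has no call bullets at all, so only the API ID string carries the signal, which is why the rules match on both.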
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9C82D9
                                            • PathIsUNCW.SHLWAPI(?,?,?,?,6C9FA152,00000024,?,?,?), ref: 6C9C8389
                                            • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6C9FA152,00000024,?,?,?), ref: 6C9C83AD
                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C9C814B,?,?,00000000,?,6C9FA152,00000024,?,?,?), ref: 6C9C830C
                                              • Part of subcall function 6C9C828D: GetLastError.KERNEL32(?,?,?,6C9C83BE,?,?,?,6C9FA152,00000024,?,?,?), ref: 6C9C8299
                                              • Part of subcall function 6C9C81C2: PathStripToRootW.SHLWAPI(00000000,?,?,6C9FA152,00000024,?,?,?), ref: 6C9C81F6
                                            • CharUpperW.USER32(?,?,6C9FA152,00000024,?,?,?), ref: 6C9C83DB
                                            • FindFirstFileW.KERNEL32(?,?,?,6C9FA152,00000024,?,?,?), ref: 6C9C83F3
                                            • FindClose.KERNEL32(00000000,?,6C9FA152,00000024,?,?,?), ref: 6C9C83FF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
                                            • String ID:
                                            • API String ID: 2323451338-0
                                            • Opcode ID: f0aff53425f9e1f6b49e648a224d986fa0b9f473f57cae82aceb8c88b8344985
                                            • Instruction ID: 9c964a8b6c9fd83edf56bc7a44b3b9086235c5d7c996eafcd57a025c72138b86
                                            • Opcode Fuzzy Hash: f0aff53425f9e1f6b49e648a224d986fa0b9f473f57cae82aceb8c88b8344985
                                            • Instruction Fuzzy Hash: C9418771605115AFDB189B64CC8CEFE737CFF15308F10069AE429D2A90EB35DE49CA26
                                            APIs
                                            • GetLocaleInfoW.KERNEL32(?,2000000B,6CAE5C6B,00000002,00000000,?,?,?,6CAE5C6B,?,00000000), ref: 6CAE6333
                                            • GetLocaleInfoW.KERNEL32(?,20001004,6CAE5C6B,00000002,00000000,?,?,?,6CAE5C6B,?,00000000), ref: 6CAE635C
                                            • GetACP.KERNEL32(?,?,6CAE5C6B,?,00000000), ref: 6CAE6371
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: InfoLocale
                                            • String ID: ACP$OCP
                                            • API String ID: 2299586839-711371036
                                            • Opcode ID: 20362a42c3f1852a0e1b59ac6c5170026c8f282235560a8f735c7c0b944d00b8
                                            • Instruction ID: bcd852171de273afadedaa33ae52518a32b9bb9d47b50650e1b90e1c12877cdc
                                            • Opcode Fuzzy Hash: 20362a42c3f1852a0e1b59ac6c5170026c8f282235560a8f735c7c0b944d00b8
                                            • Instruction Fuzzy Hash: E221B87270510AA6D7218B55C901BCB77B6EB4DF58B5E4D64EA0AD7B00E732D9C0E3D0
                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 6C9847B1
                                            • InflateRect.USER32(?,?,?), ref: 6C9847CD
                                            • BeginDeferWindowPos.USER32(?), ref: 6C984841
                                            • InvalidateRect.USER32(?,00000000,00000001,00000018,00000008,00000000,0000EA20), ref: 6C9848B0
                                            • EndDeferWindowPos.USER32(00000000), ref: 6C984AAE
                                              • Part of subcall function 6C99BD57: GetDlgItem.USER32(?,?), ref: 6C99BD68
                                              • Part of subcall function 6C9864AB: GetClientRect.USER32(?,?), ref: 6C9864CD
                                              • Part of subcall function 6C9864AB: GetParent.USER32(?), ref: 6C9864E6
                                              • Part of subcall function 6C9864AB: GetClientRect.USER32(?,?), ref: 6C986515
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
                                            • String ID:
                                            • API String ID: 939197390-0
                                            • Opcode ID: 9910ab59d74f1cb79b362a73513f9536d2928b1053bc32459bb98e1b40278f9d
                                            • Instruction ID: d96c340cb4b5e361fd76bda3090728cd4bd9eecc01aca37f7875401fa3d9e2d1
                                            • Opcode Fuzzy Hash: 9910ab59d74f1cb79b362a73513f9536d2928b1053bc32459bb98e1b40278f9d
                                            • Instruction Fuzzy Hash: B1B14571E00649AFDB19CFA8C890BEDFBBAFF58304F144229E419AB250D731A855CF90
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 6C9887C4
                                              • Part of subcall function 6C99BF38: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6C9995CB,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C99BF60
                                            • SetRectEmpty.USER32(?), ref: 6C988852
                                            Similarity
                                            • API ID: RectWindow$Empty
                                            • String ID: @
                                            • API String ID: 650961088-2766056989
                                            • Opcode ID: 08a0b4707104e5d20929b2e1271878b5c984d26ba30ba0952647f48c6951a0c3
                                            • Instruction ID: f2d2ec35df26d09f184b8126792bdfe04751f46f0b8629a3c39f822bf58e784a
                                            • Opcode Fuzzy Hash: 08a0b4707104e5d20929b2e1271878b5c984d26ba30ba0952647f48c6951a0c3
                                            • Instruction Fuzzy Hash: 31E12671E02219AFDF09CFA8C994AEEBBB5FF49314F14455AE815B7380DB30A941CB64
                                            APIs
                                              • Part of subcall function 6C99BC0C: GetWindowLongW.USER32(?,000000EC), ref: 6C99BC19
                                            • GetAsyncKeyState.USER32(00000011), ref: 6C9C282A
                                            • GetClientRect.USER32(?,?), ref: 6C9C29CC
                                            • SetScrollPos.USER32(00000000,00000002,?,00000001), ref: 6C9C2ABA
                                              • Part of subcall function 6C9BF295: GetClientRect.USER32(?,?), ref: 6C9BF2CF
                                              • Part of subcall function 6C9BF295: InflateRect.USER32(?,00000000,00000000), ref: 6C9BF309
                                              • Part of subcall function 6C9BF295: SetRectEmpty.USER32(?), ref: 6C9BF3AD
                                              • Part of subcall function 6C9BF295: SetRectEmpty.USER32(?), ref: 6C9BF3BA
                                              • Part of subcall function 6C9BF295: GetSystemMetrics.USER32(00000002), ref: 6C9BF3DF
                                              • Part of subcall function 6C9BF295: EqualRect.USER32(?,?), ref: 6C9BF4AC
                                            Similarity
                                            • API ID: Rect$ClientEmpty$AsyncEqualInflateLongMetricsScrollStateSystemWindow
                                            • String ID:
                                            • API String ID: 3234605627-0
                                            • Opcode ID: 17e8baf95ddadd44fe3d5238deca5bfb659bb1115fd82ff247922ffaa71d105d
                                            • Instruction ID: b81d7ec45339db9b66c043cff870e8ac0e0312faf238ca490bd708290c3dbe27
                                            • Opcode Fuzzy Hash: 17e8baf95ddadd44fe3d5238deca5bfb659bb1115fd82ff247922ffaa71d105d
                                            • Instruction Fuzzy Hash: 7AC1F030701A1A8BDF059F2484AC7BE77BAAF59308F141169D816ABB94DF74EC45CB83
                                            Similarity
                                            • API ID: Iconic
                                            • String ID:
                                            • API String ID: 110040809-0
                                            • Opcode ID: 112511600606a08642748e8c2c0ddfd4df045cdbd2f867f6be7b889d618700b2
                                            • Instruction ID: 5dc4e6239c19045a6ff6bd297d22dcd12a799b001b66743203705de8d79b8e88
                                            • Opcode Fuzzy Hash: 112511600606a08642748e8c2c0ddfd4df045cdbd2f867f6be7b889d618700b2
                                            • Instruction Fuzzy Hash: F9D01235155B70CBC7615E6AE4547C6B7BDBB49319B000A2ED08647D70DBE1D880CBC0
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6CA0239D
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CB37B2C,00000000,6CB37F04,00000000,6CB352FC,00000000,?,?,00000A88,6CA04849,?,00000000,00000038), ref: 6CA0243C
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CB352FC,00000000,?,?,00000A88,6CA04849,?,00000000,00000038), ref: 6CA024EF
                                            Similarity
                                            • API ID: File$CreateH_prolog3_ModuleName
                                            • String ID:
                                            • API String ID: 3408945735-3916222277
                                            • Opcode ID: 448b7d49ab0027a558e13bbb98fba3ac371e9424ea3bc50efaa4a7f2c5d07924
                                            • Instruction ID: eab818ee9543d74de5c428e3e2d40d7e496df85f56181870726875645b0bbb65
                                            • Opcode Fuzzy Hash: 448b7d49ab0027a558e13bbb98fba3ac371e9424ea3bc50efaa4a7f2c5d07924
                                            • Instruction Fuzzy Hash: 38C18072A00324ABDF219F60DC58FEE7778BB5A359F1406A4F909A3940DB749AC4CF61
                                            APIs
                                            • RegisterClipboardFormatW.USER32(Native), ref: 6CAC1716
                                            • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6CAC1723
                                            • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6CAC1731
                                            • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6CAC173F
                                            • RegisterClipboardFormatW.USER32(Embed Source), ref: 6CAC174D
                                            • RegisterClipboardFormatW.USER32(Link Source), ref: 6CAC175B
                                            • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6CAC1769
                                            • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6CAC1777
                                            • RegisterClipboardFormatW.USER32(FileName), ref: 6CAC1785
                                            • RegisterClipboardFormatW.USER32(FileNameW), ref: 6CAC1793
                                            • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6CAC17A1
                                            • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6CAC17AF
                                            Similarity
                                            • API ID: ClipboardFormatRegister
                                            • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                            • API String ID: 1228543026-2889995556
                                            • Opcode ID: ee3733dd8d68d41790b7bfb5a559b77ef21c366da6d882f845be2d8ba2b73a16
                                            • Instruction ID: 35cd028734c07fa2fd2f68a41e1a212d2d4c1a8dc5a7d21e35e9963a208d9a51
                                            • Opcode Fuzzy Hash: ee3733dd8d68d41790b7bfb5a559b77ef21c366da6d882f845be2d8ba2b73a16
                                            • Instruction Fuzzy Hash: 11114A75A407B09BCB316FF9980C41A7EB0BA062513445E1DB15EC7A00E735E644DF95
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C982EDB
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C982F30
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C982F48
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C982F60
                                            • GetObjectW.GDI32(00000004,00000018,?), ref: 6C982F80
                                            • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C982FA6
                                            • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6CAFDA40), ref: 6C982FC9
                                            • CreatePatternBrush.GDI32(?), ref: 6C982FDB
                                            • DeleteObject.GDI32(?), ref: 6C98300A
                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C98301B
                                            • GetPixel.GDI32(?,00000000,00000000), ref: 6C983063
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C983089
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C9830B1
                                            • FillRect.USER32(?,?,?), ref: 6C983113
                                              • Part of subcall function 6C984160: __EH_prolog3.LIBCMT ref: 6C984167
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C983141
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C98315C
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C983173
                                            • DeleteDC.GDI32(00000000), ref: 6C9831E0
                                            • DeleteDC.GDI32(00000000), ref: 6C9831FC
                                            • DeleteDC.GDI32(00000000), ref: 6C98321B
                                            Similarity
                                            • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
                                            • String ID:
                                            • API String ID: 308707564-0
                                            • Opcode ID: a5e719f55340011d01f949e5a64b99a22a6e495ea98902a66259b6a22cbc9556
                                            • Instruction ID: 59cc158731da8089205383d420dd53da2d22400e5e43ca155482b0b313e6504a
                                            • Opcode Fuzzy Hash: a5e719f55340011d01f949e5a64b99a22a6e495ea98902a66259b6a22cbc9556
                                            • Instruction Fuzzy Hash: 5CB1F3B2D02218AFDF219FE4CD849EEBB79FF28348F204528F515A7650DB319A45DB60
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6CA04391
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA043D9
                                            • GetObjectW.GDI32(?,00000018,?), ref: 6CA043FA
                                            • SelectObject.GDI32(?,?), ref: 6CA04435
                                            • CreateCompatibleDC.GDI32(?), ref: 6CA04462
                                            • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CA044CA
                                            • SelectObject.GDI32(?,00000000), ref: 6CA044E1
                                            • SelectObject.GDI32(?,00000000), ref: 6CA044F3
                                            • SelectObject.GDI32(?,00000000), ref: 6CA0450A
                                            • DeleteObject.GDI32(?), ref: 6CA04516
                                            Similarity
                                            • API ID: Object$Select$Create$Compatible$DeleteH_prolog3_Section
                                            • String ID: $(
                                            • API String ID: 1429849173-55695022
                                            • Opcode ID: 1d96dd847d63db75bdd5f84f062bf017cc781738a116c328ae649e6b9ffe8894
                                            • Instruction ID: 62971cbe057f810f911325f173ebada1b2d4c89c4dbb52bdede1fd4e2a0e78ff
                                            • Opcode Fuzzy Hash: 1d96dd847d63db75bdd5f84f062bf017cc781738a116c328ae649e6b9ffe8894
                                            • Instruction Fuzzy Hash: 0DB13A30A01268DFDF21DF65CC94B9EBBB5BF56345F1482EAE449A7251DB309A84CF20
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9A0A9C
                                            • CreateRectRgnIndirect.GDI32(?), ref: 6C9A0AD4
                                            • CopyRect.USER32(?,?), ref: 6C9A0AE8
                                            • InflateRect.USER32(?,?,?), ref: 6C9A0AFE
                                            • IntersectRect.USER32(?,?,?), ref: 6C9A0B0A
                                            • CreateRectRgnIndirect.GDI32(?), ref: 6C9A0B14
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9A0B29
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C9A0B43
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9A0B8A
                                            • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C9A0BA7
                                            • CopyRect.USER32(?,?), ref: 6C9A0BB2
                                            • InflateRect.USER32(?,?,?), ref: 6C9A0BC8
                                            • IntersectRect.USER32(?,?,?), ref: 6C9A0BD4
                                            • SetRectRgn.GDI32(?,?,?,?,?), ref: 6C9A0BE9
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C9A0BFA
                                            • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9A0C0E
                                            • CombineRgn.GDI32(?,?,?,00000003), ref: 6C9A0C28
                                              • Part of subcall function 6C9A09F1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C9A0A38
                                              • Part of subcall function 6C9A09F1: CreatePatternBrush.GDI32(00000000), ref: 6C9A0A45
                                              • Part of subcall function 6C9A09F1: DeleteObject.GDI32(00000000), ref: 6C9A0A51
                                            • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C9A0C86
                                              • Part of subcall function 6C9835E3: SelectObject.GDI32(?,00000000), ref: 6C983603
                                              • Part of subcall function 6C9835E3: SelectObject.GDI32(?,00000000), ref: 6C983619
                                              • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A5A
                                              • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A70
                                            • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C9A0CE9
                                            Similarity
                                            • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
                                            • String ID:
                                            • API String ID: 770706554-0
                                            • Opcode ID: aeb75fc9b46f5dde13a5ffaeea7ef2251a2a0ba5572ecde9f26da0368a0a8c63
                                            • Instruction ID: 5676cb413ed9732121c0c070b7784f0c5169c92f326d80e05fc7e19a176900b1
                                            • Opcode Fuzzy Hash: aeb75fc9b46f5dde13a5ffaeea7ef2251a2a0ba5572ecde9f26da0368a0a8c63
                                            • Instruction Fuzzy Hash: 4D9104B2A01228AFCF15DFE4CC98DEEBBB9FF59304B144519F906A3650DB34A905CB60
                                            APIs
                                            • InflateRect.USER32(?,00000004,00000004), ref: 6C9E6AC3
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9E6AD5
                                            • UpdateWindow.USER32(?), ref: 6C9E6ADE
                                            • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9E6B1F
                                            • DispatchMessageW.USER32(?), ref: 6C9E6B31
                                            • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9E6B41
                                            • GetCapture.USER32 ref: 6C9E6B4B
                                            • SetCapture.USER32(?), ref: 6C9E6B5C
                                            • GetCapture.USER32 ref: 6C9E6B68
                                            • GetWindowRect.USER32(?,?), ref: 6C9E6B90
                                            • SetCursorPos.USER32(?,?), ref: 6C9E6BB7
                                            • GetCapture.USER32 ref: 6C9E6BBD
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9E6BD6
                                            • DispatchMessageW.USER32(?), ref: 6C9E6C00
                                            • ReleaseCapture.USER32 ref: 6C9E6C40
                                            • IsWindow.USER32(?), ref: 6C9E6C49
                                            • SendMessageW.USER32(8589084D,00000010,00000000,00000000), ref: 6C9E6C62
                                            • SetTimer.USER32(?,0000EC05,00000000), ref: 6C9EA71C
                                            Similarity
                                            • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendTimerUpdate
                                            • String ID:
                                            • API String ID: 3094444671-0
                                            • Opcode ID: bb5688b06fe0b9a69dec71a2fd37f4d1858d5a8eecb0cdab13fa640e33c8d044
                                            • Instruction ID: 8a884641a1486fa271537015dc903a868accf88dec718272f18ba9077c87f8f7
                                            • Opcode Fuzzy Hash: bb5688b06fe0b9a69dec71a2fd37f4d1858d5a8eecb0cdab13fa640e33c8d044
                                            • Instruction Fuzzy Hash: 12B19231B05229ABDF159FA5DC48AAE7BB9FF69314F140529FA05E7A80DF30E844CB50
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA06297
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA062C5
                                            • GetObjectW.GDI32(?,00000018,?), ref: 6CA062DE
                                            • SelectObject.GDI32(?,?), ref: 6CA062FA
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CA0631B
                                            • SelectObject.GDI32(?,00000000), ref: 6CA0632C
                                            • CreateCompatibleDC.GDI32(?), ref: 6CA06346
                                            • SelectObject.GDI32(?,?), ref: 6CA0635B
                                            • SelectObject.GDI32(?,00000000), ref: 6CA0636C
                                            • DeleteObject.GDI32(?), ref: 6CA06375
                                            • BitBlt.GDI32(?,00000000,00000000,000000FF,?,?,00000000,00000000,00CC0020), ref: 6CA06395
                                            • GetPixel.GDI32(?,?,00000000), ref: 6CA063BB
                                            • SetPixel.GDI32(?,?,00000000,00000000), ref: 6CA06402
                                            • SelectObject.GDI32(?,?), ref: 6CA06429
                                            • SelectObject.GDI32(?,00000000), ref: 6CA06433
                                            • DeleteObject.GDI32(?), ref: 6CA0643B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
                                            • String ID:
                                            • API String ID: 3639146769-0
                                            • Opcode ID: 9368423fcb035888865673ca0e97f300a3e7faaeeb3e3e7fe72f66d48860a7a9
                                            • Instruction ID: aab4db0d80a5ed912c4b8f863f72c504d889b3e5fac362f6e716ff1e65c165d5
                                            • Opcode Fuzzy Hash: 9368423fcb035888865673ca0e97f300a3e7faaeeb3e3e7fe72f66d48860a7a9
                                            • Instruction Fuzzy Hash: 33517931A1122AEFCF119FA0DD54AEEBB79FF0934CB140129F815E3650DB319995CBA0
                                            APIs
                                            • GetKeyState.USER32(00000001), ref: 6C9A4AC9
                                            • GetCursorPos.USER32(?), ref: 6C9A4AEE
                                            • ScreenToClient.USER32(?,?), ref: 6C9A4AFB
                                            • GetCapture.USER32 ref: 6C9A4B6D
                                            • ClientToScreen.USER32(?,?), ref: 6C9A4BB0
                                            • WindowFromPoint.USER32(?,?), ref: 6C9A4BBC
                                            • IsChild.USER32(?,?), ref: 6C9A4BD4
                                            • KillTimer.USER32(?,0000EC0A), ref: 6C9A4C14
                                            • KillTimer.USER32(?,0000EC09), ref: 6C9A4C3D
                                              • Part of subcall function 6C98ED80: GetForegroundWindow.USER32 ref: 6C98ED8D
                                              • Part of subcall function 6C98ED80: GetLastActivePopup.USER32(?), ref: 6C98ED9E
                                            • GetParent.USER32(?), ref: 6C9A4C94
                                            • IsAppThemed.UXTHEME ref: 6C9A4CEE
                                            • OpenThemeData.UXTHEME(?,REBAR), ref: 6C9A4D00
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
                                            • String ID: REBAR
                                            • API String ID: 214255902-925029515
                                            • Opcode ID: b95b0f9d8eecaf471e78a10fc073650f5811f081fe55b86e7cadd3f8aa19d8dd
                                            • Instruction ID: fc03c902196140fa357a103892468ac8244e994ed94dae8bc3dfb44148cc9964
                                            • Opcode Fuzzy Hash: b95b0f9d8eecaf471e78a10fc073650f5811f081fe55b86e7cadd3f8aa19d8dd
                                            • Instruction Fuzzy Hash: E761A131B00219AFDF059FE4C894AAEBB79BF54318B140669E816D7A90EF30DD02CF91
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C9A619D
                                            • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C9A61AD
                                            • EncodePointer.KERNEL32(00000000,?,?), ref: 6C9A61B6
                                            • DecodePointer.KERNEL32(00000000,?,?), ref: 6C9A61C4
                                            • GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C9A61EB
                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9A61FB
                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9A622F
                                            • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9A6262
                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9A6272
                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9A62AF
                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9A62EA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
                                            • String ID: GetThreadPreferredUILanguages$kernel32.dll
                                            • API String ID: 404278886-1646127487
                                            • Opcode ID: 0566f9a4b5595733911984a74849605238acbf3326fdc7a261fa4ef8de72d6d9
                                            • Instruction ID: a10a67258ed825568c2e0f83e7bfc6fb2c5759fef6390efc1ef4bcf4533a2369
                                            • Opcode Fuzzy Hash: 0566f9a4b5595733911984a74849605238acbf3326fdc7a261fa4ef8de72d6d9
                                            • Instruction Fuzzy Hash: 5A5109B2A0021AAFCB15DFA8C984DFE77BDEF49308F110155E506E7650DB34EA09CBA1
                                            APIs
                                              • Part of subcall function 6C9A0207: GetFocus.USER32 ref: 6C9A020B
                                              • Part of subcall function 6C9A0207: GetParent.USER32(00000000), ref: 6C9A022C
                                              • Part of subcall function 6C9A0207: GetWindowLongW.USER32(00000000,000000F0), ref: 6C9A024B
                                              • Part of subcall function 6C9A0207: GetParent.USER32(00000000), ref: 6C9A0259
                                              • Part of subcall function 6C9A0207: GetDesktopWindow.USER32 ref: 6C9A0261
                                              • Part of subcall function 6C9A0207: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C9A0275
                                            • GetMenu.USER32(?), ref: 6C994C69
                                            • GetMenuItemCount.USER32(?), ref: 6C994CA7
                                            • GetSubMenu.USER32(?,00000000), ref: 6C994CBD
                                            • GetMenuItemCount.USER32(?), ref: 6C994CE2
                                            • GetMenuItemID.USER32(?,00000000), ref: 6C994CFC
                                            • GetSubMenu.USER32(?,?), ref: 6C994D18
                                            • GetMenuItemID.USER32(?,00000000), ref: 6C994D30
                                            • GetMenuItemCount.USER32(?), ref: 6C994D51
                                            • GetMenuItemID.USER32(?,?), ref: 6C994D87
                                            • SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6C994E43
                                            • UpdateWindow.USER32(?), ref: 6C994E64
                                            • GetKeyState.USER32(00000079), ref: 6C994E82
                                            • GetKeyState.USER32(00000012), ref: 6C994E93
                                            • GetParent.USER32(?), ref: 6C994F55
                                            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C994F6F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountMessageParentWindow$SendState$DesktopFocusLongPostUpdate
                                            • String ID:
                                            • API String ID: 1315724587-0
                                            • Opcode ID: 62bcef8026c9ac6c6c8bd2afd882305603ac7da8bdeb0eef7ddc7974729890a0
                                            • Instruction ID: 005e48eaf5fd847ea590955b41ec8e1a19008405079af4981214f19298f718d6
                                            • Opcode Fuzzy Hash: 62bcef8026c9ac6c6c8bd2afd882305603ac7da8bdeb0eef7ddc7974729890a0
                                            • Instruction Fuzzy Hash: 25C19435B0161AEFDF069F65C844BADBBB9BF45314F188169E825A7A50DB30E850CF90
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C982C26
                                            • GetSysColor.USER32(00000014), ref: 6C982C5D
                                              • Part of subcall function 6C983367: __EH_prolog3.LIBCMT ref: 6C98336E
                                              • Part of subcall function 6C983367: CreateSolidBrush.GDI32(6C98F82B), ref: 6C983389
                                            • GetSysColor.USER32(00000010), ref: 6C982C72
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C982C86
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C982C9E
                                            • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6C982CC1
                                            • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C982CE2
                                            • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C982D03
                                              • Part of subcall function 6C983D86: SelectObject.GDI32(6C98F82B,?), ref: 6C983D8F
                                            • GetPixel.GDI32(?,00000000,00000000), ref: 6C982D4B
                                              • Part of subcall function 6C983696: SetBkColor.GDI32(?,6C98F82B), ref: 6C9836AB
                                              • Part of subcall function 6C983696: SetBkColor.GDI32(?,6C98F82B), ref: 6C9836BD
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C982D74
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C982D9E
                                            • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C982E09
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C982E32
                                            • DeleteDC.GDI32(00000000), ref: 6C982EA7
                                            • DeleteDC.GDI32(00000000), ref: 6C982EC6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
                                            • String ID:
                                            • API String ID: 2254850417-0
                                            • Opcode ID: 93e5ffce0e5b51a8f94f45c034748be75afb0ffd700ba56252f348331ddbbab9
                                            • Instruction ID: af703db34fb64d7345ff1da4ba2144afa914cb83b07b19c7e202c98f93f4672c
                                            • Opcode Fuzzy Hash: 93e5ffce0e5b51a8f94f45c034748be75afb0ffd700ba56252f348331ddbbab9
                                            • Instruction Fuzzy Hash: 36814872902218AFDF129FE4CD45AEEBB79BF28304F100528F515B76A0DB719A49DB60
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9BEE55
                                            • GetClientRect.USER32(?,?), ref: 6C9BEE73
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C9BEEAC
                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9BEF01
                                            • CreateDIBSection.GDI32(?,?), ref: 6C9BEF73
                                            • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C9BEFAC
                                            • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C9BEFDF
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C9BF047
                                            • GetWindowRect.USER32(?,?), ref: 6C9BF0B6
                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C9BF206
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
                                            • String ID: (
                                            • API String ID: 2918208214-3887548279
                                            • Opcode ID: e9e79fd07e7a1f7dd166a42e04f1e514be90cd33373c4c216539cc13874c7468
                                            • Instruction ID: 133f78b59d1bf5d7931dafe5f00593f18f2f66b0f10bae862ccd5d56ddc537b8
                                            • Opcode Fuzzy Hash: e9e79fd07e7a1f7dd166a42e04f1e514be90cd33373c4c216539cc13874c7468
                                            • Instruction Fuzzy Hash: 91D13979A01659EFDF15CFA8C984AEEBBB9FF08308F104229E519A7610D730AD55CF50
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA0CED5
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                            • GetWindowRect.USER32(?,?), ref: 6CA0CFBB
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                              • Part of subcall function 6CA0EBDB: GetWindowRect.USER32(?,?), ref: 6CA0EBE9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3RectWindow$Ctrl
                                            • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                                            • API String ID: 2598721110-2628993547
                                            • Opcode ID: 7ad5ab516860c719889cba0afa43d70a9834aede94fe3430b45f28386e91af9a
                                            • Instruction ID: b89be159ef58ba3704d1a6424655d48000465a173e66c8a4871ccc13bd7cb002
                                            • Opcode Fuzzy Hash: 7ad5ab516860c719889cba0afa43d70a9834aede94fe3430b45f28386e91af9a
                                            • Instruction Fuzzy Hash: 4B814935A00219DFCF05DFA4C8949FEBB76BF99314F590468E926AB3A1DB31A805CF50
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9E8114
                                            • GetWindowRect.USER32(?,?), ref: 6C9E81A8
                                            • SetRect.USER32(?,00000000,00000000,?,?), ref: 6C9E81C9
                                            • CreateCompatibleDC.GDI32(?), ref: 6C9E81D5
                                            • CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6C9E81FF
                                            • GetWindowRect.USER32(?,?), ref: 6C9E8254
                                            • GetClientRect.USER32(?,?), ref: 6C9E8261
                                            • OffsetRect.USER32(?,?,?), ref: 6C9E8282
                                            • IsRectEmpty.USER32(?), ref: 6C9E82B2
                                            • SetRectEmpty.USER32(?), ref: 6C9E8345
                                            • InflateRect.USER32(?,000000FE,00000000), ref: 6C9E85C5
                                            • CreateRectRgnIndirect.GDI32(?), ref: 6C9E82BD
                                              • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A5A
                                              • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A70
                                            • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6C9E86A7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Create$ClipCompatibleEmptySelectWindow$BitmapClientH_prolog3_IndirectInflateOffset
                                            • String ID:
                                            • API String ID: 3231449308-0
                                            • Opcode ID: 7d7b0f3ffd2159693814a929a424a4352aeb9ce05e00f79ee3efe82c67fe0b7b
                                            • Instruction ID: d86ecdd50e746b8dbe42fd8a9c183230c5348524b9dd71240478d2683563c3cf
                                            • Opcode Fuzzy Hash: 7d7b0f3ffd2159693814a929a424a4352aeb9ce05e00f79ee3efe82c67fe0b7b
                                            • Instruction Fuzzy Hash: 8102F831A001299FCF26DFA4CC54BEDB7B9BF59304F14429AE51AA7650EB30AE85CF50
                                            APIs
                                            • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9C0692
                                            • DispatchMessageW.USER32(?), ref: 6C9C06A0
                                            • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9C06AE
                                            • GetCapture.USER32 ref: 6C9C06B8
                                            • SetCapture.USER32(?), ref: 6C9C06CC
                                            • GetWindowRect.USER32(?,?), ref: 6C9C06E9
                                            • GetCapture.USER32 ref: 6C9C075C
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9C0779
                                            • DispatchMessageW.USER32(?), ref: 6C9C079F
                                            • GetScrollPos.USER32(00000000,00000002), ref: 6C9C08BC
                                            • RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 6C9C08D9
                                            • ReleaseCapture.USER32 ref: 6C9C097B
                                            • IsWindow.USER32(?), ref: 6C9C0984
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            Similarity
                                            • API ID: Message$Capture$Window$Dispatch$PeekRectRedrawReleaseScroll
                                            • String ID:
                                            • API String ID: 1873598099-0
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA0CCD8
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                              • Part of subcall function 6CA0A024: __EH_prolog3.LIBCMT ref: 6CA0A02B
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3$Ctrl
                                            • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                                            • API String ID: 3879667756-2628993547
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA36FFA
                                            • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6CA37011
                                              • Part of subcall function 6CA36F50: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6CA36FC7
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA37091
                                            • SelectObject.GDI32(?,00000018), ref: 6CA370A4
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA370C2
                                            • SelectObject.GDI32(?,?), ref: 6CA370D7
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CA370F6
                                            • SelectObject.GDI32(?,00000000), ref: 6CA37104
                                            • SelectObject.GDI32(?,00000000), ref: 6CA3710E
                                            Strings
                                            Similarity
                                            • API ID: Object$Select$Create$Compatible$H_prolog3Section
                                            • String ID:
                                            • API String ID: 2431383920-3916222277
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9BE8B2
                                            • GetClientRect.USER32(?,?), ref: 6C9BE8D0
                                            • SetRectEmpty.USER32(?), ref: 6C9BE924
                                            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BE96F
                                            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BE9F8
                                            • GetWindowRect.USER32(?,?), ref: 6C9BEA1D
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C9BEA49
                                            • OffsetRect.USER32(?,00000000,00000000), ref: 6C9BEAF7
                                            • InflateRect.USER32(?,00000000,00000000), ref: 6C9BEB55
                                            • IsRectEmpty.USER32(?), ref: 6C9BEC53
                                            • IsRectEmpty.USER32(?), ref: 6C9BEDE3
                                            Similarity
                                            • API ID: Rect$EmptyWindow$Points$ClientH_prolog3_InflateOffset
                                            • String ID:
                                            • API String ID: 302641110-0
                                            APIs
                                            • EnableMenuItem.USER32(?,0000420F,00000001), ref: 6C9B61DC
                                            • EnableMenuItem.USER32(?,0000420E,00000001), ref: 6C9B61F7
                                            • CheckMenuItem.USER32(?,00004214,00000008), ref: 6C9B622B
                                            • CheckMenuItem.USER32(?,00004212,00000008), ref: 6C9B623D
                                            • CheckMenuItem.USER32(?,00004213,00000008), ref: 6C9B6250
                                            • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9B6272
                                            • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9B62A1
                                            • EnableMenuItem.USER32(?,00004213,00000001), ref: 6C9B62B0
                                            • EnableMenuItem.USER32(?,00004214,00000001), ref: 6C9B62BF
                                            • EnableMenuItem.USER32(?,00004215,00000001), ref: 6C9B6311
                                            • CheckMenuItem.USER32(?,00004215,00000008), ref: 6C9B6329
                                            Similarity
                                            • API ID: ItemMenu$Enable$Check
                                            • String ID:
                                            • API String ID: 1852492618-0
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9A802D
                                            • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C9A8205
                                            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C9A83CD
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C9A83F3
                                            • UpdateWindow.USER32(?), ref: 6C9A8415
                                            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C9A84D2
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C9A84F8
                                            • UpdateWindow.USER32(?), ref: 6C9A851A
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
                                            • String ID: :/\
                                            • API String ID: 2009545923-2793184486
                                            APIs
                                              • Part of subcall function 6C9A583D: __EH_prolog3_catch.LIBCMT ref: 6C9A5844
                                            • GetModuleHandleW.KERNEL32(comctl32.dll,6C9FC9ED,?,00000000,?,?,6C9AC8E4,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC8A1
                                            • GetUserDefaultUILanguage.KERNEL32(?,?,6C9AC8E4,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC8B1
                                            • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6C9AC8E4,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC8EF
                                            • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6C9AC8E4,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC90E
                                            • LoadResource.KERNEL32(00000000,00000000,?,?,6C9AC8E4,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC91A
                                              • Part of subcall function 6C9FCA2B: GetDC.USER32(00000000), ref: 6C9FCA7E
                                              • Part of subcall function 6C9FCA2B: EnumFontFamiliesExW.GDI32(00000000,?,6C9FCA15,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C9FCA99
                                              • Part of subcall function 6C9FCA2B: ReleaseDC.USER32(00000000,00000000), ref: 6C9FCAA1
                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6C9AB741,?,?), ref: 6C9FC94A
                                            • GlobalFree.KERNEL32(00000001), ref: 6C9FC9C2
                                            Strings
                                            Similarity
                                            • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
                                            • String ID: MS UI Gothic$comctl32.dll
                                            • API String ID: 1488066090-3248924666
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 6C9C2B97
                                            • ScreenToClient.USER32(?,?), ref: 6C9C2BA4
                                            • PtInRect.USER32(?,?,?), ref: 6C9C2BE3
                                            • PtInRect.USER32(?,?,?), ref: 6C9C2C08
                                            • KillTimer.USER32(0000EC16,0000EC16), ref: 6C9C2C3B
                                            • InvalidateRect.USER32(00000001,?,00000001), ref: 6C9C2C53
                                            • InvalidateRect.USER32(00000001,?,00000001), ref: 6C9C2C65
                                            • KillTimer.USER32(00000000,0000EC15), ref: 6C9C2DCC
                                            • ValidateRect.USER32(00000000,00000000), ref: 6C9C2DF9
                                            • RedrawWindow.USER32(00000000,00000000,00000000,00000185,00000000,00000000,00000000), ref: 6C9C2E36
                                            Similarity
                                            • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
                                            • String ID:
                                            • API String ID: 1459077570-0
                                            APIs
                                            Similarity
                                            • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                                            • String ID:
                                            • API String ID: 2135910768-0
                                            APIs
                                              • Part of subcall function 6C98B928: __EH_prolog3_catch.LIBCMT ref: 6C98B92F
                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6CA328E4
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6CA32919
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6CA32944
                                            • LoadIconW.USER32(?,00000000), ref: 6CA32979
                                            • LoadIconW.USER32(00000000,00007F00), ref: 6CA3298C
                                            • GetClassLongW.USER32(?,000000F2), ref: 6CA329BB
                                            • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CA32A44
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6CA32A06
                                              • Part of subcall function 6C9D162E: __EH_prolog3_catch.LIBCMT ref: 6C9D1638
                                              • Part of subcall function 6C9D162E: CloseHandle.KERNEL32(00000000,?,00000000,00000080,6CA33131,?,00000000,?,?,00000000), ref: 6C9D1673
                                              • Part of subcall function 6C9D162E: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6CA33131,?,00000000,?,?,00000000), ref: 6C9D1694
                                              • Part of subcall function 6C9D162E: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C9D16E9
                                            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CA32AFB
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CA32B15
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSend$H_prolog3_catchIconLoad$ClassCloseCreateFileHandleLongPathTemp
                                            • String ID:
                                            • API String ID: 2083023585-0
                                            • Opcode ID: a99b2de0b4bc770a1443174127ba8368bee43d140ab5630adf67ccd970bc84e7
                                            • Instruction ID: 3e776bec88a24b1232c23091574fce7ff9027a48a0e32298bf097db8eb211ebd
                                            • Opcode Fuzzy Hash: a99b2de0b4bc770a1443174127ba8368bee43d140ab5630adf67ccd970bc84e7
                                            • Instruction Fuzzy Hash: 3B719C35701624AFDF259F50CC98BAE3B75EF45725F18027AE919AB391CB71A840CFA0
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6CA04CBE
                                            • GetObjectW.GDI32(?,00000018,?), ref: 6CA04CE3
                                            • GetObjectW.GDI32(?,00000054,?), ref: 6CA04D28
                                            • CreateCompatibleDC.GDI32(00000000), ref: 6CA04E14
                                            • SelectObject.GDI32(?,?), ref: 6CA04E36
                                            • GetPixel.GDI32(?,00000000,00000000), ref: 6CA04E95
                                            • GetPixel.GDI32(?,?,00000000), ref: 6CA04EA7
                                            • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6CA04EB6
                                            • SetPixel.GDI32(?,?,00000000,00000000), ref: 6CA04EC8
                                            • SelectObject.GDI32(?,00000000), ref: 6CA04F16
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                                            • String ID:
                                            • API String ID: 1266819874-0
                                            • Opcode ID: c3fabc3a87d03c451eed7f157588b42db5c31ecfc85acf7510e181acce0a3d6e
                                            • Instruction ID: 22a0cb1c62834ef3c083b78520b9b7b31671093a175a13c991e8e3ac62225994
                                            • Opcode Fuzzy Hash: c3fabc3a87d03c451eed7f157588b42db5c31ecfc85acf7510e181acce0a3d6e
                                            • Instruction Fuzzy Hash: 80811771E002288BDF21CFA9DC84A9DBBB5FF59748F248169E858A7701DB30AD85CF50
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 6C9BCAB8
                                            • ScreenToClient.USER32(?,?), ref: 6C9BCAC5
                                            • KillTimer.USER32(?,0000EC17), ref: 6C9BCADD
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCB0C
                                            • KillTimer.USER32(?,0000EC18), ref: 6C9BCB9B
                                            • GetParent.USER32(?), ref: 6C9BCBB0
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCBDC
                                            • KillTimer.USER32(?,0000EC07), ref: 6C9BCC3B
                                            • GetClientRect.USER32(?,?), ref: 6C9BCC4F
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCC5F
                                              • Part of subcall function 6C99BF95: ShowWindow.USER32(?,00000000,?,?,6C99977A,00000000), ref: 6C99BFA6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$KillTimer$Client$CursorParentScreenShowWindow
                                            • String ID:
                                            • API String ID: 966434589-0
                                            • Opcode ID: 22e32a0a3a3dc0b8af5e02e5b978c9bcde6fc638eaea24bf491a82119e6d37fe
                                            • Instruction ID: c8854759fd133c65966b594086b41a82fb2b74cf3e5b29d0a63bf5f672002c68
                                            • Opcode Fuzzy Hash: 22e32a0a3a3dc0b8af5e02e5b978c9bcde6fc638eaea24bf491a82119e6d37fe
                                            • Instruction Fuzzy Hash: D151A431B0062AEFDF05AFA4C848AAEBB79FF55309F14021AF815B7650DB34E851CB90
                                            APIs
                                            • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C9A4E5F
                                            • GetWindowRect.USER32(?,?), ref: 6C9A4E7E
                                            • SetRect.USER32(?,?,00000000,?,?), ref: 6C9A4EBD
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9A4ECC
                                            • SetRect.USER32(?,?,00000000,?,?), ref: 6C9A4EE4
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9A4EF3
                                            • SetRect.USER32(?,00000000,?,?,?), ref: 6C9A4F1B
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9A4F2A
                                            • SetRect.USER32(?,00000000,?,00000001,?), ref: 6C9A4F41
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9A4F50
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Invalidate$Window$Proc
                                            • String ID:
                                            • API String ID: 570070710-0
                                            • Opcode ID: 32add838232e0d72e50078ba04d3323d9c87d76ae93605c7e6e25311951232bb
                                            • Instruction ID: 23c056f61e7eeadf9437f5756f4f7c8a5d508974d93a548e9fea1653b396f535
                                            • Opcode Fuzzy Hash: 32add838232e0d72e50078ba04d3323d9c87d76ae93605c7e6e25311951232bb
                                            • Instruction Fuzzy Hash: EB411A72A00219AFDB21DFE4CD49FAFBBB9FB09304F200219F645A3190DB71A940CB61
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C9A27A3
                                            • ClientToScreen.USER32(?,?), ref: 6C9A27C2
                                            • GetSystemMetrics.USER32(00000025), ref: 6C9A27CA
                                            • GetSystemMetrics.USER32(00000025), ref: 6C9A27E0
                                            • GetSystemMetrics.USER32(00000024), ref: 6C9A27F4
                                            • GetSystemMetrics.USER32(00000024), ref: 6C9A2808
                                            • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020,?,00007921,?,?,?,?,00000010), ref: 6C9A2881
                                            • SetWindowRgn.USER32(?,?,00000001), ref: 6C9A2898
                                            • SetCapture.USER32(?,?,00007921,?,?,?,?,00000010), ref: 6C9A28A1
                                            • SetTimer.USER32(?,0000EC08,00000032,00000000), ref: 6C9A28BA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MetricsSystem$CaptureClientCreateEllipticH_prolog3ScreenTimerWindow
                                            • String ID:
                                            • API String ID: 3001615190-0
                                            • Opcode ID: 53cbcb384f3add66b45e7b49e40877c3aa953886a139db27dc654e76c794f457
                                            • Instruction ID: 50bb7ba689c7dd7f596b72e46026c5ab57cad80dab49868e962ae511a67028e5
                                            • Opcode Fuzzy Hash: 53cbcb384f3add66b45e7b49e40877c3aa953886a139db27dc654e76c794f457
                                            • Instruction Fuzzy Hash: 6A317A71700711AFEB189FB8CC49FAEBB79FF48705F104619B649AB281DB70A810CB90
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                            • EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • DecodePointer.KERNEL32(00000000), ref: 6C98AAB1
                                            • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C98AAD9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                                            • String ID: SetDefaultDllDirectories$\$kernel32.dll
                                            • API String ID: 2101061299-3881611067
                                            • Opcode ID: 91b35070120c4b11c64bcaed4938cb9ca90ef7f8248eed49e3e121aef2051f2f
                                            • Instruction ID: 75e3d12259b034bf90066f8ad5a6ab57b0923c18a9dc9b35011dd425ca0d6f7e
                                            • Opcode Fuzzy Hash: 91b35070120c4b11c64bcaed4938cb9ca90ef7f8248eed49e3e121aef2051f2f
                                            • Instruction Fuzzy Hash: 0521C675A42128A7DB20DEB68D48F9F3BFDAF15718F040965E809E3980EF68D6448691
                                            APIs
                                            • GetStockObject.GDI32(00000011), ref: 6C9ACDD6
                                            • GetStockObject.GDI32(0000000D), ref: 6C9ACDE2
                                            • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C9ACDF3
                                            • GetDC.USER32(00000000), ref: 6C9ACE02
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C9ACE19
                                            • MulDiv.KERNEL32(?,00000048,00000000), ref: 6C9ACE25
                                            • ReleaseDC.USER32(00000000,00000000), ref: 6C9ACE31
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Object$Stock$CapsDeviceRelease
                                            • String ID: System
                                            • API String ID: 46613423-3470857405
                                            • Opcode ID: d37289fab199c1e77a472009e84b79c45c62f6e7e7696a6e1ddddd9a5a5d6d9f
                                            • Instruction ID: 9a72fef8c1a12ca426385185eb28c992fc3efa05f9ab217cd2cfc3aa9b9b1836
                                            • Opcode Fuzzy Hash: d37289fab199c1e77a472009e84b79c45c62f6e7e7696a6e1ddddd9a5a5d6d9f
                                            • Instruction Fuzzy Hash: AC114F75700328ABEF14AFE58C49BAE7BB9FB55745F204119F60ADB280DB61DC058660
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$ActiveFocus$MessageSend
                                            • String ID: u
                                            • API String ID: 1556911595-4067256894
                                            • Opcode ID: 5903c382a5d9313f1da26233ceb02c10b3a6c3533145853f97e2b43b9c014d75
                                            • Instruction ID: be367e8aa9833754388ff89538e5339df83bec469f85fc64e68ee1886b40ce09
                                            • Opcode Fuzzy Hash: 5903c382a5d9313f1da26233ceb02c10b3a6c3533145853f97e2b43b9c014d75
                                            • Instruction Fuzzy Hash: AF11E63B6036346BDB212BB4CC58A6E3B7CEB45309B248A24F916C7995CB74C40897C0
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA9C7F0
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(6CB58410,?,?,0000007C,?,6C98F878,00000001), ref: 6C9A34F1
                                              • Part of subcall function 6C9A34C0: InitializeCriticalSection.KERNEL32(00000000,?,6C98F878,00000001), ref: 6C9A3507
                                              • Part of subcall function 6C9A34C0: LeaveCriticalSection.KERNEL32(6CB58410,?,6C98F878,00000001), ref: 6C9A3515
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C98F878,00000001), ref: 6C9A3522
                                            • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6CA9C83B
                                            • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6CA9C84E
                                            • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6CA9C861
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
                                            • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
                                            • API String ID: 4229786687-1024936294
                                            • Opcode ID: 8fe1174f8b16155e0d1ded70f23c6fb681eec1db1e314ddd7195927b1e13ebb2
                                            • Instruction ID: af5d8d6446736e446d517fa6ed594efbaea73236d6d4d7518d1c01252850c526
                                            • Opcode Fuzzy Hash: 8fe1174f8b16155e0d1ded70f23c6fb681eec1db1e314ddd7195927b1e13ebb2
                                            • Instruction Fuzzy Hash: 30015EF1E053809EDF219FB4880975D7AF8BB15B18F45161DE249D7E80C7B69146CB08
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C99A30F
                                              • Part of subcall function 6C9C5F29: LoadCursorW.USER32(?,00007F00), ref: 6C9C5F8B
                                            • GetSystemMenu.USER32(?,00000000,00000000,00000000,6CB38060,?,6CB509DC), ref: 6C99A380
                                            • DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 6C99A3A3
                                            • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C99A3B3
                                            • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C99A3C3
                                            • DeleteMenu.USER32(?,0000F120,00000000), ref: 6C99A3D3
                                            • DeleteMenu.USER32(00000000,0000F060,00000000,0000F011), ref: 6C99A406
                                            • AppendMenuW.USER32(00000000,00000000,0000F060,?), ref: 6C99A41A
                                            • SetParent.USER32(?,?), ref: 6C99A467
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$AppendCursorH_prolog3LoadParentSystem
                                            • String ID:
                                            • API String ID: 2353656248-0
                                            • Opcode ID: 0b7f7bd3fb9f5f8cfe36ac53010164905d4328b6953d9b3d03faedb6c896c9be
                                            • Instruction ID: 1f93333f1766d1e42adcfbf9c337a860ee52de76317b4c04b11b595fed9f6bdb
                                            • Opcode Fuzzy Hash: 0b7f7bd3fb9f5f8cfe36ac53010164905d4328b6953d9b3d03faedb6c896c9be
                                            • Instruction Fuzzy Hash: A441F931B40716AFEB209FA0CD49FAE7778FF14708F144524B655A75D1DB70A900DB94
                                            APIs
                                            • GetPropW.USER32(?,?), ref: 6C9AC202
                                            • GlobalLock.KERNEL32(00000000), ref: 6C9AC20F
                                            • SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6C9AC22A
                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C9AC235
                                            • RemovePropW.USER32(?), ref: 6C9AC244
                                            • GlobalFree.KERNEL32(00000000), ref: 6C9AC24F
                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C9AC271
                                            • GetAsyncKeyState.USER32(00000011), ref: 6C9AC282
                                            • SendMessageW.USER32(?,00000475,00000000,?), ref: 6C9AC2AA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
                                            • String ID:
                                            • API String ID: 723318029-0
                                            • Opcode ID: e9bc90b91deff1408280dd5680bbd499e2d5413fb17a3f4e17b3efbcd9054286
                                            • Instruction ID: 45a8b43a86c6c0bb5e11e95fbb9070f0ed515e3b56ee5775a110d38e12d331f6
                                            • Opcode Fuzzy Hash: e9bc90b91deff1408280dd5680bbd499e2d5413fb17a3f4e17b3efbcd9054286
                                            • Instruction Fuzzy Hash: CA21CF323042A5ABDF217FE1CC88B5A3B7DFF46749F144229F90A9B950DB72D442CA94
                                            APIs
                                            • GetDlgItem.USER32(?,?), ref: 6C9AC725
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C9AC734
                                            • IsWindowEnabled.USER32(00000000), ref: 6C9AC742
                                            • GetDlgItem.USER32(?,00003024), ref: 6C9AC759
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C9AC765
                                            • IsWindowEnabled.USER32(?), ref: 6C9AC775
                                            • GetFocus.USER32 ref: 6C9AC796
                                            • IsWindowEnabled.USER32(00000000), ref: 6C9AC79D
                                            • SetFocus.USER32(?), ref: 6C9AC7AA
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Enabled$FocusItemLong
                                            • String ID:
                                            • API String ID: 1558694495-0
                                            • Opcode ID: 2f8cf604bca66bb791b423b5dfa27c9b85af52b8360236edf8233296ee487ed1
                                            • Instruction ID: d25a5fe741417b613d2b3ac5c6c6544cf7b10ee2ab8b5e54b108d2afebf4913b
                                            • Opcode Fuzzy Hash: 2f8cf604bca66bb791b423b5dfa27c9b85af52b8360236edf8233296ee487ed1
                                            • Instruction Fuzzy Hash: CE11AE32700135ABDF023FE9CC48B5E7B79BB46B54B140225F919972A0DB32D812CB80
                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 6C9B0AA1
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                            • IsWindow.USER32(?), ref: 6C9B0BD4
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CtrlH_prolog3H_prolog3_catchWindow
                                            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
                                            • API String ID: 1537839037-190999575
                                            • Opcode ID: 2a7c7ac7b0dbbb5442eb16f4730bbd37f132e8aad06d8ab2928cde03b608e175
                                            • Instruction ID: e10a64adbae0af69e4ebb899eae28bd511e253cd05020ae9a13dbbc47d2942bd
                                            • Opcode Fuzzy Hash: 2a7c7ac7b0dbbb5442eb16f4730bbd37f132e8aad06d8ab2928cde03b608e175
                                            • Instruction Fuzzy Hash: 1271AC75E00219EFCF01CFA4C950AEEBBB9AF69318F140059E815B7790DB30AE05CBA1
                                            APIs
                                            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C99F323,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C9A6638
                                            • GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C9A6648
                                            • EncodePointer.KERNEL32(00000000,?,?,6C99F323,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C9A6651
                                            • DecodePointer.KERNEL32(00000000,?,?,6C99F323,?,00000000,?,?,?,000000FF,?,?,00000040), ref: 6C9A665F
                                            • DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?,?,?,6C99F323,?,00000000,?,?), ref: 6C9A66AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
                                            • String ID: DrawThemeTextEx$uxtheme.dll
                                            • API String ID: 1727381832-3035683158
                                            • Opcode ID: ae19a8d243794997370a866d4cf585cee61c34b7a0ee719e61e29e0e5c72ff32
                                            • Instruction ID: 76d07a6f4492ed8a0abff0db63b0adfba69fe939a02a4e0734f329edcce7f7fe
                                            • Opcode Fuzzy Hash: ae19a8d243794997370a866d4cf585cee61c34b7a0ee719e61e29e0e5c72ff32
                                            • Instruction Fuzzy Hash: F411B336641269EBCF125FE4DC08DEE3FBABB0D355B454110FE19A6120D732D861EB94
                                            APIs
                                            • GetParent.USER32(000000FF), ref: 6C9BC541
                                            • SendMessageW.USER32(000000FF,00000362,0000E001,00000000), ref: 6C9BC57D
                                              • Part of subcall function 6C9BC832: GetParent.USER32(000000FF), ref: 6C9BC842
                                            • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C9BC59C
                                            • GetParent.USER32(000000FF), ref: 6C9BC655
                                            • PostMessageW.USER32(?,?,?,00000000), ref: 6C9BC709
                                            • GetParent.USER32(000000FF), ref: 6C9BC773
                                            • InvalidateRect.USER32(000000FF,000000FF,00000001,000000FF,?,?), ref: 6C9BC7EC
                                            • UpdateWindow.USER32(000000FF), ref: 6C9BC7F8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Parent$Message$Send$InvalidatePostRectUpdateWindow
                                            • String ID:
                                            • API String ID: 4048132615-0
                                            • Opcode ID: ab903fe1e92ece1fcac0c155b79e3559a578d3536d4c818e2fdb9996cc35e5be
                                            • Instruction ID: d8f64ab8a757b04a71add87758038b898ace7753967db966c075fedc5ef11234
                                            • Opcode Fuzzy Hash: ab903fe1e92ece1fcac0c155b79e3559a578d3536d4c818e2fdb9996cc35e5be
                                            • Instruction Fuzzy Hash: B2917131A0121AAFDF04AF69C994EAF7BB9BF59718B140169E805F7790DF70D841CB90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
                                            • String ID:
                                            • API String ID: 3509494761-0
                                            • Opcode ID: a0fbd36e4a4acb37e670caf00dd1e922928ad6aa2c61069b869bc7a55073d376
                                            • Instruction ID: 4bcb22ecb493cf1f03b441fa931b45eba4ccd9f9ddb5866aca5e69cdafe1348e
                                            • Opcode Fuzzy Hash: a0fbd36e4a4acb37e670caf00dd1e922928ad6aa2c61069b869bc7a55073d376
                                            • Instruction Fuzzy Hash: 3E51A0317002299BDF069F64D898BAE3BB9BF05749F0800B9EC469F691DB719C48CBD0
                                            APIs
                                            • GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6CA065D6,00000000,00000000,?,6CB07E5C,?,6CA048B3,?,?,?), ref: 6CA065F2
                                            • GlobalLock.KERNEL32(00000000), ref: 6CA065FF
                                            • GlobalUnlock.KERNEL32(00000000), ref: 6CA0660A
                                            • GlobalFree.KERNEL32(00000000), ref: 6CA06611
                                            • GlobalUnlock.KERNEL32(00000000), ref: 6CA0662F
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6CA0663C
                                            • EnterCriticalSection.KERNEL32(6CB59B70,00000000), ref: 6CA06655
                                            • LeaveCriticalSection.KERNEL32(6CB59B70,00000000), ref: 6CA066BC
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
                                            • String ID:
                                            • API String ID: 295443201-0
                                            • Opcode ID: 4624890cbe66865a6339d0b195a214d128bdeec584ad595ec979ecd8a4efda95
                                            • Instruction ID: 1e3074ef9329b9cab596739b39115ee2a9e1e69d29f861dbe160402755f43f60
                                            • Opcode Fuzzy Hash: 4624890cbe66865a6339d0b195a214d128bdeec584ad595ec979ecd8a4efda95
                                            • Instruction Fuzzy Hash: 11310D72B01624EBEF05AFA4D818BAE37BDAF4639DF080114E906D7740EB34D982CB55
                                            APIs
                                            • ScreenToClient.USER32(?,?), ref: 6C9BA98E
                                            • GetParent.USER32(?), ref: 6C9BA99E
                                            • GetClientRect.USER32(?,?), ref: 6C9BA9E2
                                            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BA9F4
                                            • PtInRect.USER32(?,?,?), ref: 6C9BAA04
                                            • GetClientRect.USER32(?,?), ref: 6C9BAA31
                                            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BAA43
                                            • PtInRect.USER32(?,?,?), ref: 6C9BAA53
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Client$PointsWindow$ParentScreen
                                            • String ID:
                                            • API String ID: 1944725958-0
                                            • Opcode ID: d7a9697d3dc2a50e8b98f4c9cddc4440b4b1e69415d8e6d6a340e519a3aff882
                                            • Instruction ID: a91077e94673241fe11234d741a994d75b7774ed11586fdb81447fccbaf1a2c9
                                            • Opcode Fuzzy Hash: d7a9697d3dc2a50e8b98f4c9cddc4440b4b1e69415d8e6d6a340e519a3aff882
                                            • Instruction Fuzzy Hash: A1319333A40129AFCF129FA4C9448AF7B7AFF49704B104229F946E7650EF31DE048B90
                                            APIs
                                            • GetSystemMetrics.USER32(00000031), ref: 6C99EE1F
                                            • GetSystemMetrics.USER32(00000032), ref: 6C99EE2D
                                            • SetRectEmpty.USER32(?), ref: 6C99EE40
                                            • EnumDisplayMonitors.USER32(00000000,00000000,6C99F5E9,?,?,?), ref: 6C99EE50
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C99EE5F
                                            • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C99EE8C
                                            • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C99EEA0
                                            • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C99EEC6
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                                            • String ID:
                                            • API String ID: 2614369430-0
                                            • Opcode ID: 548170ad2033624c023df1e7009c2a8f6438e566f6a4376869a160a1d8415795
                                            • Instruction ID: 8cf3144d646a92f5c92cc0ff0ee6bc96f319aff2277ee3170ef3fee5a9f3b907
                                            • Opcode Fuzzy Hash: 548170ad2033624c023df1e7009c2a8f6438e566f6a4376869a160a1d8415795
                                            • Instruction Fuzzy Hash: 332158B2301225BFE7105FB48848AE7BAACFF0A355F104229A949C7140D7B0A8558BA0
                                            APIs
                                            • GlobalSize.KERNEL32(?), ref: 6C998250
                                            • GlobalAlloc.KERNEL32(00002002,00000000,?,?,6C9981C3,?,?,00000054), ref: 6C998268
                                            • GlobalLock.KERNEL32(?), ref: 6C998278
                                            • GlobalLock.KERNEL32(?), ref: 6C998281
                                            • GlobalSize.KERNEL32(?), ref: 6C99828E
                                            • GlobalUnlock.KERNEL32(?), ref: 6C99829F
                                            • GlobalUnlock.KERNEL32(?), ref: 6C9982A8
                                            • GlobalSize.KERNEL32(?), ref: 6C9982B8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Global$Size$LockUnlock$Alloc
                                            • String ID:
                                            • API String ID: 2344174106-0
                                            • Opcode ID: e39026fead8094bf04816ada2157b5b113c6631b28488c4847d9323a1f488d3f
                                            • Instruction ID: 71b6b1e4efac2844250d903d32ce1732d7dd93d7204a9c8c94aa5fa6a2f6383b
                                            • Opcode Fuzzy Hash: e39026fead8094bf04816ada2157b5b113c6631b28488c4847d9323a1f488d3f
                                            • Instruction Fuzzy Hash: 91012C76601274BBDB606BE58C8C8AE7F7CEB1A2E5B044625F90A93605DB31C9009765
                                            APIs
                                            • OffsetRect.USER32(?,00000000,?), ref: 6C986670
                                            • OffsetRect.USER32(?,?,00000000), ref: 6C986690
                                            • SetCapture.USER32(?), ref: 6C986703
                                            • RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6C986722
                                            • ReleaseCapture.USER32 ref: 6C9867B0
                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C986826
                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 6C986837
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            Similarity
                                            • API ID: OffsetRect$Capture$RedrawReleaseWindow
                                            • String ID:
                                            • API String ID: 1110970518-0
                                            • Opcode ID: 75221f56bd0c04f10a17c78ad80ec4207bbdf1c1f183212514e38e4ac479a1ca
                                            • Instruction ID: 7ab3bd61c9b179676a91d46ff97fc5c2ad6506b4440631f9a2bc742ddb61eda1
                                            • Opcode Fuzzy Hash: 75221f56bd0c04f10a17c78ad80ec4207bbdf1c1f183212514e38e4ac479a1ca
                                            • Instruction Fuzzy Hash: 8CD14D357012289FCF059F64C8A8BAD3BB9BB49310F5805B9ED0ADF395DB70A805CB95
                                            APIs
                                            Similarity
                                            • API ID: _strrchr
                                            • String ID:
                                            • API String ID: 3213747228-0
                                            • Opcode ID: 5190b319bde8bdb40870973bd59ec0e1e05736a5c04f87247dd0c88a7e395357
                                            • Instruction ID: aff6e6061dcff66ffbfe4c9634a02b6bbda4a6a221d2d76934ed578ea81357a9
                                            • Opcode Fuzzy Hash: 5190b319bde8bdb40870973bd59ec0e1e05736a5c04f87247dd0c88a7e395357
                                            • Instruction Fuzzy Hash: F1B17772A012559FDB018F68CC80BEEFBB5EF05358F1A4155E904AB781E774B985CBE0
                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 6CA9C4EE
                                              • Part of subcall function 6CA9C7B1: OleGetClipboard.OLE32(00000000), ref: 6CA9C7C7
                                            • ReleaseStgMedium.OLE32(?), ref: 6CA9C572
                                            • ReleaseStgMedium.OLE32(?), ref: 6CA9C5B9
                                            • ReleaseStgMedium.OLE32(?), ref: 6CA9C5C8
                                            • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,6CA0729C,?,00000000,00000000,0000005C), ref: 6CA9C678
                                            Strings
                                            Similarity
                                            • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
                                            • String ID: '
                                            • API String ID: 3213536121-1997036262
                                            • Opcode ID: f4e724fc5ecc7daff17c6459f5fea81da8becfe6b6eecffda5b30e4425b90743
                                            • Instruction ID: d243076d2ba9d161af9e0b0c0ebcf1eb33c1447a87b8d3e68a21ac3af3fc8f01
                                            • Opcode Fuzzy Hash: f4e724fc5ecc7daff17c6459f5fea81da8becfe6b6eecffda5b30e4425b90743
                                            • Instruction Fuzzy Hash: E951BD31A516099BDF00EFB8C845AEDBBF5AF5931CF185019EA10E7780EB70DA84CB60
                                            APIs
                                              • Part of subcall function 6C9BD7A9: IsWindow.USER32(?), ref: 6C9BD7B5
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9925EB
                                              • Part of subcall function 6C9BDE27: GetClientRect.USER32(?,?), ref: 6C9BDE4F
                                              • Part of subcall function 6C9BDE27: PtInRect.USER32(?,00000000,?), ref: 6C9BDE69
                                            • ScreenToClient.USER32(?,?), ref: 6C9924B8
                                            • PtInRect.USER32(?,?,?), ref: 6C9924CB
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9924FD
                                            • GetParent.USER32(?), ref: 6C99252D
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9925AB
                                            • GetFocus.USER32 ref: 6C9925B1
                                            Similarity
                                            • API ID: MessageRectSend$Client$FocusParentScreenWindow
                                            • String ID:
                                            • API String ID: 1639644240-0
                                            • Opcode ID: 100cec110658bb083d044d43db9ef0bc7ffefe7b9ef66413cdaeab46ee4be18f
                                            • Instruction ID: cdbf4cebd9d451997e2a462c1410d618d8e20e0dad7129cee345c8441797e30e
                                            • Opcode Fuzzy Hash: 100cec110658bb083d044d43db9ef0bc7ffefe7b9ef66413cdaeab46ee4be18f
                                            • Instruction Fuzzy Hash: F4519F71A00619AFDF10DFA5C858AAE7BB8FF49308F18415AE815E7750DB30D901CF91
                                            APIs
                                              • Part of subcall function 6CA07254: __EH_prolog3_catch.LIBCMT ref: 6CA0725B
                                            • UpdateWindow.USER32(?), ref: 6C9B45E2
                                            • EqualRect.USER32(?,?), ref: 6C9B4622
                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C9B463A
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9B4649
                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C9B4660
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9B4672
                                            • UpdateWindow.USER32(?), ref: 6C9B467B
                                              • Part of subcall function 6C9B2D5A: InvalidateRect.USER32(?,?,00000001,?), ref: 6C9B2DD1
                                              • Part of subcall function 6C9B2D5A: InflateRect.USER32(?,00000000,?), ref: 6C9B2E17
                                              • Part of subcall function 6C9B2D5A: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C9B2E2B
                                            Similarity
                                            • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
                                            • String ID:
                                            • API String ID: 1041772997-0
                                            • Opcode ID: 1a659935084fee0aacdad68fee9b00a2e7d2e985dc6368f6e59a3a03170e58db
                                            • Instruction ID: 2ffd23511921990d4ca43df17d08bccad1e2bb901d027d45831207d944e95fdf
                                            • Opcode Fuzzy Hash: 1a659935084fee0aacdad68fee9b00a2e7d2e985dc6368f6e59a3a03170e58db
                                            • Instruction Fuzzy Hash: A8514E7560021AEFCF01DF64C894BAE3BB9BF49314F140279EC19AB295DBB19911CFA0
                                            APIs
                                            • _ValidateLocalCookies.LIBCMT ref: 6CAC2AA7
                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6CAC2AAF
                                            • _ValidateLocalCookies.LIBCMT ref: 6CAC2B38
                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6CAC2B63
                                            • _ValidateLocalCookies.LIBCMT ref: 6CAC2BB8
                                            Strings
                                            Similarity
                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 1170836740-1018135373
                                            • Opcode ID: 064bb0b72a30499219811ad4327f216d9def6f30aa0b3bfecd6b8dbb23e05bdd
                                            • Instruction ID: d3520d2031e846b1a0f02ba6a4f34a2bc64769a7b64fbda8ded537cddf4a1bda
                                            • Opcode Fuzzy Hash: 064bb0b72a30499219811ad4327f216d9def6f30aa0b3bfecd6b8dbb23e05bdd
                                            • Instruction Fuzzy Hash: 3A41DB34B0111A9BCF01CF68C898ADEBBB5FF4532CF148255E8149B751DB31EA99CB92
                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 6C99A145
                                            • IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000), ref: 6C99A160
                                            • DrawThemeParentBackground.UXTHEME(?,?,?), ref: 6C99A174
                                            • SetRectEmpty.USER32(?), ref: 6C99A185
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C99A193
                                            • DrawThemeBackground.UXTHEME(?,?,00000006,00000000,?,00000000), ref: 6C99A1C9
                                            • CopyRect.USER32(?,?), ref: 6C99A22E
                                            Similarity
                                            • API ID: BackgroundRectTheme$Draw$ClientCopyEmptyInfoParametersParentPartiallySystemTransparent
                                            • String ID:
                                            • API String ID: 2388076383-0
                                            • Opcode ID: 36ab345cb9848e3adfa72f2460737777372a62213290c8ec0f11de1efddba0da
                                            • Instruction ID: cd622defcb2a200be6d7325e5d9e8bcc0c426e2dbbe5be55c74f47c63008a431
                                            • Opcode Fuzzy Hash: 36ab345cb9848e3adfa72f2460737777372a62213290c8ec0f11de1efddba0da
                                            • Instruction Fuzzy Hash: 9D416076E00609EFDB11DFA4C984AEFB7B9FF19344F104529E906A7500DB71AE45CBA0
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9A2265
                                            • CreateCompatibleDC.GDI32(?), ref: 6C9A2294
                                            • GetClientRect.USER32(?,?), ref: 6C9A22B1
                                            • SelectObject.GDI32(?,?), ref: 6C9A22EA
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C9A2311
                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C9A2397
                                            • SelectObject.GDI32(?,00000000), ref: 6C9A23A5
                                            Similarity
                                            • API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
                                            • String ID:
                                            • API String ID: 1651110115-0
                                            • Opcode ID: 68561b6c180eec79435ded076441cf4ecc443ebc8b2a82672fe67ab6d118446e
                                            • Instruction ID: 99a7549438c7e74b4ec12fb383f37181d8891b590e04d2bd39f43390c7bcddb6
                                            • Opcode Fuzzy Hash: 68561b6c180eec79435ded076441cf4ecc443ebc8b2a82672fe67ab6d118446e
                                            • Instruction Fuzzy Hash: 3A41E371A10119AFDF14DFA4CD99EEEBBBAFF68704F104129B509A7690DB70AD04CB60
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C980DFC
                                            • GetClassNameW.USER32(?,?,000000FF), ref: 6C980E56
                                            • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C980EE7
                                            • GetStockObject.GDI32(00000005), ref: 6C980EF8
                                            Strings
                                            Similarity
                                            • API ID: ClassH_prolog3_NameObjectStockThemed
                                            • String ID: Button$Static
                                            • API String ID: 2434646892-2498952662
                                            • Opcode ID: e5b063203540b463e4ab004870c6df6d8544bd2663c9308b0b05da3111145f04
                                            • Instruction ID: 3421fef1722977e379e790b882f356c27e771230377c3cf8f461928d911e54cc
                                            • Opcode Fuzzy Hash: e5b063203540b463e4ab004870c6df6d8544bd2663c9308b0b05da3111145f04
                                            • Instruction Fuzzy Hash: DD31D632983659DBCB24CF54C858BDB7378AF24318F101999D41DA7A81DB30E984CB71
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C99AE88
                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C99AEB4
                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C99AEE0
                                            • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C99AEF2
                                            • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C99AF01
                                              • Part of subcall function 6C99A71A: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C99A72B
                                              • Part of subcall function 6C99A71A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C99A73B
                                            Strings
                                            Similarity
                                            • API ID: CloseCreate$AddressHandleModuleOpenProc
                                            • String ID: software
                                            • API String ID: 550756860-2010147023
                                            • Opcode ID: 4cff1e0c35a0928937ae08cf1ad1f090703bdedbd745b3f75fb96762f6923355
                                            • Instruction ID: b4b7a1aa015b3302420f1e8f13fd103581cec416e9ea2a5f4b8ec2378de7005e
                                            • Opcode Fuzzy Hash: 4cff1e0c35a0928937ae08cf1ad1f090703bdedbd745b3f75fb96762f6923355
                                            • Instruction Fuzzy Hash: 73213572E00118FBEB11DBE4D844EAF7B7EEB55B08F14406AF905E2600DB30CA418BA4
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6CA00F58
                                              • Part of subcall function 6CA01042: __EH_prolog3.LIBCMT ref: 6CA01049
                                              • Part of subcall function 6CA01042: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CA0109C
                                              • Part of subcall function 6CA01042: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CA010B2
                                            • CopyRect.USER32(?,?), ref: 6CA00F8D
                                            • GetCursorPos.USER32(?), ref: 6CA00F9F
                                            • SetRect.USER32(?,?,?,?,?), ref: 6CA00FB2
                                            • IsRectEmpty.USER32(?), ref: 6CA00FCD
                                            • InflateRect.USER32(?,00000002,00000002), ref: 6CA00FDF
                                            • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6CA01027
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                                            • String ID:
                                            • API String ID: 1837043813-0
                                            • Opcode ID: 613ce6d49d499c5c595a52f6c9ac3026588928340f70d89812e3de826d79f8e6
                                            • Instruction ID: 56b7df0f50c1f1100f860c0b323910541f30f270033b636103559f288f982062
                                            • Opcode Fuzzy Hash: 613ce6d49d499c5c595a52f6c9ac3026588928340f70d89812e3de826d79f8e6
                                            • Instruction Fuzzy Hash: 49314B71B016689BDF01EFE4C9489EE7BB9BF59348B500005F809AB644DB34D94ADB61
                                            APIs
                                            • RealChildWindowFromPoint.USER32(?,?,?,?,?,?,6C987F38,?,?,?), ref: 6C9A040A
                                            • ClientToScreen.USER32(?,?), ref: 6C9A0424
                                            • GetWindow.USER32(?,00000005), ref: 6C9A0476
                                            Similarity
                                            • API ID: Window$ChildClientFromPointRealScreen
                                            • String ID:
                                            • API String ID: 2518355518-0
                                            • Opcode ID: e0d54139bf336bdfaf84fb90120963baca10804dc872314f605158c422256d8a
                                            • Instruction ID: 5fe7f25ef083c49beb6141b88e7a9bb2bcc5911f485cceec4fb2f5dd515c57a9
                                            • Opcode Fuzzy Hash: e0d54139bf336bdfaf84fb90120963baca10804dc872314f605158c422256d8a
                                            • Instruction Fuzzy Hash: 27117531A01639AFCB11DFE8CC08AAF7BF9AF4A314F514215F515E3140EB34DA468794
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 6C98EAD4
                                            • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C98EAFC
                                            • SizeofResource.KERNEL32(?,00000000), ref: 6C98EB0E
                                            • LoadResource.KERNEL32(?,00000000), ref: 6C98EB1A
                                            • LockResource.KERNEL32(00000000), ref: 6C98EB25
                                            Similarity
                                            • API ID: Resource$FindLoadLockSizeofWindow
                                            • String ID: AFX_DIALOG_LAYOUT
                                            • API String ID: 2582447065-2436846380
                                            • Opcode ID: 9b1d79049fa4a31ff5f8f285d772c747350ff1c7d0b5eeb6b7f420a882c59001
                                            • Instruction ID: 5296ca733e3fe9401cdef0b2f3cba58430e00c3a882c0e317d0ecfd459372ad8
                                            • Opcode Fuzzy Hash: 9b1d79049fa4a31ff5f8f285d772c747350ff1c7d0b5eeb6b7f420a882c59001
                                            • Instruction Fuzzy Hash: A311E97A202715ABDB115BB5CC58E6FB7BDEF45658B140924B806D3640DB70D900C7E0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C99DEC6,00000001,?,00000002,00000000,?), ref: 6C9A6771
                                            • GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C9A6781
                                            • EncodePointer.KERNEL32(00000000,?,6C99DEC6,00000001,?,00000002,00000000,?), ref: 6C9A678A
                                            • DecodePointer.KERNEL32(00000000,?,?,6C99DEC6,00000001,?,00000002,00000000,?), ref: 6C9A6798
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: BeginBufferedPaint$uxtheme.dll
                                            • API String ID: 2061474489-1632326970
                                            • Opcode ID: d78bc51268ab60b5e7d92aa4eac926e1d08e3b4249f36a7dc0eb5c1742437846
                                            • Instruction ID: 75b13ffc193ab881644e003419b1d06e238e8422764653263985982e0d7baaed
                                            • Opcode Fuzzy Hash: d78bc51268ab60b5e7d92aa4eac926e1d08e3b4249f36a7dc0eb5c1742437846
                                            • Instruction Fuzzy Hash: 98F03075652329AFCF126FE8DC4886E3FB8BB1AB957440521FC1AD3610DB31C811CBA0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C9A6ACC
                                            • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C9A6ADC
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6AE5
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6AF3
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: TaskDialogIndirect$comctl32.dll
                                            • API String ID: 2061474489-2809879075
                                            • Opcode ID: 692341add246e7399fbb65d0065bdd6ba7067699277c6c0fa5669ac9fd7f2d46
                                            • Instruction ID: f34d375dedd84ae90f4126cd5650bf0784c614f14552ae9a59ccec22f85b7241
                                            • Opcode Fuzzy Hash: 692341add246e7399fbb65d0065bdd6ba7067699277c6c0fa5669ac9fd7f2d46
                                            • Instruction Fuzzy Hash: 6BF09A7674526ABBCF126FEC8C0896E3BBCAB0A3557404520FC1AD3A00DB31CC01CAA0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C9A651C
                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C9A652C
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6535
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6543
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                            • API String ID: 2061474489-2320870614
                                            • Opcode ID: 77b1c9606cfa52a173c02f346dea3192f8461c89316421a60b01dc35076e31d6
                                            • Instruction ID: 8771a09c224ca1accbb520b9ba018559e65e03b519c8a8cbea8ad3f6c1108cf5
                                            • Opcode Fuzzy Hash: 77b1c9606cfa52a173c02f346dea3192f8461c89316421a60b01dc35076e31d6
                                            • Instruction Fuzzy Hash: F4F0907A605225ABCF126FE89C0886E3FB9AB0A7557055110FC19D3604D731CE02CFA0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C9A6581
                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C9A6591
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A659A
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A65A8
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                            • API String ID: 2061474489-2936008475
                                            • Opcode ID: 7866c37d609f2ac791d875b4a80a1450bfeb0af3e9d782ed445d647aa0ee4332
                                            • Instruction ID: 56c26e6356005653b17f59341e0a924bf579a03d157d21f4991736e64cf1c3eb
                                            • Opcode Fuzzy Hash: 7866c37d609f2ac791d875b4a80a1450bfeb0af3e9d782ed445d647aa0ee4332
                                            • Instruction Fuzzy Hash: 9EF05E7564222AABCF126FE8DC0C96E3FB8BF0A7557051211FC1AD7614EB31C911CBA4
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C989B1F,?,?,?,?), ref: 6C9A63AA
                                            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6C9A63BA
                                            • EncodePointer.KERNEL32(00000000,?,?,6C989B1F,?,?,?,?), ref: 6C9A63C3
                                            • DecodePointer.KERNEL32(00000000,?,?,6C989B1F,?,?,?,?), ref: 6C9A63D1
                                            Strings
                                            • kernel32.dll, xrefs: 6C9A63A5
                                            • RegisterApplicationRecoveryCallback, xrefs: 6C9A63B4
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
                                            • API String ID: 2061474489-202725706
                                            • Opcode ID: f3b4259fb33817f5bbf9420b44bb6be9d75ce033dc33c2e2b827a0adda9e09eb
                                            • Instruction ID: 2a32dc318c761bb1392766cbf0e8d731f4c6d555214bfd8f6412980188c4e3e9
                                            • Opcode Fuzzy Hash: f3b4259fb33817f5bbf9420b44bb6be9d75ce033dc33c2e2b827a0adda9e09eb
                                            • Instruction Fuzzy Hash: 3FF03079642236EBCF122FED9C0895E3BB8EB1A7557014525FD1AD7A10EF31D812CB90
                                            APIs
                                            • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C9A64C0
                                            • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C9A64D0
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A64D9
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A64E7
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                            • API String ID: 2061474489-2498399450
                                            • Opcode ID: b19a717ebe4739449362bc48213503d94ca33558cc8f7f6613721fffc9c2f2cc
                                            • Instruction ID: e68299196f5544c122dbb86ae291c070d68cf6c9512fa06719ef77b12772dacc
                                            • Opcode Fuzzy Hash: b19a717ebe4739449362bc48213503d94ca33558cc8f7f6613721fffc9c2f2cc
                                            • Instruction Fuzzy Hash: 2BF01275745225AFDF222FF9891C89E7BBCAB0B6593425621FD19D3604EB30D901C690
                                            APIs
                                            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,?,6C99DFAD,?,00000001,B073DD17), ref: 6C9A67D6
                                            • GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C9A67E6
                                            • EncodePointer.KERNEL32(00000000,?,?,6C99DFAD,?,00000001,B073DD17), ref: 6C9A67EF
                                            • DecodePointer.KERNEL32(00000000,?,?,6C99DFAD,?,00000001,B073DD17), ref: 6C9A67FD
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: EndBufferedPaint$uxtheme.dll
                                            • API String ID: 2061474489-2993015961
                                            • Opcode ID: 9cc60efa4b8cc8fdc1717e11c77f752308b3bd35c487f34e3ea78f294d6c4a34
                                            • Instruction ID: 3b456e01e1697dc618feddabbea1f0180c76f7ef445da52524e8da66dae358c4
                                            • Opcode Fuzzy Hash: 9cc60efa4b8cc8fdc1717e11c77f752308b3bd35c487f34e3ea78f294d6c4a34
                                            • Instruction Fuzzy Hash: BEF05E75641225ABCF152FBC980885A3BBCAB0A7953014561FC1DE7610EB30C802CA90
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C989B03,?,?), ref: 6C9A634B
                                            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6C9A635B
                                            • EncodePointer.KERNEL32(00000000,?,?,6C989B03,?,?), ref: 6C9A6364
                                            • DecodePointer.KERNEL32(00000000,?,?,6C989B03,?,?), ref: 6C9A6372
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: RegisterApplicationRestart$kernel32.dll
                                            • API String ID: 2061474489-1259503209
                                            • Opcode ID: 8f2a76ee8f5c534e187f4124a7792f04c6ff3da1d15738bb9b3c12b88da1095e
                                            • Instruction ID: 659dafb3de1d3c254f94a722de3ac285c1061ea06a34b88d54d7d3ef85a45198
                                            • Opcode Fuzzy Hash: 8f2a76ee8f5c534e187f4124a7792f04c6ff3da1d15738bb9b3c12b88da1095e
                                            • Instruction Fuzzy Hash: 7EF08276642235ABCF126FF98C1895E3BBCAB067553414115FC1ED7A00EF30D802CA90
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C989B3E,00000000), ref: 6C9A640F
                                            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C9A641F
                                            • EncodePointer.KERNEL32(00000000,?,?,6C989B3E,00000000), ref: 6C9A6428
                                            • DecodePointer.KERNEL32(00000000,?,?,6C989B3E,00000000), ref: 6C9A6436
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: ApplicationRecoveryInProgress$kernel32.dll
                                            • API String ID: 2061474489-2899047487
                                            • Opcode ID: 36b49cc85c35c59dec56e16985c4077d6f45a05bcb58edda3d68f875dfe86a6e
                                            • Instruction ID: d71efa1d9e67cf183d0706917d7724b313aca42f31d00144a39ef706009abfaa
                                            • Opcode Fuzzy Hash: 36b49cc85c35c59dec56e16985c4077d6f45a05bcb58edda3d68f875dfe86a6e
                                            • Instruction Fuzzy Hash: BCF03075742239AFDF122FF8891C92E3BFCBB0A7553454615FD2AE7640EB24CD028A94
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C989B81,00000001), ref: 6C9A646B
                                            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C9A647B
                                            • EncodePointer.KERNEL32(00000000,?,6C989B81,00000001), ref: 6C9A6484
                                            • DecodePointer.KERNEL32(00000000,?,?,6C989B81,00000001), ref: 6C9A6492
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: ApplicationRecoveryFinished$kernel32.dll
                                            • API String ID: 2061474489-1962646049
                                            • Opcode ID: 1f302aa56eee0ec87e0544cfa31071fd14b399ac226b83aa0307d64a0eb0fd27
                                            • Instruction ID: 643e7ef9a331ccb858d133be54959a06dbe32abb11b92d2e243b27199517a1ab
                                            • Opcode Fuzzy Hash: 1f302aa56eee0ec87e0544cfa31071fd14b399ac226b83aa0307d64a0eb0fd27
                                            • Instruction Fuzzy Hash: 9BF03075742335AFDF126BF9981881E3BFCAA0666A3415611FC1AD3600EB20D90186A1
                                            APIs
                                            • GetModuleHandleW.KERNEL32(shell32.dll,?,6C98FFEC,?,?,6C9916A2,000FC000,00000010,00000048,6C991881,?,?,?,?,00000000), ref: 6C9A65E3
                                            • GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6C9A65F3
                                            • EncodePointer.KERNEL32(00000000,?,?,6C9916A2,000FC000,00000010,00000048,6C991881,?,?,?,?,00000000,?,6C991B31,?), ref: 6C9A65FC
                                            • DecodePointer.KERNEL32(00000000,?,6C98FFEC,?,?,6C9916A2,000FC000,00000010,00000048,6C991881,?,?,?,?,00000000), ref: 6C9A660A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: InitNetworkAddressControl$shell32.dll
                                            • API String ID: 2061474489-1950653938
                                            • Opcode ID: ffb60445e48bfe50174e689fab00c894d5c921ccdcdc8e7115dc91cd38bd2031
                                            • Instruction ID: 4c8b2f81cd86ce743568ee1f195b2353c38af89119f891b18cf5841101a955ca
                                            • Opcode Fuzzy Hash: ffb60445e48bfe50174e689fab00c894d5c921ccdcdc8e7115dc91cd38bd2031
                                            • Instruction Fuzzy Hash: 31E06D35B06531DBDF622BF8A81885E3ABCBB0A3563461621F81AD3604EB24CC028694
                                            APIs
                                            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C99DE98,?,?,?,?,?,?,?,?,00000008), ref: 6C9A66C4
                                            • GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C9A66D4
                                            • EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000008), ref: 6C9A66DD
                                            • DecodePointer.KERNEL32(00000000,?,6C99DE98,?,?,?,?,?,?,?,?,00000008), ref: 6C9A66EB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: BufferedPaintInit$uxtheme.dll
                                            • API String ID: 2061474489-1331937065
                                            • Opcode ID: eb612830494c510876d99267abd851b0fcc3ae8afe71e9ee5e03037be8e45011
                                            • Instruction ID: 1cd18edeb25f26b2dc9f1c9ae6a5b1e0b51f431aa23b4cd1c073c0c8013a1eae
                                            • Opcode Fuzzy Hash: eb612830494c510876d99267abd851b0fcc3ae8afe71e9ee5e03037be8e45011
                                            • Instruction Fuzzy Hash: 99E09B75B166329BDF113BF8A80C95D37B8BB0A7563060611FC1BD7604DF24CD028EA4
                                            APIs
                                            • GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C99F04A,?,?,6C99E2E3,B073DD17,?,?,?,Function_0019C030,000000FF), ref: 6C9A6719
                                            • GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C9A6729
                                            • EncodePointer.KERNEL32(00000000,?,6C99F04A,?,?,6C99E2E3,B073DD17,?,?,?,Function_0019C030,000000FF), ref: 6C9A6732
                                            • DecodePointer.KERNEL32(00000000,?,6C99F04A,?,?,6C99E2E3,B073DD17,?,?,?,Function_0019C030,000000FF), ref: 6C9A6740
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: BufferedPaintUnInit$uxtheme.dll
                                            • API String ID: 2061474489-1501038116
                                            • Opcode ID: d68665c80a0f348cf5834adbc7dd15cef266d490a3f76c13645e8a76b36497eb
                                            • Instruction ID: 3e2ecfe6245097e122a7c23cf1f5d2d729dfdeb2dbfdbc292fa49d0d1ce3e3df
                                            • Opcode Fuzzy Hash: d68665c80a0f348cf5834adbc7dd15cef266d490a3f76c13645e8a76b36497eb
                                            • Instruction Fuzzy Hash: 92E065757527359BDF113FB8684C56E37F8BB06A963460255FC1AD7604EB24CC028690
                                            APIs
                                            • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C9A6A7E
                                            • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C9A6A8E
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6A97
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6AA9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                            • String ID: TaskDialogIndirect$comctl32.dll
                                            • API String ID: 2061474489-2809879075
                                            • Opcode ID: 139de2429e5685411453f944b49e8c4bc9723870b55df767c37e2ff443327d23
                                            • Instruction ID: e8fd8cbe2eefecb7afcea26a6567cb6994430a5abd6d5fbd4cbc83355d142349
                                            • Opcode Fuzzy Hash: 139de2429e5685411453f944b49e8c4bc9723870b55df767c37e2ff443327d23
                                            • Instruction Fuzzy Hash: 42E04875B862319FDF11AFFD990C95E37B8AF162973064A51FC05D7644D734CC018690
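The six function blocks above share one shape: GetModuleHandleW on a named system DLL, GetProcAddress on a single export, and EncodePointer/DecodePointer around the cached result. The script below is an added example, not part of this Joe Sandbox report and not Joe Sandbox tooling: it parses `APIs` lines of this form (the sample input is a constructed subset copied from the blocks above), pairs each resolver call with the GetProcAddress that follows it in the same function, and rebuilds the run-time import table that such stubs create, which is the list an analyst needs to judge the "Extensive use of GetProcAddress" signature. `ResolvedImport`, `parse_blocks`, `extract_resolved_imports`, `summarize` and `WATCHLIST` are names chosen for this example, and the watch-list is an analyst assumption rather than anything the report states.

```python
"""Added example: rebuild the run-time import table from Joe Sandbox `APIs` lines.
Exports bound through GetProcAddress never appear in the PE import table, so
listing them is how an analyst decides whether dynamic resolution hides anything."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `APIs` lines copied from the blocks above.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C989B3E,00000000), ref: 6C9A640F
• GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C9A641F
• EncodePointer.KERNEL32(00000000,?,?,6C989B3E,00000000), ref: 6C9A6428
• DecodePointer.KERNEL32(00000000,?,?,6C989B3E,00000000), ref: 6C9A6436
Strings
Memory Dump Source
APIs
• GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C9A6A7E
• GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C9A6A8E
• EncodePointer.KERNEL32(00000000), ref: 6C9A6A97
• DecodePointer.KERNEL32(00000000), ref: 6C9A6AA9
Strings
Memory Dump Source
APIs
• GetCursorPos.USER32(?), ref: 6C9C24D0
• GetFocus.USER32 ref: 6C9C26AA
  • Part of subcall function 6C98AD88: GetParent.USER32(?), ref: 6C98AD92
Memory Dump Source
"""

# One annotated call: optional "Part of subcall function X:" prefix, API.MODULE,
# optional (args), then "ref: <address>". GetFocus.USER32 has no parentheses.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA",
             "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}
# Assumption: an analyst-chosen watch-list; the report carries no such list.
WATCHLIST = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
             "NtUnmapViewOfSection", "SetWindowsHookExW"}


@dataclass(frozen=True)
class ResolvedImport:
    module: str    # DLL literal passed to the resolver, "?" if not a literal
    export: str    # name (or ordinal) passed to GetProcAddress
    ref: str       # address of the GetProcAddress call site
    encoded: bool  # stored via EncodePointer: a cached lazy-binding stub


def parse_blocks(text):
    """Yield the top-level calls of each `APIs` section as (api, args, ref) tuples."""
    block, in_apis = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            block, in_apis = [], True
            continue
        if in_apis and stripped in ("Strings", "Memory Dump Source"):
            if block:
                yield block
            block, in_apis = [], False
            continue
        m = CALL_RE.match(line)
        if in_apis and m and not m.group("sub"):   # skip callee ("subcall") lines
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            block.append((m.group("api"), args, m.group("ref")))
    if block:
        yield block


def extract_resolved_imports(text):
    """Pair each resolver call with the GetProcAddress that follows it in the block."""
    found = []
    for calls in parse_blocks(text):
        encoded = any(api == "EncodePointer" for api, _, _ in calls)
        module = "?"
        for api, args, ref in calls:
            if api in RESOLVERS:
                literal = args[0].lower() if args else ""
                module = literal if literal.endswith(".dll") else "?"
            elif api == "GetProcAddress":
                export = args[1] if len(args) > 1 else "?"
                found.append(ResolvedImport(module, export, ref, encoded))
    return found


def summarize(imports):
    """Group resolved exports by DLL, i.e. the import table the PE header hides."""
    by_dll = {}
    for imp in imports:
        by_dll.setdefault(imp.module, []).append(imp.export)
    return {dll: sorted(names) for dll, names in by_dll.items()}


def flag_watchlisted(imports):
    return sorted({imp.export for imp in imports if imp.export in WATCHLIST})


if __name__ == "__main__":
    resolved = extract_resolved_imports(SAMPLE_REPORT)
    for imp in resolved:
        print(f"{imp.ref}: {imp.module}!{imp.export}  encoded={imp.encoded}")
    print(summarize(resolved))
    print("watch-listed:", flag_watchlisted(resolved))
```

Run against a full text export of the report and `summarize` gives every DLL!export the binary binds at run time, with `flag_watchlisted` pulling out the ones worth a second look. For the blocks above the resolved names (RegisterApplicationRestart, ApplicationRecoveryInProgress, ApplicationRecoveryFinished, InitNetworkAddressControl, BufferedPaintInit, BufferedPaintUnInit, TaskDialogIndirect) are Vista-era optional exports, and an EncodePointer-protected cache around GetProcAddress is the shape the Visual C++ MFC runtime uses to bind such exports lazily so a binary still loads on older Windows; that is an assessment of the pattern, not a finding the report states, so verify it against the module at 6C950000 before discounting the signature, and weigh resolved names that hit the watch-list far more heavily than these.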
                                            APIs
                                            • __allrem.LIBCMT ref: 6CAD2451
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAD246D
                                            • __allrem.LIBCMT ref: 6CAD2484
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAD24A2
                                            • __allrem.LIBCMT ref: 6CAD24B9
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAD24D7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 1992179935-0
                                            • Opcode ID: ac69f672fc1e1c429154b05bb47a3944657c14319291d5b94ac717d084c786b3
                                            • Instruction ID: e45a699073cfb5c204535acbe026147d38a9c2398ea2d3e8011f77c103c16dcd
                                            • Opcode Fuzzy Hash: ac69f672fc1e1c429154b05bb47a3944657c14319291d5b94ac717d084c786b3
                                            • Instruction Fuzzy Hash: FD9148B1A407029BE7208E69CD44B9AB3F89F45728F1A4329E410D7B90EB74FD89C790
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 6C9C24D0
                                            • GetWindowRect.USER32(?,?), ref: 6C9C24E4
                                            • PtInRect.USER32(?,?,?), ref: 6C9C250D
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9C2521
                                              • Part of subcall function 6C98AD88: GetParent.USER32(?), ref: 6C98AD92
                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9C2583
                                            • GetFocus.USER32 ref: 6C9C26AA
                                              • Part of subcall function 6C9E810A: __EH_prolog3_GS.LIBCMT ref: 6C9E8114
                                              • Part of subcall function 6C9E810A: GetWindowRect.USER32(?,?), ref: 6C9E81A8
                                              • Part of subcall function 6C9E810A: SetRect.USER32(?,00000000,00000000,?,?), ref: 6C9E81C9
                                              • Part of subcall function 6C9E810A: CreateCompatibleDC.GDI32(?), ref: 6C9E81D5
                                              • Part of subcall function 6C9E810A: CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6C9E81FF
                                              • Part of subcall function 6C9E810A: GetWindowRect.USER32(?,?), ref: 6C9E8254
                                              • Part of subcall function 6C9E810A: GetClientRect.USER32(?,?), ref: 6C9E8261
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
                                            • String ID:
                                            • API String ID: 2914356772-0
                                            • Opcode ID: d31af7e8e5ad77a73a3b23a2e69f752576fbdc5a08f4a27a5a278dbd720bd190
                                            • Instruction ID: 90819a1ce33fd453d341e8c97635abdf141b9762a40a048feb8365b4d5374f12
                                            • Opcode Fuzzy Hash: d31af7e8e5ad77a73a3b23a2e69f752576fbdc5a08f4a27a5a278dbd720bd190
                                            • Instruction Fuzzy Hash: 5BA1C575B01A16DFDF059F65C898AAE77B8BF49318B14106EE815ABB41DF30E801CB92
                                            APIs
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 6C9C0A53
                                              • Part of subcall function 6C9809A7: __EH_prolog3.LIBCMT ref: 6C9809AE
                                            • GetClientRect.USER32(?,?), ref: 6C9C0A95
                                              • Part of subcall function 6C984071: ClientToScreen.USER32(?,6C9BDE60), ref: 6C984080
                                              • Part of subcall function 6C984071: ClientToScreen.USER32(?,6C9BDE68), ref: 6C98408D
                                            • IsWindowVisible.USER32(?), ref: 6C9C0CCE
                                            • SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C9C0CF1
                                            • InvalidateRect.USER32(?,00000000,00000001,6CB57B18,00000000,00000000,00000000,00000000,00000053), ref: 6C9C0D60
                                            • UpdateWindow.USER32(?), ref: 6C9C0D69
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Client$RectScreenWindow$CursorH_prolog3InvalidateLoadTimerUpdateVisible
                                            • String ID:
                                            • API String ID: 3378768144-0
                                            • Opcode ID: 3cdaa6b75b2c5a103429300f401d1f68081160679788aa3766c4d42be21b3cf2
                                            • Instruction ID: 055c3b514fa2220a155264f82149084127c941a885927f12670bf71fdbf8251f
                                            • Opcode Fuzzy Hash: 3cdaa6b75b2c5a103429300f401d1f68081160679788aa3766c4d42be21b3cf2
                                            • Instruction Fuzzy Hash: 47A177B0B012159FDF14CF64C894BAD3BB5BF58318F18017AEC19ABB95DB70A844CB92
                                            APIs
                                            • GetParent.USER32(?), ref: 6C9B4399
                                            • GetParent.USER32(?), ref: 6C9B43B8
                                            • GetParent.USER32(?), ref: 6C9B43C7
                                            • RedrawWindow.USER32(?,00000000,00000000,00000505,6CB0A534,00000000), ref: 6C9B442D
                                            • GetParent.USER32(?), ref: 6C9B4436
                                            • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 6C9B445D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Parent$RedrawWindow
                                            • String ID:
                                            • API String ID: 2946272266-0
                                            • Opcode ID: 12483f5e61c1e9f3d9d14c299ffc0290d191f9d7a017b1a9c0aacb3638533f4d
                                            • Instruction ID: caf671d528be9306ed7fdfad57e737ad94a8595e99dbfb0a7967ec77aca3447b
                                            • Opcode Fuzzy Hash: 12483f5e61c1e9f3d9d14c299ffc0290d191f9d7a017b1a9c0aacb3638533f4d
                                            • Instruction Fuzzy Hash: CE71B235B00619AFDF059F64C898AAE7BB9FF48318B180569E815A7790DF34ED01DF90
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C9C85D1
                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C9C863C
                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C9C8659
                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 6C9C8698
                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C9C86F7
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6C9C871A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
APIs
• CallNextHookEx.USER32(00000000,?,?), ref: 6C9B650F
• WindowFromPoint.USER32(?,?), ref: 6C9B6539
• ScreenToClient.USER32(00000020,00000200), ref: 6C9B656F
• GetParent.USER32(00000020), ref: 6C9B65D6
• UpdateWindow.USER32(?), ref: 6C9B663C
• SendMessageW.USER32(?,00000100,00000024,00000000), ref: 6C9B66BA
Similarity
• API ID: Window$CallClientFromHookMessageNextParentPointScreenSendUpdate
• String ID:
• API String ID: 4074787488-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C992732
• IsWindow.USER32(?), ref: 6C9927AD
• ClientToScreen.USER32(?,?), ref: 6C9927BE
• IsWindow.USER32(?), ref: 6C9927DC
• ClientToScreen.USER32(?,?), ref: 6C99280C
• SendMessageW.USER32(?,0000020A,?,?), ref: 6C99286A
Similarity
• API ID: ClientMessageScreenSendWindow
• String ID:
• API String ID: 2093367132-0
APIs
• PtInRect.USER32(?,?,?), ref: 6C9C2E71
• ReleaseCapture.USER32 ref: 6C9C2E7F
• PtInRect.USER32(?,?,?), ref: 6C9C2ED4
• InvalidateRect.USER32(?,?,00000001,?,?,?,6C9C1FCF,00000000,00000000,00000000), ref: 6C9C2F3E
• SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C9C2F62
Similarity
• API ID: Rect$CaptureInvalidateReleaseTimer
• String ID:
• API String ID: 2903485716-0
APIs
• __EH_prolog3_catch.LIBCMT ref: 6C99619E
• UnpackDDElParam.USER32(000003E8,?,?,?), ref: 6C9961D6
• GlobalLock.KERNEL32(?), ref: 6C9961DE
• GlobalUnlock.KERNEL32(?), ref: 6C996212
• ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 6C996255
• PostMessageW.USER32(?,000003E4,?,00000000), ref: 6C996261
Similarity
• API ID: GlobalParam$H_prolog3_catchLockMessagePostReuseUnlockUnpack
• String ID:
• API String ID: 4045269880-0
APIs
• __EH_prolog3.LIBCMT ref: 6C99EEE4
• CreateRectRgnIndirect.GDI32(00000000), ref: 6C99EF04
  • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A5A
  • Part of subcall function 6C983A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C983A70
• GetParent.USER32(00000000), ref: 6C99EF24
• DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C99EF45
• MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C99EF79
• SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C99EFA5
Similarity
• API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
• String ID:
• API String ID: 935984306-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C9A49DD
  • Part of subcall function 6C983F98: __EH_prolog3.LIBCMT ref: 6C983F9F
  • Part of subcall function 6C983F98: GetWindowDC.USER32(00000000,00000004,6C99E53A,00000000), ref: 6C983FCB
• GetClientRect.USER32(?,?), ref: 6C9A49FF
• GetWindowRect.USER32(?,?), ref: 6C9A4A13
  • Part of subcall function 6C9840B0: ScreenToClient.USER32(?,6C999501), ref: 6C9840BF
  • Part of subcall function 6C9840B0: ScreenToClient.USER32(?,6C999509), ref: 6C9840CC
• OffsetRect.USER32(?,?,?), ref: 6C9A4A34
  • Part of subcall function 6C983A7D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C983AB4
  • Part of subcall function 6C983A7D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C983AD1
• OffsetRect.USER32(?,?,?), ref: 6C9A4A56
  • Part of subcall function 6C983ADE: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C983B15
  • Part of subcall function 6C983ADE: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C983B32
• SendMessageW.USER32(?,00000014,?,00000000), ref: 6C9A4A8E
  • Part of subcall function 6C983FED: ReleaseDC.USER32(?,00000000), ref: 6C984021
Similarity
• API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
• String ID:
• API String ID: 3860140383-0
APIs
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0EFFA
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0F010
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0F01B
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0F026
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0F031
• Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA0F03C
Similarity
• API ID: ContextExternal$BaseBase::~Concurrency::details::
• String ID:
• API String ID: 1690591649-0
APIs
• GetLastError.KERNEL32(00000001,?,6CAC2A16,6C98093B,6CAC2055,?,00000007,6CB4F738,00000010,6CAC2078,?,?,6CAC2101,?,00000001,?), ref: 6CAD826A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CAD8278
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CAD8291
• SetLastError.KERNEL32(00000000,00000007,6CB4F738,00000010,6CAC2078,?,?,6CAC2101,?,00000001,?,?,00000001,?,6CB4F760,0000000C), ref: 6CAD82E3
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• type_info::operator==.LIBVCRUNTIME ref: 6CAD8C6E
• CallUnexpected.LIBVCRUNTIME ref: 6CAD8EE7
Strings
Similarity
• API ID: CallUnexpectedtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2673424686-393685449
APIs
• GetFocus.USER32 ref: 6C9A020B
  • Part of subcall function 6C9A02A7: GetWindowLongW.USER32(?,000000F0), ref: 6C9A02C2
  • Part of subcall function 6C9A02A7: GetClassNameW.USER32(?,?,0000000A), ref: 6C9A02D7
  • Part of subcall function 6C9A02A7: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,6C987B06,?,?), ref: 6C9A02EE
• GetParent.USER32(00000000), ref: 6C9A022C
• GetWindowLongW.USER32(00000000,000000F0), ref: 6C9A024B
• GetParent.USER32(00000000), ref: 6C9A0259
• GetDesktopWindow.USER32 ref: 6C9A0261
• SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C9A0275
                                            Similarity
                                            • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
                                            • String ID:
                                            • API String ID: 1233893325-0
                                            • Opcode ID: dbc68107933d538a6efc2904a27d24649ccd137ff34f9fc706aa4b69e921ee9d
                                            • Instruction ID: 95adda6c0d4c097034fcd59f66c3c21d0dfdbab5c3828592e00ab717c6750f59
                                            • Opcode Fuzzy Hash: dbc68107933d538a6efc2904a27d24649ccd137ff34f9fc706aa4b69e921ee9d
                                            • Instruction Fuzzy Hash: 4EF031322027F067DB2326B94C88B6E367CAB82F65F651224FD16A76C09F64D44345D5
                                            APIs
                                            • __EH_prolog3_catch.LIBCMT ref: 6C9B075C
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CtrlH_prolog3H_prolog3_catch
                                            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
                                            • API String ID: 905329913-3577816979
                                            • Opcode ID: 59ff92fcda873ecfb617fb8e9552fd5da9e97b63420b99ed2f18b64a508e28b0
                                            • Instruction ID: 2a9142e81343db8e0c471475b6996735ee940326c32f0eb7f6a4f4f58b4aa97c
                                            • Opcode Fuzzy Hash: 59ff92fcda873ecfb617fb8e9552fd5da9e97b63420b99ed2f18b64a508e28b0
                                            • Instruction Fuzzy Hash: 1E916975A00249EFDF00DFA4C994AEEB7BABF99318F144069E415BB791DB30AD04CB61
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C994599
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                            • swprintf.LIBCMT ref: 6C9945EE
                                            • swprintf.LIBCMT ref: 6C994692
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: swprintf$H_prolog3_LongWindow
                                            • String ID: - $:%d
                                            • API String ID: 524023746-2359489159
                                            • Opcode ID: 88350a46a853d879a049dc51a64705daa34e57ca75f542982635f5864880d468
                                            • Instruction ID: aba9444900b887b14e5e96c7f151dd801dcd97047b2eb0cf49d3d2cbbd370192
                                            • Opcode Fuzzy Hash: 88350a46a853d879a049dc51a64705daa34e57ca75f542982635f5864880d468
                                            • Instruction Fuzzy Hash: A33170B29015146ADB1997B0CD54FFEB36CFF24208F050456E619E7A91DB30EE4D8FA0
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA0A13F
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3$Ctrl
                                            • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
                                            • API String ID: 3879667756-2169875744
                                            • Opcode ID: b9a369701bbeded025b7cdbf1bf4d35be84bc40550776c0a082e6a98ff0636c6
                                            • Instruction ID: c7a991017761ae79dbf2e90e353e43fa28825c92f8e90d5174fa5447d6d9ea4f
                                            • Opcode Fuzzy Hash: b9a369701bbeded025b7cdbf1bf4d35be84bc40550776c0a082e6a98ff0636c6
                                            • Instruction Fuzzy Hash: 7831A435A002199FCF00DFA4CC549FEB776BFA9318F080568E52667791DB349D05CBA1
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA0A02B
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3$Ctrl
                                            • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
                                            • API String ID: 3879667756-2169875744
                                            • Opcode ID: 3ccbf60c059657fe3fb4fd438201e2ee9069cdd1019349f871f0e53c5bb3ddad
                                            • Instruction ID: 12a7aa4c2245cf19544b1f55f9ee8669449919462b50f122bb07991c0c836b52
                                            • Opcode Fuzzy Hash: 3ccbf60c059657fe3fb4fd438201e2ee9069cdd1019349f871f0e53c5bb3ddad
                                            • Instruction Fuzzy Hash: D2318075A002099BCF10DFA4C884AFEBBB5BF69318F180168E925B7791DB719D45CBA0
                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll,B073DD17,?,?,?,Function_0019C030,000000FF), ref: 6C9A6E41
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6C9A6E51
                                              • Part of subcall function 6C99B7FC: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C99B80F
                                              • Part of subcall function 6C99B7FC: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C99B81F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegDeleteKeyExW
                                            • API String ID: 1646373207-2191092095
                                            • Opcode ID: ffcfb27840d89d0ca27c495d6bbb88221cc8d979ff20c20b554dbf868ecff8c1
                                            • Instruction ID: 98bf3d358a37822af95404644af711dbe6eef688e1247ce4b3141071f4f46f01
                                            • Opcode Fuzzy Hash: ffcfb27840d89d0ca27c495d6bbb88221cc8d979ff20c20b554dbf868ecff8c1
                                            • Instruction Fuzzy Hash: 0611B27A645154EFDF128F99D804B4EBF79FB0A718F60452AE819D3A50D732E821CB80
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C9AA236
                                            • GetClassNameW.USER32(?,00000000,00000400), ref: 6C9AA267
                                            • GetWindowLongW.USER32(?,000000F0), ref: 6C9AA2A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClassH_prolog3LongNameWindow
                                            • String ID: ComboBox$ComboBoxEx32
                                            • API String ID: 297531199-1907415764
                                            • Opcode ID: 6b3864719e6c68a8b1fc51d01ce7cbd398f700192c67660494e665396894c4d8
                                            • Instruction ID: fc9424dd08304309271d13ce72d7389ed0cb3532111efbbc67d6ecbf769575e3
                                            • Opcode Fuzzy Hash: 6b3864719e6c68a8b1fc51d01ce7cbd398f700192c67660494e665396894c4d8
                                            • Instruction Fuzzy Hash: 73019236405226ABDB109B94CD58BEEB378BF3533CF540618E51072ED4DF35E829CAA4
                                            APIs
                                            • FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CB07E5C,?,6CA048B3,?,?,?,00000038,6CA01F9E), ref: 6CA0659F
                                            • LoadResource.KERNEL32(00000000,00000000,?,6CB07E5C,?,6CA048B3,?,?,?,00000038,6CA01F9E), ref: 6CA065AD
                                            • LockResource.KERNEL32(00000000,?,6CB07E5C,?,6CA048B3,?,?,?,00000038,6CA01F9E), ref: 6CA065B8
                                            • SizeofResource.KERNEL32(00000000,00000000,?,6CB07E5C,?,6CA048B3,?,?,?,00000038,6CA01F9E), ref: 6CA065C6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Resource$FindLoadLockSizeof
                                            • String ID: PNG
                                            • API String ID: 3473537107-364855578
                                            • Opcode ID: c6b1cfd77eb398006f5730ec278f92216f14cc18c92749c545365630ff7bc87c
                                            • Instruction ID: a5628aa5c4fd7e87228a9d0bacf435aed2ded7d6edf2f69d0da1f71fbfb27f8f
                                            • Opcode Fuzzy Hash: c6b1cfd77eb398006f5730ec278f92216f14cc18c92749c545365630ff7bc87c
                                            • Instruction Fuzzy Hash: 31F0AF36301620BB9B21ABA59C08C9F377CDA966ED3140115FC05E3B08DB30FA8087A0
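The entry above is the classic resource chain: FindResourceW looks up a resource of the custom type "PNG", LoadResource and LockResource map it, and SizeofResource returns its length. Inside an MFC DLL this is how toolbar and ribbon images are normally loaded, but the same four calls are also the standard way a dropper pulls an embedded payload out of its own resources, so the check a practitioner wants is what the PNG-typed resources actually contain. The following Python is an added example, not code from the report or from the sample: it builds a constructed .rsrc section holding one resource (type "PNG", ID 101, language 0x409; the payload is a PNG signature followed by zero bytes, not data from this sample) and then resolves it the way the Windows loader does, type -> name -> language -> data entry -> bytes. The section RVA 0x3000 and the resource ID are assumptions of the example; the parser itself can be pointed at a .rsrc section dumped from a real file, as long as the section's RVA is passed in, because the data entry stores an RVA rather than a section offset.

```python
import struct

# Structure layouts from winnt.h.
DIR_FMT = "<IIHHHH"   # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, NamedCount, IdCount
DIR_SIZE = struct.calcsize(DIR_FMT)            # 16 bytes
ENTRY_FMT = "<II"     # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name or Id, OffsetToData
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)        # 8 bytes
DATA_FMT = "<IIII"    # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
HIGH_BIT, LOW31 = 0x80000000, 0x7FFFFFFF


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: u16 character count followed by UTF-16LE text, no NUL."""
    count = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * count].decode("utf-16-le")


def _entries(rsrc, dir_off):
    """Yield (key, target_off, is_dir) for each entry of the directory at dir_off.
    key is a str for named entries (high bit of Name set) and an int for ID entries;
    a set high bit in OffsetToData means the target is a sub-directory, not a data entry."""
    if dir_off + DIR_SIZE > len(rsrc):
        raise ValueError("resource directory lies outside the section")
    named, ids = struct.unpack_from(DIR_FMT, rsrc, dir_off)[4:6]
    pos = dir_off + DIR_SIZE
    for _ in range(named + ids):
        name, target = struct.unpack_from(ENTRY_FMT, rsrc, pos)
        key = _read_name(rsrc, name & LOW31) if name & HIGH_BIT else name
        yield key, target & LOW31, bool(target & HIGH_BIT)
        pos += ENTRY_SIZE


def _matches(key, wanted):
    """None matches any entry; string names compare case-insensitively like the loader does."""
    if wanted is None or key == wanted:
        return True
    return isinstance(key, str) and isinstance(wanted, str) and key.lower() == wanted.lower()


def find_resource(rsrc, rsrc_rva, res_type, res_name=None):
    """FindResource + LoadResource + LockResource + SizeofResource over a raw .rsrc section.
    Walks type -> name -> language -> data entry and returns the resource bytes.
    res_type / res_name: str for a named entry (e.g. "PNG"), int for an ID, None for the first."""
    def pick(dir_off, wanted):
        for key, target, is_dir in _entries(rsrc, dir_off):
            if _matches(key, wanted):
                return target, is_dir
        raise LookupError(f"resource {wanted!r} not found")

    type_dir, _ = pick(0, res_type)
    name_dir, _ = pick(type_dir, res_name)
    data_off, is_dir = pick(name_dir, None)          # first language entry
    if is_dir:
        raise ValueError("expected a data entry below the language level")
    rva, size, _codepage, _reserved = struct.unpack_from(DATA_FMT, rsrc, data_off)
    start = rva - rsrc_rva                            # convert the RVA to an offset inside the section
    if start < 0 or start + size > len(rsrc):
        raise ValueError("data entry points outside the .rsrc section")
    return rsrc[start:start + size]


def has_resource(rsrc, rsrc_rva, res_type, res_name=None):
    """True when the type/name pair resolves to a data entry."""
    try:
        find_resource(rsrc, rsrc_rva, res_type, res_name)
        return True
    except LookupError:
        return False


def build_sample_rsrc(rsrc_rva, type_name, res_id, lang, payload):
    """Constructed .rsrc section holding a single resource type_name / res_id / lang -> payload.
    Fixed layout: root dir at 0, its entry at 16, name dir 24, entry 40, lang dir 48, entry 64,
    data entry 72, the type-name string at 88 and the payload right after it."""
    def directory(named, ids):
        return struct.pack(DIR_FMT, 0, 0, 0, 0, named, ids)

    name_str = struct.pack("<H", len(type_name)) + type_name.encode("utf-16-le")
    name_off = 88
    data_start = name_off + len(name_str)
    return (directory(1, 0) + struct.pack(ENTRY_FMT, name_off | HIGH_BIT, 24 | HIGH_BIT)
            + directory(0, 1) + struct.pack(ENTRY_FMT, res_id, 48 | HIGH_BIT)
            + directory(0, 1) + struct.pack(ENTRY_FMT, lang, 72)
            + struct.pack(DATA_FMT, rsrc_rva + data_start, len(payload), 0, 0)
            + name_str + payload)


# Constructed sample: a PNG signature followed by zero bytes, not data taken from this sample.
# The section RVA and the resource ID are assumptions of the example.
SAMPLE_RSRC_RVA = 0x3000
SAMPLE_PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE_RSRC = build_sample_rsrc(SAMPLE_RSRC_RVA, "PNG", 101, 0x409, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    blob = find_resource(SAMPLE_RSRC, SAMPLE_RSRC_RVA, "PNG", 101)
    print(len(blob), "bytes, PNG signature present:", blob[:8] == b"\x89PNG\r\n\x1a\n")
```

When this is run against a dumped section from a real file, the bounds checks matter: a resource tree that points outside the section, or a language level that holds another directory instead of a data entry, is malformed on purpose more often than by accident, and the parser refuses it instead of reading past the buffer. Checking the first bytes of each PNG-typed resource against the PNG signature is the quick way to tell image data from a stashed payload.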
                                            APIs
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A685C
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C9A6845
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A684E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmDefWindowProc$dwmapi.dll
                                            • API String ID: 1102202064-234806475
                                            • Opcode ID: ee4b1662e80652773023d6a3f673d7f743d0cfbca70471a7d4e718999e520197
                                            • Instruction ID: 56e767a6e9a38ba660d032b899cff0edcb2db464cb2f81e2e1edcf3fb4a1a6f9
                                            • Opcode Fuzzy Hash: ee4b1662e80652773023d6a3f673d7f743d0cfbca70471a7d4e718999e520197
                                            • Instruction Fuzzy Hash: 4BF0903660522AABCF062FECEC0485E3FBCAF096A43004561FD09D3A50EB31C911CF90
                                            APIs
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6920
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C9A6909
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6912
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmSetWindowAttribute$dwmapi.dll
                                            • API String ID: 1102202064-3105884578
                                            • Opcode ID: 89bd134d72f06559102620ac2446760c60280a81efc01ec0a201ce71a5b46a5b
                                            • Instruction ID: 0063131c025a8d158ed23ed2f8329ece34ebee4a0cdf91492c3716ce5da22772
                                            • Opcode Fuzzy Hash: 89bd134d72f06559102620ac2446760c60280a81efc01ec0a201ce71a5b46a5b
                                            • Instruction Fuzzy Hash: C6F0B43668222AAFCF122FE89D0886E3BB8EB49B693000111FD0DD7A50DB31C801CA94
                                            APIs
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6A43
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C9A6A2C
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6A35
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
                                            • API String ID: 1102202064-1757063745
                                            • Opcode ID: 3a957243331595d77be1fb57a4f79ff65844d6ae7f05fce10ee77aaa5031d5ee
                                            • Instruction ID: f8b66d841265185a822eaf3ee357d7191f989cbbb4ac78e7cb923d15716d7087
                                            • Opcode Fuzzy Hash: 3a957243331595d77be1fb57a4f79ff65844d6ae7f05fce10ee77aaa5031d5ee
                                            • Instruction Fuzzy Hash: D5F0B47A685226ABCF126FE89C0896E3FB9AB057547048511FC09D3A00EB31C901CA90
                                            APIs
                                            • DecodePointer.KERNEL32(00000000,?,?,6C99F22E,6CB5825C,0000002C), ref: 6C9A68C1
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C9A68AA
                                            • EncodePointer.KERNEL32(00000000,?,?,6C99F22E,6CB5825C,0000002C), ref: 6C9A68B3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmIsCompositionEnabled$dwmapi.dll
                                            • API String ID: 1102202064-1198327662
                                            • Opcode ID: ac55f1bf402fb0a00b9e342b42387e9fb225acb9a68c97650fe392b500ce3fde
                                            • Instruction ID: f47a1fb16a8b796228cc6206ce0f55b4392d26c92aaf6d70e1d223edb9a23f0a
                                            • Opcode Fuzzy Hash: ac55f1bf402fb0a00b9e342b42387e9fb225acb9a68c97650fe392b500ce3fde
                                            • Instruction Fuzzy Hash: 4FF08235605235AFDF167BECD808A6E3BBCAB0676970505A2FC09D7A40EB35D901CAA4
                                            APIs
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A6985
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C9A696E
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A6977
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmSetIconicThumbnail$dwmapi.dll
                                            • API String ID: 1102202064-2331651847
                                            • Opcode ID: 289affdec41846a2767df4d6e654027857e8813e1a5154fffe9176d5f8cd9544
                                            • Instruction ID: a75041f00a930490540ef427b450c62c2310be2e8990de6da2629bae44818dec
                                            • Opcode Fuzzy Hash: 289affdec41846a2767df4d6e654027857e8813e1a5154fffe9176d5f8cd9544
                                            • Instruction Fuzzy Hash: 2EF0E239651226AFCF222FE8CC0895E7BFCAF967A83000111FC0DD3A50DB30C842CA98
                                            APIs
                                            • DecodePointer.KERNEL32(00000000), ref: 6C9A69E7
                                              • Part of subcall function 6C98AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C98AA8A
                                              • Part of subcall function 6C98AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C98AA9A
                                              • Part of subcall function 6C98AA64: EncodePointer.KERNEL32(00000000), ref: 6C98AAA3
                                            • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C9A69D0
                                            • EncodePointer.KERNEL32(00000000), ref: 6C9A69D9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                                            • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
                                            • API String ID: 1102202064-1901905683
                                            • Opcode ID: 39489baa3da6a3f660f14f61157a667cb877acbf80cfbb7508f5b8f0a47b5318
                                            • Instruction ID: 16fd0de251eaa7ef2f36e9b03a372648403eec888d4e0a86d283430132940794
                                            • Opcode Fuzzy Hash: 39489baa3da6a3f660f14f61157a667cb877acbf80cfbb7508f5b8f0a47b5318
                                            • Instruction Fuzzy Hash: CDF0A035685366ABDB126EE8880992E37BC6B467AD3428111FC0ED3E40EB34CC02CE94
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9BAE5E
                                            • IsWindow.USER32(00000000), ref: 6C9BAE72
                                            • GetClientRect.USER32(00000000,00000000), ref: 6C9BAEC7
                                            • GetCursorPos.USER32(?), ref: 6C9BB090
                                            • ScreenToClient.USER32(00000000,?), ref: 6C9BB09D
                                              • Part of subcall function 6C9B59F1: __EH_prolog3_GS.LIBCMT ref: 6C9B59FB
                                              • Part of subcall function 6C9B59F1: GetClientRect.USER32(00000000,00000000), ref: 6C9B5A55
                                              • Part of subcall function 6C9B382B: __EH_prolog3_GS.LIBCMT ref: 6C9B3835
                                              • Part of subcall function 6C9B382B: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C9B3860
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
                                            • String ID:
                                            • API String ID: 3214297127-0
                                            • Opcode ID: cc85fbb43a2159f352bd31496d0a402a89b659daa7f86ea18f878324e3c36112
                                            • Instruction ID: 1449959b628db27290edd33fc89bcd6d0039a38aa39072cf1d663e4322d5de47
                                            • Opcode Fuzzy Hash: cc85fbb43a2159f352bd31496d0a402a89b659daa7f86ea18f878324e3c36112
                                            • Instruction Fuzzy Hash: 4A915A71A012189FCF05DFA5C884AEEBBB9BF59304F14416AE805BB755DB30E949CFA0
                                            APIs
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                            • GetWindowRect.USER32(?,?), ref: 6C9C6076
                                            • GetSystemMetrics.USER32(00000021), ref: 6C9C607E
                                            • GetSystemMetrics.USER32(00000020), ref: 6C9C6088
                                            • GetKeyState.USER32(00000002), ref: 6C9C60AC
                                            • InflateRect.USER32(?,?,00000000), ref: 6C9C60E5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MetricsRectSystemWindow$InflateLongState
                                            • String ID:
                                            • API String ID: 2406722796-0
                                            • Opcode ID: 192cffb33fce45ed91e35acfc23f54ea180ee7e02c50a026e78e8cb05ab4f514
                                            • Instruction ID: 50c551bd7368e7748356c3cef2446be79effdf0f256b9fdccd7a1ac5308f80c5
                                            • Opcode Fuzzy Hash: 192cffb33fce45ed91e35acfc23f54ea180ee7e02c50a026e78e8cb05ab4f514
                                            • Instruction Fuzzy Hash: 5631F632B00619AFDB11DEB8C84ABBE77B9FB45715F204615E511EB581DB70CA80C783
                                            APIs
                                            • GetCursorPos.USER32(00000000), ref: 6C986E7C
                                            • GetKeyState.USER32(00000011), ref: 6C986E84
                                            • ScreenToClient.USER32(?,00000000), ref: 6C986F1C
                                            • ClientToScreen.USER32(?,00000000), ref: 6C986F69
                                            • SetCursorPos.USER32(00000000,00000000), ref: 6C986F75
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClientCursorScreen$State
                                            • String ID:
                                            • API String ID: 3982492586-0
                                            • Opcode ID: 601053edb65716d11d9745af31f24662aaf2121ceab0d0ccce2daeaac014b802
                                            • Instruction ID: d173552036699aebaca54201cd457e7c3231af00eed4391ca5d3cddb674a3d5a
                                            • Opcode Fuzzy Hash: 601053edb65716d11d9745af31f24662aaf2121ceab0d0ccce2daeaac014b802
                                            • Instruction Fuzzy Hash: 6131F672622114EFCB09CFB8C454BADBBB5FB46314F204A6AE412DB990D730DE60CB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClientCursorScreen$Rect
                                            • String ID:
                                            • API String ID: 1082406499-0
                                            • Opcode ID: b6e9a00bc2a86d64e1d79a72e345c6c86fdc9aecb20821fa78c48c09f170c66b
                                            • Instruction ID: 80b0cf001609148258d00421d9c43e301b797fd27e7fb4b8653ff6cfd0bcc5d3
                                            • Opcode Fuzzy Hash: b6e9a00bc2a86d64e1d79a72e345c6c86fdc9aecb20821fa78c48c09f170c66b
                                            • Instruction Fuzzy Hash: EA316D31B0021AEFCF09DFA4C984AAEB7B9FF59308F10012BE515A7640DB31A955CB95
                                            APIs
                                              • Part of subcall function 6C982201: GetParent.USER32(?), ref: 6C982204
                                              • Part of subcall function 6C982201: GetParent.USER32(00000000), ref: 6C98220B
                                            • GetWindowLongW.USER32(?,000000EC), ref: 6C9827EF
                                            • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 6C982843
                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 6C982852
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 6C982868
                                            • GetClientRect.USER32(?,?), ref: 6C98287C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$LongParent$ClientRectRedraw
                                            • String ID:
                                            • API String ID: 556606033-0
                                            • Opcode ID: 95957432f1f46df6a56132937271dc0313288da35891f97a6fda5ce925e6acce
                                            • Instruction ID: 81d5800cd5bfcf2104e1f04c8cf70b05a70d4ede792b4f7cea3d6f1b772dc1eb
                                            • Opcode Fuzzy Hash: 95957432f1f46df6a56132937271dc0313288da35891f97a6fda5ce925e6acce
                                            • Instruction Fuzzy Hash: 09212832702A25BBEF065BA5CC88AAE76BCFF15758F640A74E821D7690DB70DC1087D0
                                            APIs
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                              • Part of subcall function 6C982201: GetParent.USER32(?), ref: 6C982204
                                              • Part of subcall function 6C982201: GetParent.USER32(00000000), ref: 6C98220B
                                            • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C982501
                                            • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C98252A
                                            • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C982549
                                            • SendMessageW.USER32(?,00000222,?,00000000), ref: 6C982563
                                            • SendMessageW.USER32(?,00000222,00000000,?), ref: 6C98258C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSend$Parent$LongWindow
                                            • String ID:
                                            • API String ID: 4191550487-0
                                            • Opcode ID: da0f8b4861aec46ffd8616e32105480f5a31d61440c9fe5152a55a036903ca9d
                                            • Instruction ID: 5225b3fdd07129f358773c757c4f76347c5c0106cdcba3fb77e79f42cea0ebf0
                                            • Opcode Fuzzy Hash: da0f8b4861aec46ffd8616e32105480f5a31d61440c9fe5152a55a036903ca9d
                                            • Instruction Fuzzy Hash: A121B472301A14BFEB215BB1CC88FAEB67DFB28368F140A15E156975D0C775ED5086A0
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 6C9BCEC2
                                            • GetClientRect.USER32(?,?), ref: 6C9BCEEE
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCF06
                                            • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9BCF2F
                                            • SendMessageW.USER32(?,00000200,?,?), ref: 6C9BCF4E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$ClientCursorMessagePointsSendWindow
                                            • String ID:
                                            • API String ID: 1257894355-0
                                            • Opcode ID: 0cc498ffdc238dced3f8a74930ffabf48a455db2ae0ee68d6b0bac45a9df9d01
                                            • Instruction ID: babc9254bfdefcdce04f4e6d72c766f0d37a67ed9ad93370c05c6218ce7ce893
                                            • Opcode Fuzzy Hash: 0cc498ffdc238dced3f8a74930ffabf48a455db2ae0ee68d6b0bac45a9df9d01
                                            • Instruction Fuzzy Hash: D731A271A0021AFFDF119FA5C8449BFBBB9FF05314F20422AF929A2550E731E920CB90
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 6C9BE7DC
                                              • Part of subcall function 6C99BC0C: GetWindowLongW.USER32(?,000000EC), ref: 6C99BC19
                                            • OffsetRect.USER32(?,?,00000000), ref: 6C9BE838
                                            • UnionRect.USER32(?,?,?), ref: 6C9BE851
                                            • EqualRect.USER32(?,?), ref: 6C9BE85F
                                            • UpdateWindow.USER32(?), ref: 6C9BE896
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Window$EqualLongOffsetUnionUpdate
                                            • String ID:
                                            • API String ID: 4261707372-0
                                            • Opcode ID: 224cafcf9ba439e86df84a6317d6302c7d04d26aa20f04a34b711569bdbee342
                                            • Instruction ID: a49c01da9b2cf5c566cb96035b4616407ffab26437eb4aea594916155f594a48
                                            • Opcode Fuzzy Hash: 224cafcf9ba439e86df84a6317d6302c7d04d26aa20f04a34b711569bdbee342
                                            • Instruction Fuzzy Hash: B8316075E00619ABCB04DFA8C944ADEFBBDBF59308F104366E519E3250DB70E994CB90
                                            APIs
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6CA320F9
                                              • Part of subcall function 6C99BFF7: EnableWindow.USER32(?,?), ref: 6C99C008
                                            • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CA32136
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6CA3214D
                                            • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CA32166
                                              • Part of subcall function 6CA330BC: GetWindowRect.USER32(?,?), ref: 6CA330E9
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 6CA321A7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$EnableRect
                                            • String ID:
                                            • API String ID: 3648841934-0
                                            • Opcode ID: 78d048ebc422cca1810f51b4bb252b592050c32c3890851b6cd9b8447179a333
                                            • Instruction ID: 515b65688ee523a85f45498cb9dabc2c516aa398238ad589863662e2392fa243
                                            • Opcode Fuzzy Hash: 78d048ebc422cca1810f51b4bb252b592050c32c3890851b6cd9b8447179a333
                                            • Instruction Fuzzy Hash: 9221B732200B246FD7319E66CC88EABB7B9EB81745F14152AF65DC2540DB70A881CFA0
                                            APIs
                                              • Part of subcall function 6C9B686C: __EH_prolog3_GS.LIBCMT ref: 6C9B6873
                                              • Part of subcall function 6C9B686C: GetWindowRect.USER32(00000000,00000000), ref: 6C9B68BC
                                              • Part of subcall function 6C9B686C: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C9B68E6
                                              • Part of subcall function 6C9B686C: SetWindowRgn.USER32(00000000,?,00000000), ref: 6C9B68FC
                                            • GetSystemMenu.USER32(?,00000000), ref: 6C9B8EB6
                                            • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6C9B8ED3
                                            • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C9B8EE2
                                            • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C9B8EF1
                                            • EnableMenuItem.USER32(?,0000F060,00000001), ref: 6C9B8F19
                                              • Part of subcall function 6C9B7650: SetRectEmpty.USER32(?), ref: 6C9B767B
                                              • Part of subcall function 6C9B7650: ReleaseCapture.USER32 ref: 6C9B7681
                                              • Part of subcall function 6C9B7650: SetCapture.USER32(?,?,?,?,6C9AF5F2,?), ref: 6C9B7694
                                              • Part of subcall function 6C9B7650: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C9B7794
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
                                            • String ID:
                                            • API String ID: 4022425685-0
                                            • Opcode ID: ba045de1ba623fc9d9f7e8f1e1f38b59d850af794acdf809502b3274a652ad5c
                                            • Instruction ID: de8ec14595efe49bd87f1e8d28c69bec73e393c321a9f79edbda004be934b154
                                            • Opcode Fuzzy Hash: ba045de1ba623fc9d9f7e8f1e1f38b59d850af794acdf809502b3274a652ad5c
                                            • Instruction Fuzzy Hash: 9021E231301216EBDF152FA1CC889AE7F3AFF583587084066FA09AB791DB30D810DA94
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 6C989005
                                            • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C989019
                                            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C98902C
                                            • SetWindowLongW.USER32(?,000000F0,?), ref: 6C989063
                                            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C989078
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$Long
                                            • String ID:
                                            • API String ID: 3430364388-0
                                            • Opcode ID: cff119017c67354afbffed3e6fc4a1c9c9cda1c1063ae62c4aa05c9ec3c83b3b
                                            • Instruction ID: aa80729dc6546915076ea76b2e2fe27e9e197531cba80f831c7710e757e9e63e
                                            • Opcode Fuzzy Hash: cff119017c67354afbffed3e6fc4a1c9c9cda1c1063ae62c4aa05c9ec3c83b3b
                                            • Instruction Fuzzy Hash: 1321D772202624FFEB214FA4CC84E6E7BB9FB55719F10462DB15AAB690DB71DC00C750
                                            APIs
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(6CB58410,?,?,0000007C,?,6C98F878,00000001), ref: 6C9A34F1
                                              • Part of subcall function 6C9A34C0: InitializeCriticalSection.KERNEL32(00000000,?,6C98F878,00000001), ref: 6C9A3507
                                              • Part of subcall function 6C9A34C0: LeaveCriticalSection.KERNEL32(6CB58410,?,6C98F878,00000001), ref: 6C9A3515
                                              • Part of subcall function 6C9A34C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C98F878,00000001), ref: 6C9A3522
                                            • SetCursor.USER32(00000009), ref: 6C986418
                                            • LoadCursorW.USER32(?,00007905), ref: 6C98645D
                                            • LoadCursorW.USER32(00000000,00007F85), ref: 6C986473
                                            • SetCursor.USER32(?,?,00000009), ref: 6C98648C
                                            • DestroyCursor.USER32(00000000), ref: 6C986497
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
                                            • String ID:
                                            • API String ID: 900973665-0
                                            • Opcode ID: 9937f4f3605763b7de2feebce1460e84652bacc8760b3fcb1ad511eba6c63926
                                            • Instruction ID: 9feaf89e94135ffad6bce4d00caa53a65fd86d600a1db736360ba3120966ea48
                                            • Opcode Fuzzy Hash: 9937f4f3605763b7de2feebce1460e84652bacc8760b3fcb1ad511eba6c63926
                                            • Instruction Fuzzy Hash: 7A11DF72B271658BDB109FB4C485E4EBAB8E752308F200D36E118CBB51C779E440C7A2
                                            APIs
                                            • IsWindow.USER32(00000000), ref: 6C988E40
                                            • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C988E54
                                            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C988E67
                                            • SetWindowLongW.USER32(?,000000F0,?), ref: 6C988E86
                                            • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C988E9C
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$Long
                                            • String ID:
                                            • API String ID: 3430364388-0
                                            • Opcode ID: 93472456ac5e4bfc1c97cc7100dd55d8be6b47edac3185de333c1fea9e5de381
                                            • Instruction ID: 60f2e9f05089b838b5956379bd95a6d8ce18b3a808440054c90976bbcca340de
                                            • Opcode Fuzzy Hash: 93472456ac5e4bfc1c97cc7100dd55d8be6b47edac3185de333c1fea9e5de381
                                            • Instruction Fuzzy Hash: 5911D272302624BBEB206B65CC08F1F7AB9FB91B14F244619A141972A1DBB19800C774
                                            APIs
                                            • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C99AAA7
                                            • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C99AAC7
                                            • RegCloseKey.ADVAPI32(00000000), ref: 6C99AAF8
                                              • Part of subcall function 6C99AE4D: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C99AEF2
                                              • Part of subcall function 6C99AE4D: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C99AF01
                                            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C99AAEF
                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C99AB13
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Close$DeleteValue$PrivateProfileStringWrite
                                            • String ID:
                                            • API String ID: 222425065-0
                                            • Opcode ID: b8135b99a070bf9a03c1e5fe9faac549c94a3cd50b287198706fa52d31b063f5
                                            • Instruction ID: 8b99c08f0506c6e666338576dfe733f693ee11854a82c57ca3c7358045ce29bb
                                            • Opcode Fuzzy Hash: b8135b99a070bf9a03c1e5fe9faac549c94a3cd50b287198706fa52d31b063f5
                                            • Instruction Fuzzy Hash: 4E110233A12622BBCB221FB58C08E8F7B7FEF46764B084020F9099A910DF31C851C7A0
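The per-function listings on this page all share one line format: `Api.Module(args), ref: <call site>`, with calls made from a callee prefixed by `Part of subcall function <address>:` and calls that take no arguments written without parentheses. The registry block just above is the one worth decoding by hand: the fourth argument of RegSetValueExW is dwType, and 00000001 is REG_SZ, while the trailing WritePrivateProfileStringW is the INI fallback of a registry-or-INI settings writer (the sequence RegDeleteKeyW / RegDeleteValueW / RegSetValueExW / WritePrivateProfileStringW is consistent with MFC's CWinApp::WriteProfileString). What follows is an added example, not part of the Joe Sandbox report or of the sample's code: a parser for that line format plus a small triage pass, run over a constructed sample copied from three of the functions on this page. The message and registry-type names come from winuser.h, winnt.h and MFC's afxpriv.h; the WATCH table and its tags are this example's own choice of what deserves a second look.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox disassembly report
and triage them.  Added example for this page, not Joe Sandbox's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the report's line format: three of the functions listed
# on this page (registry/INI profile writer, global-atom handler, capture release).
SAMPLE = """\
APIs
• RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C99AAA7
• RegCloseKey.ADVAPI32(00000000), ref: 6C99AAF8
  • Part of subcall function 6C99AE4D: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C99AEF2
• RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C99AAEF
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C99AB13
Memory Dump Source
• Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
APIs
• GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C996127
• GlobalAddAtomW.KERNEL32(?), ref: 6C996134
• SendMessageW.USER32(00000000,000003E4,00000000,?), ref: 6C996180
Memory Dump Source
APIs
• PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6C994546
• GetCapture.USER32 ref: 6C99454C
• PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C99457F
Memory Dump Source
"""

# One call line: optional "Part of subcall function X:" prefix, Api.Module,
# optional "(args)", then "ref: <hex>".  Argument-less calls have no parentheses.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple            # raw 8-digit hex strings, or "?" where the tracer had no value
    ref: int               # address of the call site
    caller: Optional[int]  # subcall function address; None for the function's own calls

    @property
    def direct(self) -> bool:
        return self.caller is None

def parse_api_blocks(text: str) -> list:
    """One list of ApiCall per 'APIs' heading; a block ends at 'Memory Dump Source'."""
    blocks, current = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = []
            blocks.append(current)
        elif head == "Memory Dump Source":
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            caller = int(m["caller"], 16) if m["caller"] else None
            current.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller))
    return blocks

# Names behind the raw numbers: winuser.h (CB_*, WM_DDE_ACK), MFC afxpriv.h
# (WM_KICKIDLE) and winnt.h (REG_* value types).
MSG_NAMES = {0x146: "CB_GETCOUNT", 0x14E: "CB_SETCURSEL", 0x150: "CB_GETITEMDATA",
             0x3E4: "WM_DDE_ACK", 0x36A: "WM_KICKIDLE"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _num(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def describe(call: ApiCall) -> str:
    """Call site, API and origin, plus the decoded message ID or registry value type."""
    note = ""
    if call.api in ("SendMessageW", "PostMessageW") and len(call.args) >= 2:
        msg = _num(call.args[1])
        if msg is not None:
            note = f" msg={MSG_NAMES.get(msg, f'0x{msg:04X}')}"
    elif call.api == "RegSetValueExW" and len(call.args) >= 4:   # 4th argument is dwType
        typ = _num(call.args[3])
        if typ is not None:
            note = f" type={REG_TYPES.get(typ, f'0x{typ:X}')}"
    where = "direct" if call.direct else f"via {call.caller:08X}"
    return f"{call.ref:08X} {call.api} [{where}]{note}"

# APIs worth a second look when a function block turns up in triage (this
# example's own selection, not a Joe Sandbox signature).
WATCH = {"RegSetValueExW": "registry write", "RegCreateKeyExW": "registry write",
         "RegDeleteKeyW": "registry delete", "RegDeleteValueW": "registry delete",
         "WritePrivateProfileStringW": "INI write", "GlobalAddAtomW": "global atom"}

def triage(blocks: list) -> list:
    """(call site, api, tag) for every watched API across all blocks, in report order."""
    return [(c.ref, c.api, WATCH[c.api]) for block in blocks for c in block if c.api in WATCH]

if __name__ == "__main__":
    parsed = parse_api_blocks(SAMPLE)
    for block in parsed:
        for call in block:
            print(describe(call))
    print(triage(parsed))
```

The triage list points at call sites to inspect in the dump, not at verdicts: a REG_SZ write followed by an INI fallback is the shape of ordinary settings storage, and whether it is persistence depends on the key and value names, which this trace leaves as `?`. Subcall lines are kept but marked `via <address>` so that a hit inside shared helper code is not attributed to every function that calls it.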
                                            APIs
                                            • EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9BC0CA
                                            • EnableMenuItem.USER32(?,00004213,00000000), ref: 6C9BC0DB
                                            • EnableMenuItem.USER32(?,00004214,00000000), ref: 6C9BC10A
                                            • CheckMenuItem.USER32(?,00004213,00000008), ref: 6C9BC130
                                            • CheckMenuItem.USER32(?,00004214,00000000), ref: 6C9BC13C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Enable$Check
                                            • String ID:
                                            • API String ID: 1852492618-0
                                            • Opcode ID: 04b6c194d63c6d20e4b978f89a1db497ce794742c6b3f29d4ac6abe61887b561
                                            • Instruction ID: bc58fbe8116cca9f09734ebfc335cb89bcb73f9334ba758b2049e0d2657c8920
                                            • Opcode Fuzzy Hash: 04b6c194d63c6d20e4b978f89a1db497ce794742c6b3f29d4ac6abe61887b561
                                            • Instruction Fuzzy Hash: E8119D71380609BFEB10AEA8CD85A17B7BDFB16758F408529F209E6860D770EC60CA90
                                            APIs
                                            • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C996127
                                            • GlobalAddAtomW.KERNEL32(?), ref: 6C996134
                                            • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C99614E
                                            • GlobalAddAtomW.KERNEL32(?), ref: 6C99615B
                                            • SendMessageW.USER32(00000000,000003E4,00000000,?), ref: 6C996180
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AtomGlobal$Name$MessageSend
                                            • String ID:
                                            • API String ID: 1515195355-0
                                            • Opcode ID: d8535b78f95741972ba077773d6e01bccead169d00f86be8f1e009f4bd168eab
                                            • Instruction ID: 20f12ac7bc5d44c9c2e932cfa8802e6c2737c0b4898ee142f0792a539b679ad6
                                            • Opcode Fuzzy Hash: d8535b78f95741972ba077773d6e01bccead169d00f86be8f1e009f4bd168eab
                                            • Instruction Fuzzy Hash: A121C371601618ABDB609FB4C908BBE73BCFB05709F15425AF86AD3481D774EA84CBD0
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9B6873
                                            • GetWindowRect.USER32(00000000,00000000), ref: 6C9B68BC
                                            • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C9B68E6
                                            • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C9B68FC
                                            • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C9B6914
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Rect$CreateH_prolog3_Round
                                            • String ID:
                                            • API String ID: 2502471913-0
                                            • Opcode ID: 4387d8b175243f43802ae17edfc6c27c821093e88af82effb9117622036bf9d1
                                            • Instruction ID: 8bafa1e572a2c4202ea5dfbd03d0b3cfe7feb268780c948a7a919c0a981225df
                                            • Opcode Fuzzy Hash: 4387d8b175243f43802ae17edfc6c27c821093e88af82effb9117622036bf9d1
                                            • Instruction Fuzzy Hash: 3F113A71A0162DAFDF099FA4C894AEEBB79BF19708F240219E545B3A50DB30AD50CB64
                                            APIs
                                            • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6C994536
                                            • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6C994546
                                            • GetCapture.USER32 ref: 6C99454C
                                            • ReleaseCapture.USER32 ref: 6C994558
                                            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C99457F
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Message$CapturePost$PeekRelease
                                            • String ID:
                                            • API String ID: 1125932295-0
                                            • Opcode ID: a314ab9efec741ea5762988da799af245a202a708500abef93c604c61f10fe87
                                            • Instruction ID: b264ff51a58809f86cbbb7f16dff2c846dc55d96e03266b5d996c051365fa6fa
                                            • Opcode Fuzzy Hash: a314ab9efec741ea5762988da799af245a202a708500abef93c604c61f10fe87
                                            • Instruction Fuzzy Hash: E001A772200624BFE7222BB5CC49D6B7EBCFBC5709F040619F55A82551EB20D801CA61
                                            APIs
                                            • GetDC.USER32(?), ref: 6C984BDA
                                              • Part of subcall function 6C9A09F1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C9A0A38
                                              • Part of subcall function 6C9A09F1: CreatePatternBrush.GDI32(00000000), ref: 6C9A0A45
                                              • Part of subcall function 6C9A09F1: DeleteObject.GDI32(00000000), ref: 6C9A0A51
                                            • SelectObject.GDI32(?,?), ref: 6C984BF9
                                            • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6C984C1E
                                            • SelectObject.GDI32(?,00000000), ref: 6C984C2C
                                            • ReleaseDC.USER32(?,?), ref: 6C984C38
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
                                            • String ID:
                                            • API String ID: 2474928807-0
                                            • Opcode ID: 5ebcbff80d9a9f3af144986e7b0e2b9deae90682f282976e1097345f6f490dda
                                            • Instruction ID: 0d2fec106c56c0b8beab2cf2b3ff454b826bc6165a8a99d6af60f74f705eaf00
                                            • Opcode Fuzzy Hash: 5ebcbff80d9a9f3af144986e7b0e2b9deae90682f282976e1097345f6f490dda
                                            • Instruction Fuzzy Hash: 0A01E236200200AF8B119BA9CD48C9ABFBEEF8A7043108569B61987521CB33D8129B60
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C99C6F1
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C99C6FC
                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C99C76A
                                              • Part of subcall function 6C99C5F3: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C99C60B
                                            • std::locale::_Setgloballocale.LIBCPMT ref: 6C99C717
                                            • _Yarn.LIBCPMT ref: 6C99C72D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                            • String ID:
                                            • API String ID: 1088826258-0
                                            • Opcode ID: 50529b0da5cf5c812f8446b58acff54b55c910bc522faf81b347bf1d7295c278
                                            • Instruction ID: 2e3982686b5a2b229938b02ec9a145feec605c45fa18d68315e30b56c85fb8b9
                                            • Opcode Fuzzy Hash: 50529b0da5cf5c812f8446b58acff54b55c910bc522faf81b347bf1d7295c278
                                            • Instruction Fuzzy Hash: EC01F735B002659BDB06EF60CC50ABD7B79BFA6648B5C4049D81167780DF74EE05CBC5
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C9B0D09
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                              • Part of subcall function 6C99BCF3: GetDlgCtrlID.USER32(?), ref: 6C99BCFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3$Ctrl
                                            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                                            • API String ID: 3879667756-2016111687
                                            • Opcode ID: fb237cce73c58bb9fa0b500bbf937703103243e9d968a9d512430787b97b348c
                                            • Instruction ID: cb1f0e7f0f8fb04a90ef081e6ed97bd3352d842c4ec4c88e1db6effba7140253
                                            • Opcode Fuzzy Hash: fb237cce73c58bb9fa0b500bbf937703103243e9d968a9d512430787b97b348c
                                            • Instruction Fuzzy Hash: 0121AD75A00219ABCF10DFA4C894AFEB739BF65318F140568E82177781DB70EE05CBA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CursorH_prolog3
                                            • String ID: Control Panel\Desktop$MenuShowDelay
                                            • API String ID: 634316419-702829638
                                            • Opcode ID: 015a71989a7a7afb7e77896bd46d23a6409bd505c78055a4b91ffbe54cb4c512
                                            • Instruction ID: c160a96c052d69f57411c3a3bae15b34c2cf0997d92784d973beb1df0bb6552e
                                            • Opcode Fuzzy Hash: 015a71989a7a7afb7e77896bd46d23a6409bd505c78055a4b91ffbe54cb4c512
                                            • Instruction Fuzzy Hash: 63218C31B0120ADFCF04CFA4C894AFE7BB5AB58318F140529E925EB780EB35E905CB90
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C9B0DE7
                                              • Part of subcall function 6C9FE380: __EH_prolog3.LIBCMT ref: 6C9FE387
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3
                                            • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
                                            • API String ID: 431132790-953485693
                                            • Opcode ID: 2ac4be83774ad7e9b9892b65bde7bacdc4319fb28398997f06e00b4cd8a4a93d
                                            • Instruction ID: 7ff2dea834360a54662a1b90f12a3508afac47ab7ab0d7933b0b8801700a32e2
                                            • Opcode Fuzzy Hash: 2ac4be83774ad7e9b9892b65bde7bacdc4319fb28398997f06e00b4cd8a4a93d
                                            • Instruction Fuzzy Hash: 77215975A0020A9BCF04DFA4C894AEEB775BF68308F140468E4117B781EB34E909CBA1
                                            APIs
                                              • Part of subcall function 6C98A6DB: LoadLibraryW.KERNEL32(00000000,6CB42500,00000010,6C9A0544,comctl32.dll,?), ref: 6C98A71C
                                            • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C9A0558
                                            • FreeLibrary.KERNEL32(00000000), ref: 6C9A05A4
                                              • Part of subcall function 6C9A0157: GetLastError.KERNEL32(6C9A054F,comctl32.dll,?,?,00001000,?,?,?), ref: 6C9A0157
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Library$AddressErrorFreeLastLoadProc
                                            • String ID: DllGetVersion$comctl32.dll
                                            • API String ID: 2540614322-3857068685
                                            • Opcode ID: 01f6cba69471128c880798a0f807c29afde3c6bed9261246ba98da1d62e3b549
                                            • Instruction ID: 59be66254a1ed1223457df4247637f02c7294d2dd3aaf95aa531b4e6e9585650
                                            • Opcode Fuzzy Hash: 01f6cba69471128c880798a0f807c29afde3c6bed9261246ba98da1d62e3b549
                                            • Instruction Fuzzy Hash: 3011E3B5E0061D9BCB019FA9C854BDE7BB9BF85314F111018E5169B340DB34D9058BA5
                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,80070057), ref: 6C99A6BB
                                            • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6C99A6CB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                            • API String ID: 1646373207-2994018265
                                            • Opcode ID: a442dd4b17e8f60a6c255b25e00f00a26d7576afc5c2010bad200b7c2cf2d183
                                            • Instruction ID: 431335f8625dc64141a7e1088c3fddaa0a9458a6bb30f8bbefd1141fe48146de
                                            • Opcode Fuzzy Hash: a442dd4b17e8f60a6c255b25e00f00a26d7576afc5c2010bad200b7c2cf2d183
                                            • Instruction Fuzzy Hash: C9018136601119EBCF121FA4DC05FEE3BBAFF99755F254129FA2896420DB32C4A1DB50
                                            APIs
                                            • GetWindowLongW.USER32(?,000000F0), ref: 6C9A02C2
                                            • GetClassNameW.USER32(?,?,0000000A), ref: 6C9A02D7
                                            • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,6C987B06,?,?), ref: 6C9A02EE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClassCompareLongNameStringWindow
                                            • String ID: combobox
                                            • API String ID: 1414938635-2240613097
                                            • Opcode ID: 9182d7605474f2b606cce212f9813d467284514ea99b36121525611118f448c7
                                            • Instruction ID: abbdda7f205abe7623d2c6a969c8dbd8fe3206fa5c295e99b167907fc6592e2c
                                            • Opcode Fuzzy Hash: 9182d7605474f2b606cce212f9813d467284514ea99b36121525611118f448c7
                                            • Instruction Fuzzy Hash: BBF0C232655269BBDF01EFAC8C46EAE77B8EB06724F500315F926E71C0DE20E5018791
                                            APIs
                                            • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C99A72B
                                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C99A73B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                            • API String ID: 1646373207-3913318428
                                            • Opcode ID: 5bbba88f331666fa2cf0c684442c4d4665a342ac75e7918be5cfcc55900a3642
                                            • Instruction ID: de17675d9cba972b7651899acaa511a74cd88eebed0f233280cc9013d67dc474
                                            • Opcode Fuzzy Hash: 5bbba88f331666fa2cf0c684442c4d4665a342ac75e7918be5cfcc55900a3642
                                            • Instruction Fuzzy Hash: 61F0F636A01109FFCF122FA4DC09B9A3BBDFB85B52F154035F52582410EB31C851DB60
                                            APIs
                                            • swprintf.LIBCMT ref: 6C9F8A58
                                            • GetFileAttributesW.KERNEL32(00000104,AFX,00000000,00000104,00000104,000000FF), ref: 6C9F8A63
                                            • GetTempFileNameW.KERNEL32(000000FF,00000104,00000000,00000104,?,?,6C9D16C9,?,AFX,00000000,00000104,00000104,000000FF), ref: 6C9F8A7B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: File$AttributesNameTempswprintf
                                            • String ID: %s%s%X.tmp
                                            • API String ID: 2659213859-596088238
                                            • Opcode ID: acdf860cf5e503eee70eedd4a91697608a5f28e2a67cd8decc2241e4db2653dc
                                            • Instruction ID: 596423a35318b725d17cf4a98978b670a0eab6cbb77979d27f4c179072873484
                                            • Opcode Fuzzy Hash: acdf860cf5e503eee70eedd4a91697608a5f28e2a67cd8decc2241e4db2653dc
                                            • Instruction Fuzzy Hash: BEF01C3650020AFBCF029FA5DC05ECE3B7AFF05369F104651FA25A55A0D732D664BB54
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CAE41DF,00000000,?,6CB5A3BC,?,?,?,6CAE4116,00000004,InitializeCriticalSectionEx,6CB23994,6CB2399C), ref: 6CAE4150
                                            • GetLastError.KERNEL32(?,6CAE41DF,00000000,?,6CB5A3BC,?,?,?,6CAE4116,00000004,InitializeCriticalSectionEx,6CB23994,6CB2399C,00000000,?,6CAD919C), ref: 6CAE415A
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CAE4182
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: LibraryLoad$ErrorLast
                                            • String ID: api-ms-
                                            • API String ID: 3177248105-2084034818
                                            • Opcode ID: 2f53188e65b88725bdfb2e7f2efded62751591b6f8fbe452869d4e1e6990b1c6
                                            • Instruction ID: d4f29afdf13b89c07f97da84c01004fffa2ff1918c3c13b3cb05b9a4c2253d3b
                                            • Opcode Fuzzy Hash: 2f53188e65b88725bdfb2e7f2efded62751591b6f8fbe452869d4e1e6990b1c6
                                            • Instruction Fuzzy Hash: DDE04831344204B7EF101EE1DC05B5D7B6DBB19B99F144120F90DE5CD4D7629855EBC5
                                            APIs
                                              • Part of subcall function 6C951EE0: GetLastError.KERNEL32 ref: 6C951F22
                                            • IsDebuggerPresent.KERNEL32(?,?,?,6C97FA33), ref: 6C99C278
                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C97FA33), ref: 6C99C287
                                            Strings
                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C99C282
                                            • MZx, xrefs: 6C99C24D
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: DebugDebuggerErrorLastOutputPresentString
                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
                                            • API String ID: 389471666-1466369552
                                            • Opcode ID: f81bc4e6e90dc83b5b9724449d8b92a2ffeec4faa3c0b570be59ac6bc3c3f0b7
                                            • Instruction ID: f40b9a09392665c3ddaa76073668fcdc39dd9164f21cd37101614344f2b2983b
                                            • Opcode Fuzzy Hash: f81bc4e6e90dc83b5b9724449d8b92a2ffeec4faa3c0b570be59ac6bc3c3f0b7
                                            • Instruction Fuzzy Hash: 3EE039712007918BD760EFB8D90478ABBE4AB11299F448A1DD895C7B40EB70E048CB62
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9C0266
                                            • GetMenuItemCount.USER32(?), ref: 6C9C0326
                                            • GetMenuItemID.USER32(?,00000000), ref: 6C9C0346
                                            • GetSubMenu.USER32(?,00000000), ref: 6C9C0465
                                              • Part of subcall function 6C9ADD9B: __EH_prolog3.LIBCMT ref: 6C9ADDA2
                                              • Part of subcall function 6C9ADD9B: SetRectEmpty.USER32(?), ref: 6C9ADF5B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountEmptyH_prolog3H_prolog3_Rect
                                            • String ID:
                                            • API String ID: 2186202558-0
                                            • Opcode ID: 9ec816c15085d64bdde55c41e3c4f72bdbf1f171a48435414c538288252cfe41
                                            • Instruction ID: bbb8ec26306fee922df4e1776de11c6fc103dcefe16a161c15cd566678a17bbf
                                            • Opcode Fuzzy Hash: 9ec816c15085d64bdde55c41e3c4f72bdbf1f171a48435414c538288252cfe41
                                            • Instruction Fuzzy Hash: 74A18F71B002689BDF119F64CC94BEEB7B9AF55318F1402A9E429AB790DB30EE45CF41
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA047A0
                                            • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6CA048F6
                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 6CA04908
                                            • DeleteObject.GDI32(00000000), ref: 6CA04960
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Object$DeleteH_prolog3ImageLoad
                                            • String ID:
                                            • API String ID: 91933946-0
                                            • Opcode ID: c58f5e6a5ae7bfb7d82d506a429ed93383df5c7bc47ad9586b9394d05ddf3fc6
                                            • Instruction ID: ac8ba5cea236ee7adaa7d18a7385e8114787e9e284ff14c5cdd70911cba897dc
                                            • Opcode Fuzzy Hash: c58f5e6a5ae7bfb7d82d506a429ed93383df5c7bc47ad9586b9394d05ddf3fc6
                                            • Instruction Fuzzy Hash: 1F61C231A01A14CBDF01CFA4C8807EE77B5BF65398F248279EC656F695C7709989CBA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: AdjustPointer
                                            • String ID:
                                            • API String ID: 1740715915-0
                                            • Opcode ID: 2e9d637d68148b2448a2ebf50b59eb2e9e5082f3cdb3f44a093de72ba3fd0dff
                                            • Instruction ID: 6e555f0a0aa1df185d829b6f5a20a1e57acf2055b26ae1e2176ab448bfea03df
                                            • Opcode Fuzzy Hash: 2e9d637d68148b2448a2ebf50b59eb2e9e5082f3cdb3f44a093de72ba3fd0dff
                                            • Instruction Fuzzy Hash: F551E672605206AFEB158F91C940BAE73B4FF00718F2A552ED99157AA0E731F9C4CBD2
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: H_prolog3InvalidateParentRectUpdateWindow
                                            • String ID:
                                            • API String ID: 1954703720-0
                                            • Opcode ID: 5d246f1ee06367b77c53e45d4833232320cf7ddd5a97b48f0d7a67b10bd53da0
                                            • Instruction ID: 2b974289ed21e1d004c5b6930e14bb4e74375c3d3f5f736ede474c99f913ec02
                                            • Opcode Fuzzy Hash: 5d246f1ee06367b77c53e45d4833232320cf7ddd5a97b48f0d7a67b10bd53da0
                                            • Instruction Fuzzy Hash: 3A519034700A16DFDB048F78C888BAAB7B5BB49315F14467AE929CB790DB74E844CF52
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c010ce549d18279a0483bd36b0b7846a8545834f120660df9c7e1e37853b2c6b
                                            • Instruction ID: 981a496788b2483e849b855b3952c961b031f2166e3ea9bc792e66ba8bf0e3e2
                                            • Opcode Fuzzy Hash: c010ce549d18279a0483bd36b0b7846a8545834f120660df9c7e1e37853b2c6b
                                            • Instruction Fuzzy Hash: 82412A71A00784AFD7109F7DCD40B9ABFA9EB8C724F144529E105DBB80DB71A989EBC0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: EmptyRect
                                            • String ID:
                                            • API String ID: 2270935405-0
                                            • Opcode ID: 08eb224fe800456aa7ca1eb25110422f3b3b895d390f51ce13b8eddc11c55503
                                            • Instruction ID: 349aa894aa08b487cdc22d2a80ab8f15095b57fde3a96567114219b55661a5a1
                                            • Opcode Fuzzy Hash: 08eb224fe800456aa7ca1eb25110422f3b3b895d390f51ce13b8eddc11c55503
                                            • Instruction Fuzzy Hash: B751EAB09112659FCB24CF19C5C46EA3BA8BB09B54F1842BBED0C8F64AC7B05545DFE1
                                            APIs
                                            • GetPrivateProfileStringW.KERNEL32(?,?,6CB38060,?,00001000,?), ref: 6C99AA51
                                              • Part of subcall function 6C99ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C99A828,?,00000000), ref: 6C99AE3E
                                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,B073DD17,?,?,?,?,6CAEC0C1,000000FF), ref: 6C99A99F
                                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6CAEC0C1,000000FF), ref: 6C99A9DB
                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6CAEC0C1,000000FF), ref: 6C99A9F5
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue$PrivateProfileString
                                            • String ID:
                                            • API String ID: 2114517702-0
                                            • Opcode ID: 25e52402372f6c8ce0d74bf730bed702753be2f01213e6bca8ff748bdaeeed78
                                            • Instruction ID: 97eb8170207bfa96c4f0754a6c82676b2326f1d1971ca766c00b92dbf7bba028
                                            • Opcode Fuzzy Hash: 25e52402372f6c8ce0d74bf730bed702753be2f01213e6bca8ff748bdaeeed78
                                            • Instruction Fuzzy Hash: D0417C71A01228AFDB25CB14CC48AEEB7B9FB14314F0001AAE419A3681DB34DE55CF61
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 6C9BADB1
                                            • ScreenToClient.USER32(000000FF,?), ref: 6C9BADC1
                                            • PtInRect.USER32(000000D8,?,?), ref: 6C9BADD4
                                            • PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C9BADEF
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ClientCursorMessagePostRectScreen
                                            • String ID:
                                            • API String ID: 1913696736-0
                                            • Opcode ID: b85ea9debb3e69a2dd06594b21d93916a20530bc15670964677931fb56cf0044
                                            • Instruction ID: 3eeb2db8ae67e6ac37c1a3d5cbe523adc1167bb79164952b4fa0ae9f5d952f9f
                                            • Opcode Fuzzy Hash: b85ea9debb3e69a2dd06594b21d93916a20530bc15670964677931fb56cf0044
                                            • Instruction Fuzzy Hash: 4B316135B00219FFDF019F65C844AAF7B79FF89359B2441A9F92AA7650EF30D9018B90
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6CA1E331
                                            • SendMessageW.USER32(?,00000421,00000001,?), ref: 6CA1E3C8
                                            • SendMessageW.USER32(?,00000421,00000001,?), ref: 6CA1E3DD
                                            • lstrcpyW.KERNEL32(00000000,00000010,00000000,00000010,6C9B5351,00000000,?,00000002,?,?), ref: 6CA1E40C
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSend$H_prolog3lstrcpy
                                            • String ID:
                                            • API String ID: 3361160815-0
                                            • Opcode ID: bcbdb200aac8916273a48c196742859dd831b3268e60996b5eb08db3898a639c
                                            • Instruction ID: 33bdcb369349891b7b6c6d0aefaa884ea9a3bb8fe487f5bb9ec05b115fb813f7
                                            • Opcode Fuzzy Hash: bcbdb200aac8916273a48c196742859dd831b3268e60996b5eb08db3898a639c
                                            • Instruction Fuzzy Hash: C441BF72A0520ADBDF04CFA4C889BEE77B5FF24318F140418E425ABAD0CB31D985CB91
                                            APIs
                                              • Part of subcall function 6C99BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C99BBEF
                                            • GetClientRect.USER32(?,?), ref: 6C98E9F7
                                            • IsMenu.USER32(00000000), ref: 6C98EA33
                                            • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C98EA4B
                                            • GetClientRect.USER32(?,?), ref: 6C98EA93
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$ClientWindow$AdjustLongMenu
                                            • String ID:
                                            • API String ID: 3435883281-0
                                            • Opcode ID: c2830ba206595af848fefbd66cfabc54ab3e70a894e4f1c0bae0da2cc8ab6ee9
                                            • Instruction ID: c7a0653162131f26ab71fafe41efbdc764750dcce9925b089bef327ca0f14481
                                            • Opcode Fuzzy Hash: c2830ba206595af848fefbd66cfabc54ab3e70a894e4f1c0bae0da2cc8ab6ee9
                                            • Instruction Fuzzy Hash: 7231C335B00209AFDB14DFA5C994EBFBBBDFF65208F144559F801A7640EB34E9448B90
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6CA8AC13
                                            • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6CA0729C,?,00000000,00000000,0000005C), ref: 6CA8ACB7
                                            • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6CA0729C,?,00000000,00000000,0000005C), ref: 6CA8ACF7
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6CA0729C,?,00000000,00000000), ref: 6CA8AD15
                                              • Part of subcall function 6C9809A7: __EH_prolog3.LIBCMT ref: 6C9809AE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
                                            • String ID:
                                            • API String ID: 655328227-0
                                            • Opcode ID: 99972ba23cffa451da6873e5c6b3ddfb7000c0068d56e48b995b0481c2cba8c5
                                            • Instruction ID: b51c6d54596106c84725527d02c1450e7c615e411ad7c22edc0cccde479677fc
                                            • Opcode Fuzzy Hash: 99972ba23cffa451da6873e5c6b3ddfb7000c0068d56e48b995b0481c2cba8c5
                                            • Instruction Fuzzy Hash: 8831A471A0621DABDF10AF64CC48BEEB779BF20718F100195E50997B90CB719E84CFA1
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 6CA1C68C
                                            • EqualRect.USER32(?,?), ref: 6CA1C6B2
                                            • BeginDeferWindowPos.USER32(?), ref: 6CA1C6BF
                                            • EndDeferWindowPos.USER32(00000000), ref: 6CA1C6E5
                                              • Part of subcall function 6CA0BE25: GetWindowRect.USER32(?,?), ref: 6CA0BE39
                                              • Part of subcall function 6CA0BE25: GetParent.USER32(?), ref: 6CA0BE8F
                                              • Part of subcall function 6CA0BE25: GetParent.USER32(?), ref: 6CA0BEA2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Rect$DeferParent$BeginEqual
                                            • String ID:
                                            • API String ID: 2054780619-0
                                            APIs
                                            • GetClientRect.USER32(?,?), ref: 6C9BCCD9
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCD03
                                              • Part of subcall function 6C9BA972: ScreenToClient.USER32(?,?), ref: 6C9BA98E
                                              • Part of subcall function 6C9BA972: GetParent.USER32(?), ref: 6C9BA99E
                                              • Part of subcall function 6C9BA972: GetClientRect.USER32(?,?), ref: 6C9BAA31
                                              • Part of subcall function 6C9BA972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BAA43
                                              • Part of subcall function 6C9BA972: PtInRect.USER32(?,?,?), ref: 6C9BAA53
                                            • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9BCD2C
                                            • SendMessageW.USER32(?,00000202,?,?), ref: 6C9BCD4B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                            • String ID:
                                            • API String ID: 2689702638-0
                                            APIs
                                            • RedrawWindow.USER32(00000041,?,?,00000041), ref: 6C984B02
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 6C984B45
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: InflateRectRedrawWindow
                                            • String ID:
                                            • API String ID: 3190756164-0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • KillTimer.USER32(?,0000EC17), ref: 6C9BC9D5
                                            • KillTimer.USER32(?,0000EC18), ref: 6C9BC9E3
                                            • IsWindow.USER32(?), ref: 6C9BCA53
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9BCA7A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: KillTimer$MessagePostWindow
                                            • String ID:
                                            • API String ID: 3970157719-0
                                            APIs
                                            • GetClientRect.USER32 ref: 6C9BCDE5
                                            • PtInRect.USER32(?,?,?), ref: 6C9BCDFE
                                              • Part of subcall function 6C9BA972: ScreenToClient.USER32(?,?), ref: 6C9BA98E
                                              • Part of subcall function 6C9BA972: GetParent.USER32(?), ref: 6C9BA99E
                                              • Part of subcall function 6C9BA972: GetClientRect.USER32(?,?), ref: 6C9BAA31
                                              • Part of subcall function 6C9BA972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9BAA43
                                              • Part of subcall function 6C9BA972: PtInRect.USER32(?,?,?), ref: 6C9BAA53
                                            • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9BCE34
                                            • SendMessageW.USER32(?,00000201,?,?), ref: 6C9BCE53
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                                            • String ID:
                                            • API String ID: 2689702638-0
                                            APIs
                                            • BeginDeferWindowPos.USER32(?), ref: 6C9AA028
                                            • IsWindow.USER32(?), ref: 6C9AA043
                                            • DeferWindowPos.USER32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 6C9AA08C
                                            • EndDeferWindowPos.USER32(00000000), ref: 6C9AA097
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Defer$Begin
                                            • String ID:
                                            • API String ID: 2880567340-0
                                            APIs
                                            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C98F01C
                                            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C98F046
                                            • GetCapture.USER32 ref: 6C98F05C
                                            • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C98F06B
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: MessageSend$Capture
                                            • String ID:
                                            • API String ID: 1665607226-0
                                            APIs
                                            • GetCursorPos.USER32(00000000), ref: 6C992363
                                            • GetWindowRect.USER32(?,?), ref: 6C99237F
                                            • PtInRect.USER32(?,00000000,00000000), ref: 6C99238F
                                            • CallNextHookEx.USER32(?,?,?), ref: 6C9923B7
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$CallCursorHookNextWindow
                                            • String ID:
                                            • API String ID: 3719484595-0
                                            APIs
                                            • GetObjectW.GDI32(?,0000000C,?), ref: 6C98EC89
                                            • SetBkColor.GDI32(?,?), ref: 6C98EC93
                                            • GetSysColor.USER32(00000008), ref: 6C98ECA3
                                            • SetTextColor.GDI32(?,?), ref: 6C98ECAB
                                              • Part of subcall function 6C9A02A7: GetWindowLongW.USER32(?,000000F0), ref: 6C9A02C2
                                              • Part of subcall function 6C9A02A7: GetClassNameW.USER32(?,?,0000000A), ref: 6C9A02D7
                                              • Part of subcall function 6C9A02A7: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,6C987B06,?,?), ref: 6C9A02EE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Color$ClassCompareLongNameObjectStringTextWindow
                                            • String ID:
                                            • API String ID: 3274569906-0
                                            APIs
                                            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C99A8B6
                                            • RegCloseKey.ADVAPI32(00000000), ref: 6C99A8BF
                                            • swprintf.LIBCMT ref: 6C99A8DC
                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C99A8ED
                                              • Part of subcall function 6C99ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C99A828,?,00000000), ref: 6C99AE3E
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Close$PrivateProfileStringValueWriteswprintf
                                            • String ID:
                                            • API String ID: 581541481-0
                                            • Opcode ID: 72fe5252ac9f5e63f7c7b94808765a96f2ffff2d27215a215d187d7d50656966
                                            • Instruction ID: 1bff896fd32621c0cd05ddfcd6410f8ee9be42c747762a4e27ad4972168db29d
                                            • Opcode Fuzzy Hash: 72fe5252ac9f5e63f7c7b94808765a96f2ffff2d27215a215d187d7d50656966
                                            • Instruction Fuzzy Hash: FD01C432A00309BBDB119EA5CC45FAE73BCEF59618F150429F611A7580DB75ED458760
                                            APIs
                                            • GetDlgCtrlID.USER32(?), ref: 6C986FE7
                                            • GetScrollPos.USER32(?,00000002), ref: 6C986FFA
                                            • SendMessageW.USER32(?,00000114,?,?), ref: 6C987034
                                            • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C987052
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Scroll$CtrlMessageSend
                                            • String ID:
                                            • API String ID: 1219558039-0
                                            • Opcode ID: 89a541328fe43cdbcce1f22599085563c0332f086a48509432b87b8f5182b75e
                                            • Instruction ID: 39f9d90ff4c62bbec83621d4faa8b3fbbe6b04af9e5c2a7e80d5908719033d8d
                                            • Opcode Fuzzy Hash: 89a541328fe43cdbcce1f22599085563c0332f086a48509432b87b8f5182b75e
                                            • Instruction Fuzzy Hash: 5A11C232700224EFDF119FA8CC49EAE7B75FF49741F010969F945AB151D6709C10DBA0
                                            APIs
                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C9B44EF
                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C9B4503
                                            • UpdateWindow.USER32(?), ref: 6C9B450C
                                            • SetRectEmpty.USER32(?), ref: 6C9B4513
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Rect$EmptyInflateInvalidateUpdateWindow
                                            • String ID:
                                            • API String ID: 3040190709-0
                                            • Opcode ID: 16e2043752b40eec49566885e861490677604b50650c93fa70ac94c0493650bc
                                            • Instruction ID: 4a6c506cc69bb3e5f3e918bb36a5bf93b5fe9292af202c5801aa2a630491da7e
                                            • Opcode Fuzzy Hash: 16e2043752b40eec49566885e861490677604b50650c93fa70ac94c0493650bc
                                            • Instruction Fuzzy Hash: D2018431600619DFDB10DFA8C849E9F7BF8FB4A314F510669F55AA7190DB705904CB50
                                            APIs
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C9823C0
                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C9823CF
                                            • IsWindow.USER32(00000000), ref: 6C9823E0
                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 6C9823F0
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Long
                                            • String ID:
                                            • API String ID: 847901565-0
                                            • Opcode ID: dfc61c778e4dcb7f4a4008566143df569d2d4b1feeacbaffb510a2af4edab897
                                            • Instruction ID: c3afca5a1b1812b83e84b04ad1826bb205db20028b841bfa96c2177d88a8b8da
                                            • Opcode Fuzzy Hash: dfc61c778e4dcb7f4a4008566143df569d2d4b1feeacbaffb510a2af4edab897
                                            • Instruction Fuzzy Hash: 26016231315638AFDF056BB48C88A7E3678AB86725B240729F822D73C1DB75E8019665
                                            APIs
                                            • GetTopWindow.USER32(?), ref: 6C98EED5
                                            • GetTopWindow.USER32(00000000), ref: 6C98EF18
                                            • GetWindow.USER32(00000000,00000002), ref: 6C98EF3A
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window
                                            • String ID:
                                            • API String ID: 2353593579-0
                                            • Opcode ID: 25d415c2afc9a0f7e3fb44756c1a4ba90328ba52468e2b360fcfde5de7daf2b7
                                            • Instruction ID: 765a8690a81e0ba297543727c4b7b84801b98b1529c6a40eaa3adb47aa83684b
                                            • Opcode Fuzzy Hash: 25d415c2afc9a0f7e3fb44756c1a4ba90328ba52468e2b360fcfde5de7daf2b7
                                            • Instruction Fuzzy Hash: D501E53610612AABCF136F958C14EDF3B2AAF16354F004914FE14A2460CB36C571EBE1
                                            APIs
                                            • GetDlgItem.USER32(?,00000001), ref: 6C98EE61
                                            • GetTopWindow.USER32(00000000), ref: 6C98EE6E
                                              • Part of subcall function 6C98EE57: GetWindow.USER32(00000000,00000002), ref: 6C98EEBD
                                            • GetTopWindow.USER32(?), ref: 6C98EEA2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Window$Item
                                            • String ID:
                                            • API String ID: 369458955-0
                                            • Opcode ID: 275eef6a5ecf88656f56573f1de83f454f844daa9cfccab355b0fa6f986b82d1
                                            • Instruction ID: ca69307b99013549fdaa948c3f8574a329fd09bfeca4170d2b47ce807b6f9cf0
                                            • Opcode Fuzzy Hash: 275eef6a5ecf88656f56573f1de83f454f844daa9cfccab355b0fa6f986b82d1
                                            • Instruction Fuzzy Hash: 4701623A107626EBCF226F658C24A8F3B7CAF12799F044A10FC1497515DB31C52197F1
                                            APIs
                                            • GetParent.USER32(6C99519F), ref: 6C99C03C
                                            • GetParent.USER32(6C99519F), ref: 6C99C04F
                                            • GetParent.USER32(6C99519F), ref: 6C99C069
                                            • SetFocus.USER32(6C99519F,00000000,?,?,6C99519F,?,6C9519B0,?), ref: 6C99C082
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: Parent$Focus
                                            • String ID:
                                            • API String ID: 384096180-0
                                            • Opcode ID: 6e2ee84218a06195b94908507c010a5ed2bef190dcd78afa1bd0f9768d290f6c
                                            • Instruction ID: ab0d86410a84e73d0939b678c9f2231910d8203ce34c5047f4a8243b0e11ca42
                                            • Opcode Fuzzy Hash: 6e2ee84218a06195b94908507c010a5ed2bef190dcd78afa1bd0f9768d290f6c
                                            • Instruction Fuzzy Hash: F1F03133701610DBCF257BB48C0899F76BDBFA93067040969E94AC7B60DF34E8028B90
                                            APIs
                                            • WriteConsoleW.KERNEL32(00000000,6CADFF1C,00000000,00000000,00000000,?,6CAE9750,00000000,00000001,00000000,?,?,6CAE2286,?,00000000,00000000), ref: 6CAEA780
                                            • GetLastError.KERNEL32(?,6CAE9750,00000000,00000001,00000000,?,?,6CAE2286,?,00000000,00000000,?,?,?,6CAE1BCC,?), ref: 6CAEA78C
                                              • Part of subcall function 6CAEA7DD: CloseHandle.KERNEL32(FFFFFFFE,6CAEA79C,?,6CAE9750,00000000,00000001,00000000,?,?,6CAE2286,?,00000000,00000000,?,?), ref: 6CAEA7ED
                                            • ___initconout.LIBCMT ref: 6CAEA79C
                                              • Part of subcall function 6CAEA7BE: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CAEA75A,6CAE973D,?,?,6CAE2286,?,00000000,00000000,?), ref: 6CAEA7D1
                                            • WriteConsoleW.KERNEL32(00000000,6CADFF1C,00000000,00000000,?,6CAE9750,00000000,00000001,00000000,?,?,6CAE2286,?,00000000,00000000,?), ref: 6CAEA7B1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                            • String ID:
                                            • API String ID: 2744216297-0
                                            • Opcode ID: 3a35ef56ceada30111ef81ac7fefc23659171fd6f8a84fdd9c87cbcf783ba9d3
                                            • Instruction ID: c520dd5c5b3439c2231e3cac22f005fa98b2eddd8f439c4d15ddca6496d6d759
                                            • Opcode Fuzzy Hash: 3a35ef56ceada30111ef81ac7fefc23659171fd6f8a84fdd9c87cbcf783ba9d3
                                            • Instruction Fuzzy Hash: 8DF01276201128BBCF225FD2CC0899D3F37EB093A4B084610FE1996560D7318C60ABD1
                                            APIs
                                            • PeekConsoleInputA.KERNEL32(?,?,6CB4F8E0,00000000,?,6CAD19AA,00000000,0000000C,6CB4F8E0,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE0032
                                            • GetLastError.KERNEL32(?,6CAD19AA,00000000,0000000C,6CB4F8E0,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE003E
                                              • Part of subcall function 6CAE011A: CloseHandle.KERNEL32(FFFFFFFF,6CAE0002,?,?,6CAD1940,0000000C,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE012A
                                            • ___initconin.LIBCMT ref: 6CAE004E
                                              • Part of subcall function 6CAE00FB: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CADFF76,6CAD192F,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE010E
                                            • PeekConsoleInputA.KERNEL32(?,?,6CB4F8E0,?,6CAD19AA,00000000,0000000C,6CB4F8E0,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE0062
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                             • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmp
                                             • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
                                            • String ID:
                                            • API String ID: 1545762386-0
                                            • Opcode ID: 01b42f00f702df4852ca702547e4aecc0984f85e353b8df225aa36439d62069f
                                            • Instruction ID: 515b3b509fbfdb1a0d9f47f95d15d38b929048df18f937b7b68ebb2e5d66313e
                                            • Opcode Fuzzy Hash: 01b42f00f702df4852ca702547e4aecc0984f85e353b8df225aa36439d62069f
                                            • Instruction Fuzzy Hash: 7DF0C036501169BB8F226FD5DC0889D3F36FB4E3E5B494220F91D96520CB328961BBD1
                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6CAC2233
                                            • GetCurrentThreadId.KERNEL32 ref: 6CAC2242
                                            • GetCurrentProcessId.KERNEL32 ref: 6CAC224B
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 6CAC2258
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 3dbee18ec2ace7324681dbe6b27084d783bce59844c0a9f5996d6f6cb57234c0
                                            • Instruction ID: ab8a2602526357cffb283114f29f5d76ca437be36d0186d810d9d071b1894824
                                            • Opcode Fuzzy Hash: 3dbee18ec2ace7324681dbe6b27084d783bce59844c0a9f5996d6f6cb57234c0
                                            • Instruction Fuzzy Hash: B3F0B230E1121DEBCF01EBF4C64999EBBF4FF1D304B928696A412E7100E730AB049B50
                                            APIs
                                            • SetConsoleMode.KERNEL32(0000000C,00000000,?,6CAD1713,00000000,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE00C4
                                            • GetLastError.KERNEL32(?,6CAD1713,00000000,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE00D0
                                              • Part of subcall function 6CAE011A: CloseHandle.KERNEL32(FFFFFFFF,6CAE0002,?,?,6CAD1940,0000000C,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE012A
                                            • ___initconin.LIBCMT ref: 6CAE00E0
                                              • Part of subcall function 6CAE00FB: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CADFF76,6CAD192F,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE010E
                                            • SetConsoleMode.KERNEL32(0000000C,?,6CAD1713,00000000,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE00EE
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                            • String ID:
                                            • API String ID: 3067319862-0
                                            • Opcode ID: 2e05eb361a43e4173113413de9ceab53ebff29541be0f1d0cd468e21548022cb
                                            • Instruction ID: cb55fff6cf2a9ba8fb3105c698f128e154478bcd3189b6519a34a12ca2fcdb07
                                            • Opcode Fuzzy Hash: 2e05eb361a43e4173113413de9ceab53ebff29541be0f1d0cd468e21548022cb
                                            • Instruction Fuzzy Hash: 7BE04F36641165AB8F226FE5C90849E3F75EB4E3F53490260F90AD3660CE228C90BBD6
                                            APIs
                                            • GetConsoleMode.KERNEL32(0000000C,?,?,6CAD170B,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE007E
                                            • GetLastError.KERNEL32(?,?,6CAD170B,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE008A
                                              • Part of subcall function 6CAE011A: CloseHandle.KERNEL32(FFFFFFFF,6CAE0002,?,?,6CAD1940,0000000C,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE012A
                                            • ___initconin.LIBCMT ref: 6CAE009A
                                              • Part of subcall function 6CAE00FB: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CADFF76,6CAD192F,?,?,?,6CAD1658,6CB4F8E0,0000000C,6C954D93), ref: 6CAE010E
                                            • GetConsoleMode.KERNEL32(0000000C,?,?,6CAD170B,6C954DA1,6CB4F920,00000038,6CAD16A8,6CB4F900,0000000C,6C954DA1), ref: 6CAE00A8
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.4133096737.000000006C951000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C950000, based on PE: true
                                            • Associated: 00000003.00000002.4133084542.000000006C950000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133195724.000000006CAFA000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133225943.000000006CB50000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133238223.000000006CB53000.00000008.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB55000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133249753.000000006CB57000.00000004.00000001.01000000.00000006.sdmpDownload File
                                            • Associated: 00000003.00000002.4133274344.000000006CB5D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6c950000_RuntimeBrokers.jbxd
                                            Similarity
                                            • API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
                                            • String ID:
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: __aulldiv
                                            • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                            APIs
                                            • __EH_prolog3_GS.LIBCMT ref: 6C9A8687
                                            • CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 6C9A86E2
                                            Strings
                                            • %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 6C9A872C
                                            Similarity
                                            • API ID: CreateGuidH_prolog3_
                                            • String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
                                            APIs
                                            • __EH_prolog3.LIBCMT ref: 6C9FE387
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000008,6C9B0777,?,MFCToolBars,?,000000A8), ref: 6C9FE4D2
                                            Strings
                                            Similarity
                                            • API ID: H_prolog3QueryValue
                                            • String ID: SOFTWARE\
                                            APIs
                                            • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6CAD8E74,?,?,00000000,00000000,00000000,?), ref: 6CAD8F98
                                            Strings
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID: MOC$RCC
                                            APIs
                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6CAD8A56
                                            Strings
                                            Similarity
                                            • API ID: ___except_validate_context_record
                                            • String ID: csm$csm
                                            APIs
                                              • Part of subcall function 6C99ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C99A828,?,00000000), ref: 6C99AE3E
                                            • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C99AC88
                                            • RegCloseKey.ADVAPI32(00000000), ref: 6C99AC91
                                            Strings
                                            Similarity
                                            • API ID: Close$Value
                                            • String ID: A
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: EmptyH_prolog3_Rect
                                            • String ID: Afx:ToolBar