

Windows Analysis Report
CnjMEmbChO.exe

Overview

General Information

Sample name: CnjMEmbChO.exe (renamed because the original name is a hash value)
Original sample name: 6B64F2CD11EC2223C9818E0F752C649E.exe
Analysis ID: 1581089
MD5: 6b64f2cd11ec2223c9818e0f752c649e
SHA1: 99948f90acbcf025a4462f1fe49c2f6f75817fbb
SHA256: b43c39baeb60972d82f592e681f4d20aac4c4063676f34d43b10cda806d08ac6
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • CnjMEmbChO.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\CnjMEmbChO.exe" MD5: 6B64F2CD11EC2223C9818E0F752C649E)
    • cmd.exe (PID: 6396 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RuntimeBrokers.exe (PID: 2200 cmdline: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe MD5: 30A274E00DA842B09E9763F19777ADED)
No configs have been found
No yara matches

System Summary

Source: Process started; Sigma rule: Execution from Suspicious Folder; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, NewProcessName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, OriginalFileName: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe, ProcessId: 2200, ProcessName: RuntimeBrokers.exe
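What the Sigma match keys on is visible in the event fields: a 32-bit cmd.exe (ParentImage under SysWOW64, because the dropper is a 32-bit PE) started with `/c start` hands off to a PE that the installer placed under C:\Users\Public. The following Python is an added example, not Joe Sandbox code and not the Sigma rule's own text: it applies the same staging-folder check to process-creation events and reports the full parent chain so the analyst sees who staged the file. The events are constructed from the PIDs and command lines in this report; the folder list is an assumed subset of what such rules cover.

```python
"""Staging-folder execution check over process-creation events, with the parent
chain that explains how the process got there.

Added example; not Joe Sandbox code and not the Sigma rule's own text. The
events are constructed from the PIDs and command lines in this report, and the
folder list is an assumed subset of what such rules cover."""
from dataclasses import dataclass

# User-writable folders that legitimate software rarely executes from.
# Assumed list; matched case-insensitively against the image path prefix.
SUSPICIOUS_FOLDERS = (
    "c:\\users\\public\\",
    "c:\\perflogs\\",
    "c:\\windows\\temp\\",
    "c:\\$recycle.bin\\",
)

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # NewProcessName / Image
    cmdline: str    # CommandLine

# Constructed from this report's process tree (ppid 0 = parent not in the log).
EVENTS = [
    ProcEvent(6096, 0, "C:\\Users\\user\\Desktop\\CnjMEmbChO.exe",
              '"C:\\Users\\user\\Desktop\\CnjMEmbChO.exe"'),
    ProcEvent(6396, 6096, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c start '
              'C:\\Users\\Public\\Bilite\\Axialis\\RuntimeBrokers.exe'),
    ProcEvent(6472, 6396, "C:\\Windows\\System32\\conhost.exe",
              "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(2200, 6396, "C:\\Users\\Public\\Bilite\\Axialis\\RuntimeBrokers.exe",
              "C:\\Users\\Public\\Bilite\\Axialis\\RuntimeBrokers.exe"),
]

def is_suspicious_path(image: str) -> bool:
    """True when the executable sits under one of the staging folders."""
    return image.lower().startswith(SUSPICIOUS_FOLDERS)

def ancestry(events, pid: int) -> list:
    """Follow ppid links upwards: [process, parent, grandparent, ...].
    The 'seen' set guards against PID reuse producing a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def find_suspicious_launches(events) -> list:
    """One finding per process started from a staging folder, with the chain of
    image names and whether a 'cmd.exe ... start' hand-off sits in that chain."""
    findings = []
    for e in events:
        if not is_suspicious_path(e.image):
            continue
        chain = ancestry(events, e.pid)
        via_cmd_start = any(
            p.image.lower().endswith("\\cmd.exe") and " start " in p.cmdline.lower()
            for p in chain[1:]
        )
        findings.append({
            "pid": e.pid,
            "image": e.image,
            "chain": [p.image.rsplit("\\", 1)[-1] for p in chain],
            "via_cmd_start": via_cmd_start,
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_launches(EVENTS):
        print(finding)
```

Run against real Sysmon or Security 4688 data, the only change is the event loader; the chain output is what makes the alert triageable, since "RuntimeBrokers.exe from Public" on its own could be a badly packaged internal tool, while "started by cmd /c start from an installer on the Desktop" is not.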
No Suricata rule has matched


AV Detection

Source: C:\Users\Public\Bilite\Axialis\libcurl.dll; ReversingLabs: Detection: 65%
Source: CnjMEmbChO.exe; ReversingLabs: Detection: 50%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F832B1 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,4_2_00F832B1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F82AF0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,CertNameToStrW,CertNameToStrW,CertNameToStrW,4_2_00F82AF0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F82CE0 lstrcmpA,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime,4_2_00F82CE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F82DB0 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,4_2_00F82DB0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F82EE0 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertFindCertificateInStore,4_2_00F82EE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C940200 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,4_2_6C940200
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C941340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,4_2_6C941340
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C93FF50 CryptStringToBinaryA,CryptStringToBinaryA,4_2_6C93FF50
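The chain at 4_2_6C941340 (CryptAcquireContextW, CryptImportKey, two CryptSetKeyParam calls, CryptDecrypt) is the CryptoAPI pattern for decrypting with a key handed in as a key blob rather than derived from a password; the 6C9xxxxx addresses fall in the module whose pdb path is \YSS\Release\libcurl.pdb, mapped at 6CADA000 inside RuntimeBrokers.exe, not in the main image. The report does not record the blob, the algorithm or the parameters, so the Python below is an added example, not code from the sample or from Joe Sandbox: it parses a PLAINTEXTKEYBLOB in the layout CryptImportKey expects and replays the decryption for RC4, the one algorithm implemented inline. The blob and ciphertext are constructed; that the two CryptSetKeyParam calls set KP_MODE and KP_IV is an assumption about block-cipher use, and a block cipher would additionally need a cipher library.

```python
"""Parser for the CryptoAPI PLAINTEXTKEYBLOB that CryptImportKey consumes, plus
an RC4 implementation so the decrypt can be replayed outside Windows.

Added example, not code from the sample or from Joe Sandbox. The blob bytes
below are constructed; the sample's real key, algorithm and parameters are not
recorded in this report."""
import struct

PLAINTEXTKEYBLOB = 0x08   # BLOBHEADER.bType for a raw symmetric key
CUR_BLOB_VERSION = 0x02   # BLOBHEADER.bVersion

# ALG_ID values from wincrypt.h for the symmetric ciphers CryptImportKey accepts
ALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
    0x6801: "CALG_RC4", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256",
}

def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Split a PLAINTEXTKEYBLOB into header fields and raw key bytes.
    Layout: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} + DWORD keyLen + key."""
    if len(blob) < 12:
        raise ValueError("blob shorter than BLOBHEADER + key length")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    if b_type != PLAINTEXTKEYBLOB:
        raise ValueError(f"not a PLAINTEXTKEYBLOB (bType=0x{b_type:02x})")
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected blob version {b_version}")
    (key_len,) = struct.unpack_from("<I", blob, 8)
    key = blob[12:12 + key_len]
    if len(key) != key_len:
        raise ValueError("key length field runs past the end of the blob")
    return {"alg_id": alg_id,
            "alg": ALG_NAMES.get(alg_id, f"0x{alg_id:04x}"),
            "key": key}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decrypt_with_blob(blob: bytes, ciphertext: bytes) -> bytes:
    """Replay CryptImportKey + CryptDecrypt for the one algorithm implemented here.
    Block ciphers also need the mode/IV that CryptSetKeyParam (KP_MODE=4, KP_IV=1)
    would have supplied, which this report does not record."""
    info = parse_plaintext_key_blob(blob)
    if info["alg"] != "CALG_RC4":
        raise NotImplementedError(f"{info['alg']} needs a cipher library plus mode/IV")
    return rc4(info["key"], ciphertext)

def build_blob(alg_id: int, key: bytes) -> bytes:
    """Inverse of the parser; used here only to construct test input."""
    return (struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
            + struct.pack("<I", len(key)) + key)

# Constructed input: an RC4 key blob for b"Key" and RC4(b"Key", b"Plaintext")
SAMPLE_BLOB = build_blob(0x6801, b"Key")
SAMPLE_CIPHERTEXT = bytes.fromhex("bbf316e8d940af0ad3")

if __name__ == "__main__":
    info = parse_plaintext_key_blob(SAMPLE_BLOB)
    print(info["alg"], info["key"].hex())
    print(decrypt_with_blob(SAMPLE_BLOB, SAMPLE_CIPHERTEXT))
```

In practice the blob is recovered by breaking on CryptImportKey and dumping the buffer its second argument points to; the first 12 bytes then tell you the algorithm and key length before any decryption is attempted.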
Source: CnjMEmbChO.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: \YSS\Release\libcurl.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp, libcurl.dll.0.dr
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source: Binary string: c:\workspace\GTChecker\plutus\main\dev\target\win\Release\GTCheck.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr
Source: Binary string: C:\Users\ymishra\Documents\GitHub\Dev\target\win\Release\Adobe Download Manager.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F6BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ,4_2_00F6BE70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FCF4E8 FindFirstFileExA,4_2_00FCF4E8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9A82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,4_2_6C9A82CF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CABF2EC FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_6CABF2EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CABF23B FindFirstFileExW,4_2_6CABF23B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9580D0 WSAStartup,getaddrinfo,WSACleanup,socket,WSACleanup,connect,closesocket,freeaddrinfo,WSACleanup,recv,closesocket,WSACleanup,VirtualAlloc,4_2_6C9580D0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RuntimeBrokers.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.drString found in binary or memory: http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://ocsp.comodoca.com0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: http://ocsp.sectigo.com0
Source: CnjMEmbChO.exe, 00000000.00000003.2063149440.0000000004CFB000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2063024937.0000000000678000.00000004.00001000.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000033DC000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr, RuntimeBrokers.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://api.flash.cn/config/getCdnValue?key=zero_dayzero_day
Source: flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://flash.2144.com/cdm/icons/chn100.png
Source: flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://flash.2144.com/cdm/icons/ten100.png
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://help.2144.cn/about/duty.htm
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.drString found in binary or memory: https://sectigo.com/CPS0
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.drString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check
Source: RuntimeBrokers.exe, 00000004.00000002.4496708892.00000000009B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check50-B8D
Source: RuntimeBrokers.exe, 00000004.00000002.4496708892.0000000000A1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041.
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.drString found in binary or memory: https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://www.flash.cn/
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.drString found in binary or memory: https://www.flash.cn/cdm/
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9E41CD __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_6C9E41CD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9A2720 GetAsyncKeyState,SendMessageW,GetClientRect,SetScrollPos,4_2_6C9A2720
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C984517 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,4_2_6C984517
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C96D25E GetKeyState,GetKeyState,GetKeyState,SendMessageW,4_2_6C96D25E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C941340 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptSetKeyParam,CryptDestroyKey,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,CryptDestroyKey,CryptReleaseContext,4_2_6C941340
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe; Process Stats: CPU usage > 49%
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F96520: CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,4_2_00F96520
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00404FAA0_2_00404FAA
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0041206B0_2_0041206B
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0041022D0_2_0041022D
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00411F910_2_00411F91
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F5245C4_2_00F5245C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F546D04_2_00F546D0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F88A704_2_00F88A70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F5B0104_2_00F5B010
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F6F1704_2_00F6F170
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FCB10C4_2_00FCB10C
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F922A04_2_00F922A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F972804_2_00F97280
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FBF5204_2_00FBF520
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9F6C44_2_00F9F6C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FA264E4_2_00FA264E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB37DD4_2_00FB37DD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB37304_2_00FB3730
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FD38684_2_00FD3868
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F7A9A04_2_00F7A9A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB99304_2_00FB9930
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F79AC04_2_00F79AC0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FA4A4E4_2_00FA4A4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F68BE04_2_00F68BE0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB9B5F4_2_00FB9B5F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FCDC994_2_00FCDC99
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB9D8E4_2_00FB9D8E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9FEAA4_2_00F9FEAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C95ECF04_2_6C95ECF0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAA2C004_2_6CAA2C00
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAAA8244_2_6CAAA824
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9548304_2_6C954830
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAC6AA24_2_6CAC6AA2
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9684BD4_2_6C9684BD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAB06C64_2_6CAB06C6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAA66714_2_6CAA6671
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C96478E4_2_6C96478E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C99A1A14_2_6C99A1A1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C99230B4_2_6C99230B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C96DC9F4_2_6C96DC9F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C98BDDD4_2_6C98BDDD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAA9EA04_2_6CAA9EA0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C953F404_2_6C953F40
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C95B8804_2_6C95B880
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C97D4554_2_6C97D455
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C99B5AF4_2_6C99B5AF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C95F0B04_2_6C95F0B0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9790AD4_2_6C9790AD
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9551104_2_6C955110
Source: Joe Sandbox View; Dropped File: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe 9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: String function: 0040243B appears 37 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C95D970 appears 37 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 00F9BF08 appears 67 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C97F6DE appears 69 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 00F9C7A0 appears 50 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C97F675 appears 207 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C97F77F appears 44 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 00FB2860 appears 72 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 00F5E9E0 appears 45 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C97D8B0 appears 75 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 00F62450 appears 44 times
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: String function: 6C96068B appears 63 times
Source: flashcenter_pp_ax_install_cn.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: flashcenter_pp_ax_install_cn.exe.0.drStatic PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Source: CnjMEmbChO.exe, 00000000.00000003.2027711950.00000000009A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamensdksetupJ vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXZCalendarServer.exe* vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000003.2061562693.00000000031AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAdobe Download ManagerN vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe, 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exeBinary or memory string: OriginalFilenameV vs CnjMEmbChO.exe
Source: CnjMEmbChO.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RuntimeBrokers.exe.0.drBinary string: @rb-%c%cIsWow64Processkernel32ntdll.dllRtlGetNtVersionNumbersg:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cppStopUnInitcurl init failedcurl_easy_perform failed,{}GetDownloadDownLoadFinish:{}, Size:{}Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36write_data_get_postwrite_data_get_post StopABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/PCI{1A3E09BE-1E45-494B-9174-D7385B45BBF5}\\.\#{ad498944-762f-11d0-8dcb-00c04fc3358c}NoteBookDesktopkernel32GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwClose
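That string blob names three routes to the same data: GetSystemFirmwareTable, the WMI class MSSMBios_RawSMBiosTables, and mapping \device\physicalmemory through ZwOpenSection/ZwMapViewOfSection. All three reach the raw SMBIOS tables, which is where a hypervisor leaves its vendor strings and which the "Query firmware table information" signature refers to. The Python below is an added example, not code from the sample or from Joe Sandbox: it parses the buffer in the form GetSystemFirmwareTable('RSMB') returns it and runs the kind of marker check such a query usually feeds, which is also how to verify that a sandbox image would pass. The SMBIOS buffers are constructed, and the marker list is an assumption, not the sample's own.

```python
"""Parser for the buffer GetSystemFirmwareTable('RSMB') returns, with the
VM-vendor string check that a firmware-table query typically feeds.

Added example, not code from the sample or from Joe Sandbox. The SMBIOS blobs
below are constructed; the marker list is an assumption, not the sample's own."""
import struct

# Substrings a hypervisor typically leaves in SMBIOS type 0/1/2 strings.
# Assumed list; extend it to match the sandbox you are hardening.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
              "kvm", "virtual machine", "parallels")

def parse_raw_smbios(buf: bytes) -> list:
    """Parse a RawSMBIOSData buffer: an 8-byte header (Used20CallingMethod,
    major, minor, DmiRevision, Length) followed by Length bytes of SMBIOS
    structures. Each structure is a 4-byte header (type, length, handle), a
    formatted area, then NUL-terminated strings ended by a second NUL."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the RawSMBIOSData header")
    _, _major, _minor, _, length = struct.unpack_from("<BBBBI", buf, 0)
    table = buf[8:8 + length]
    if len(table) != length:
        raise ValueError("Length field runs past the end of the buffer")
    structures, off = [], 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        if slen < 4 or off + slen > len(table):
            raise ValueError(f"bad structure length {slen} at offset {off}")
        formatted = table[off:off + slen]          # header included, so spec offsets apply
        strings, pos = [], off + slen
        while True:
            end = table.index(b"\x00", pos)        # ValueError if unterminated
            s = table[pos:end]
            if not s:                              # reached the terminating NUL
                pos = end + (1 if strings else 2)  # no strings at all => bare "\0\0"
                break
            strings.append(s.decode("ascii", "replace"))
            pos = end + 1
        structures.append({"type": stype, "handle": handle,
                           "formatted": formatted, "strings": strings})
        if stype == 127:                           # End-of-Table structure
            break
        off = pos
    return structures

def string_field(structure: dict, offset: int) -> str:
    """Resolve a 1-based string index stored at 'offset' in the formatted area."""
    fmt, strings = structure["formatted"], structure["strings"]
    if offset >= len(fmt):
        return ""
    idx = fmt[offset]
    return strings[idx - 1] if 0 < idx <= len(strings) else ""

def system_info(structures: list) -> dict:
    """Type 1 (System Information): manufacturer/product/version/serial at offsets 4..7."""
    for s in structures:
        if s["type"] == 1:
            return {name: string_field(s, off) for name, off in
                    (("manufacturer", 4), ("product", 5), ("version", 6), ("serial", 7))}
    return {}

def vm_indicators(structures: list) -> list:
    """Markers found anywhere in the string sets, as an evasion check would see them."""
    text = " ".join(st for s in structures for st in s["strings"]).lower()
    return sorted(m for m in VM_MARKERS if m in text)

def _structure(stype: int, handle: int, formatted_tail: bytes, strings) -> bytes:
    """Build one SMBIOS structure; used only to construct the sample buffers."""
    header = struct.pack("<BBH", stype, 4 + len(formatted_tail), handle)
    body = b"".join(s.encode() + b"\x00" for s in strings) or b"\x00"
    return header + formatted_tail + body + b"\x00"

def _rsmb(*structures: bytes) -> bytes:
    """Wrap structures in the RawSMBIOSData header (SMBIOS 2.7 claimed)."""
    table = b"".join(structures)
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table

# Constructed buffers: a type 1 structure in its 8-byte SMBIOS 2.0 layout (the
# four string indices sit at offsets 4..7) followed by the type 127 end marker.
VM_RSMB = _rsmb(
    _structure(1, 0x0100, bytes([1, 2, 3, 4]),
               ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-56 4d 11 22"]),
    _structure(127, 0x0200, b"", []))
PHYSICAL_RSMB = _rsmb(
    _structure(1, 0x0100, bytes([1, 2, 3, 4]),
               ["Dell Inc.", "Latitude 5540", "Not Specified", "ABC1234"]),
    _structure(127, 0x0200, b"", []))

if __name__ == "__main__":
    for name, buf in (("vm", VM_RSMB), ("physical", PHYSICAL_RSMB)):
        parsed = parse_raw_smbios(buf)
        print(name, system_info(parsed), vm_indicators(parsed))
```

Two caveats for anyone using this to harden an analysis VM: the physical-memory route in the sample's strings bypasses any user-mode hook on GetSystemFirmwareTable, so the strings have to be changed in the hypervisor's SMBIOS configuration rather than patched at the API; and type 0 (BIOS vendor) and type 2 (baseboard) carry their own strings, which is why the marker check above scans every string set instead of only type 1.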
Source: classification engine; Classification label: mal48.evad.winEXE@6/9@0/0
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_00407776
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW,0_2_0040118A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F90420 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetLastError,CloseHandle,CloseHandle,OpenProcess,CloseHandle,OpenProcessToken,DuplicateTokenEx,CreateProcessWithTokenW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetModuleFileNameW,PathRemoveFileSpecW,LoadLibraryW,4_2_00F90420
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_004034C1
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_00401BDF
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\BiliteJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: CnjMEmbChO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: CnjMEmbChO.exeReversingLabs: Detection: 50%
Source: RuntimeBrokers.exeString found in binary or memory: --StartTask
Source: RuntimeBrokers.exeString found in binary or memory: --InstallTask
Source: RuntimeBrokers.exeString found in binary or memory: --stop
Source: RuntimeBrokers.exeString found in binary or memory: --start
Source: RuntimeBrokers.exeString found in binary or memory: --install
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile read: C:\Users\user\Desktop\CnjMEmbChO.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\CnjMEmbChO.exe "C:\Users\user\Desktop\CnjMEmbChO.exe"
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: libcurl.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: version.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: flashcenter_pp_ax_install_cn.exe.lnk.4.drLNK file: ..\..\Public\Bilite\flashcenter_pp_ax_install_cn.exe
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: CnjMEmbChO.exeStatic file information: File size 23595283 > 1048576
Source: Binary string: \YSS\Release\libcurl.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp, libcurl.dll.0.dr
Source: Binary string: G:\ZCSD\XZRecordAlone\xzrecordalone\Release\XZCalendarServer.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr
Source: Binary string: c:\workspace\GTChecker\plutus\main\dev\target\win\Release\GTCheck.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr
Source: Binary string: C:\Users\ymishra\Documents\GitHub\Dev\target\win\Release\Adobe Download Manager.pdb source: CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: libcurl.dll.0.drStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F655E9 push ebx; retf 4_2_00F655EA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9C7E6 push ecx; ret 4_2_00F9C7F9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9BEE2 push ecx; ret 4_2_00F9BEF5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C95F770 push eax; mov dword ptr [esp], 8007000Eh4_2_6C95F774
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9A0E84 pushfd ; retf 4_2_6C9A0E85
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C96FDC3 push esi; ret 4_2_6C96FDC5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C97F74D push ecx; ret 4_2_6C97F760
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exeJump to dropped file
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to dropped file
Source: C:\Users\user\Desktop\CnjMEmbChO.exeFile created: C:\Users\Public\Bilite\Axialis\libcurl.dllJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C96E96E IsIconic,4_2_6C96E96E
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9987C4 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,4_2_6C9987C4
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C98307D GetParent,IsIconic,GetParent,__EH_prolog3,4_2_6C98307D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9672DF IsIconic,IsWindowVisible,4_2_6C9672DF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9732E4 IsWindowVisible,IsIconic,4_2_6C9732E4
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,4_2_00F96390
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeWindow / User API: threadDelayed 978Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeWindow / User API: threadDelayed 3844Jump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeWindow / User API: threadDelayed 3268Jump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeDropped PE file which has not been started: C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exeJump to dropped file
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_4-115827
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_4-115349
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeAPI coverage: 6.0 %
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 5448Thread sleep time: -73000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 5416Thread sleep time: -2934000s >= -30000sJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe TID: 5416Thread sleep time: -9804000s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,0_2_0040301A
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00402B79
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F6BE70 GetLocalTime,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,__Mtx_destroy_in_situ,__Mtx_destroy_in_situ,4_2_00F6BE70
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FCF4E8 FindFirstFileExA,4_2_00FCF4E8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9A82CF __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,4_2_6C9A82CF
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CABF2EC FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_6CABF2EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CABF23B FindFirstFileExW,4_2_6CABF23B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeThread delayed: delay time: 73000Jump to behavior
Source: yxhxvpke.png.0.drBinary or memory string: bfQeMU|
Source: flashcenter_pp_ax_install_cn.exe.0.drBinary or memory string: >QeMu
Source: yxhxvpke.png.0.drBinary or memory string: %hgFs[n
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9B4C5 IsDebuggerPresent,OutputDebugStringW,4_2_00F9B4C5
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C961028 OutputDebugStringA,GetLastError,4_2_6C961028
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,0_2_00406D5D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FC46B3 mov eax, dword ptr fs:[00000030h]4_2_00FC46B3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F61AD0 GetProcessHeap,4_2_00F61AD0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9C128 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00F9C128
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F9C411 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00F9C411
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FB655F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00FB655F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C9D87A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C9D87A6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6CAB1F38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6CAB1F38
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_6C97D796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C97D796
Source: C:\Users\user\Desktop\CnjMEmbChO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00F5245C _strrchr,_strrchr,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateEventW,_strrchr,_strrchr,GetModuleHandleW,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,WaitForSingleObject,PeekMessageW,TranslateMessage,DispatchMessageW,WaitForSingleObject,WaitForSingleObject,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,_strrchr,curl_global_cleanup,MoveFileExW,_strrchr,_strrchr,4_2_00F5245C
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,0_2_00401F9D
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_00FD216F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_00FD22FE
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_00FC92B6
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_00FD2263
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_00FD2218
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00FD238B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_00FD25DB
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_00FC979F
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00FD2704
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00FD28D8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_00FD280B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,4_2_6C9860F1
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_6CAC60D3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_6CAC6074
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_6CAC61A8
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_6CAC61F3
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6CAC629A
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_6CAC63A0
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_6CAC5D86
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: EnumSystemLocalesW,4_2_6CABBD0B
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_6CAC5E21
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6CAC5B35
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: GetLocaleInfoW,4_2_6CABB6EC
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,0_2_00401626
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FCC3FF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00FCC3FF
Source: C:\Users\user\Desktop\CnjMEmbChO.exeCode function: 0_2_00404FAA KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,0_2_00404FAA
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FAD8C9 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,4_2_00FAD8C9
Source: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exeCode function: 4_2_00FACBF3 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,4_2_00FACBF3
MITRE ATT&CK matrix (a leading number is the count of signatures matched to that technique):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Virtualization/Sandbox Evasion | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 111 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 11 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 35 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Antivirus detection, submitted file:

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| CnjMEmbChO.exe | 50% | ReversingLabs | Win32.Adware.FlashHelper | |

Antivirus detection, dropped files:

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | 4% | ReversingLabs | | |
| C:\Users\Public\Bilite\Axialis\libcurl.dll | 65% | ReversingLabs | Win32.Trojan.DllHijack | |
| C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exe | 11% | ReversingLabs | Win32.Adware.FlashHelper | |
No Antivirus matches
No Antivirus matches
URL reputation checks:

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | 0% | Avira URL Cloud | safe | |
| https://www.flash.cn/ | 0% | Avira URL Cloud | safe | |
| https://flash.2144.com/cdm/icons/chn100.png | 0% | Avira URL Cloud | safe | |
| https://update-xztodolist.cqttech.com/api/v1/update/check50-B8D | 0% | Avira URL Cloud | safe | |
| https://update-xztodolist.cqttech.com/api/v1/update/check | 0% | Avira URL Cloud | safe | |
| https://help.2144.cn/about/duty.htm | 0% | Avira URL Cloud | safe | |
| https://www.flash.cn/cdm/ | 0% | Avira URL Cloud | safe | |
| https://flash.2144.com/cdm/icons/ten100.png | 0% | Avira URL Cloud | safe | |
| https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041. | 0% | Avira URL Cloud | safe | |
| https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | 0% | Avira URL Cloud | safe | |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
http://dump.mgr.xzdesktop.cqttech.com/api/DumpInfoStat%s_%d-%02d-%02d.log | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://flash.2144.com/cdm/icons/chn100.png | flashcenter_pp_ax_install_cn.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
https://www.flash.cn/ | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
http://ocsp.sectigo.com0 | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
https://flash.2144.com/cdm/icons/ten100.png | flashcenter_pp_ax_install_cn.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.flash.cn/cdm/ | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://update-xztodolist.cqttech.com/api/v1/update/check50-B8D | RuntimeBrokers.exe, 00000004.00000002.4496708892.00000000009B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://update-xztodolist.cqttech.com/api/v1/update/checkXZDesktopCalendarCXZUpdateModule | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
https://update-xztodolist.cqttech.com/api/v1/update/check | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, RuntimeBrokers.exe, RuntimeBrokers.exe, 00000004.00000000.2064804065.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe, 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp, RuntimeBrokers.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://update-xztodolist.cqttech.com/api/v1/update/check?version=3.2.7.32&union=4003&os=10.0.19041. | RuntimeBrokers.exe, 00000004.00000002.4496708892.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, libcurl.dll.0.dr | false | | high
https://help.2144.cn/about/duty.htm | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://api.flash.cn/config/getCdnValue?key=zero_dayzero_day | CnjMEmbChO.exe, 00000000.00000003.2061562693.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, flashcenter_pp_ax_install_cn.exe.0.dr | false | | high
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1581089
                    Start date and time:2024-12-26 23:01:12 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 9m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:CnjMEmbChO.exe
                    renamed because original name is a hash value
                    Original Sample Name:6B64F2CD11EC2223C9818E0F752C649E.exe
                    Detection:MAL
                    Classification:mal48.evad.winEXE@6/9@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 93%
                    • Number of executed functions: 123
                    • Number of non-executed functions: 257
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: CnjMEmbChO.exe
Time | Type | Description
17:02:05 | API Interceptor | 33183x Sleep call for process: RuntimeBrokers.exe modified
IPs: No context
Domains: No context
ASNs: No context
JA3 Fingerprints: No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link
C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe | WiezmDFd6L.exe | Get hash | malicious | Unknown | Browse
 | WiezmDFd6L.exe | Get hash | malicious | Unknown | Browse
 | Fqae7BLq4m.exe | Get hash | malicious | Unknown | Browse
 | Fqae7BLq4m.exe | Get hash | malicious | Unknown | Browse
                            Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                            File Type:openssl enc'd data with salted password, base64 encoded
                            Category:dropped
                            Size (bytes):76
                            Entropy (8bit):5.471354487013932
                            Encrypted:false
                            SSDEEP:3:iqkmK2DEMpoClM+saTPyRyMHRY:ilm5YMAaTPyu
                            MD5:E0BAD9CEBCCDC9699E01E13A5116F071
                            SHA1:5A21864E5C390623A6B52054178F67611B52951D
                            SHA-256:6D91853D9E6DCA611D9A374D0C31A7248349F5526CE51D6A03B1BD2FB41FD513
                            SHA-512:809DFC6EE8AE4173FE011F19FBD6F5C6516EAEEE04DC77FE1581304B141948D989FA5C7BE02E993727E2137AFC9FFA22C0F59EBC84AD17F73F59048D34D52742
                            Malicious:false
                            Reputation:low
                            Preview:U2FsdGVkX1+lTUHhfuKX513xdE7Qcgfgl3aMIFY+heLEFnJIOMsX588ejlBtuz4vIRkFb9yW/ck=
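The 76-byte file above is what `openssl enc -a -salt` emits: the base64 prefix "U2FsdGVkX1" decodes to the magic "Salted__", followed by an 8-byte salt and the ciphertext, which is why `file` labels it "openssl enc'd data with salted password, base64 encoded". The header records neither the cipher nor the key derivation, so triage comes down to two things: the salt (needed for any decryption attempt) and the ciphertext length, which here is 40 bytes and therefore not a whole number of AES blocks, ruling out CBC/ECB. The following parser is an added example, not Joe Sandbox's code and not the sample's; it reads the blob exactly as the report previews it, and reimplements OpenSSL's two documented key derivations so a password recovered later from the dropper can be turned into a key and IV. "candidate-password" is a placeholder; the real password does not appear on this page.

```python
import base64
import hashlib

# The 76-byte dropped file previewed above, copied verbatim from the report.
DROPPED_BLOB_B64 = (
    "U2FsdGVkX1+lTUHhfuKX513xdE7Qcgfgl3aMIFY+heLEFnJIOMsX588ejlBtuz4vIRkFb9yW/ck="
)
OPENSSL_MAGIC = b"Salted__"   # base64 "U2FsdGVkX1" is this magic


def parse_openssl_blob(b64_text: str) -> dict:
    """Split `openssl enc -a -salt` output into salt and ciphertext.

    OpenSSL writes 8 bytes of magic, 8 bytes of random salt, then the
    ciphertext. The header does not record the cipher or the KDF, so the
    ciphertext length is the only hint about the cipher mode.
    """
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 16 or raw[:8] != OPENSSL_MAGIC:
        raise ValueError("not an OpenSSL salted blob")
    ciphertext = raw[16:]
    return {
        "salt": raw[8:16],
        "ciphertext": ciphertext,
        # CBC/ECB output is padded to whole 16-byte AES blocks. A length
        # that is not a multiple of 16 means CFB/OFB/CTR or a stream
        # cipher, which decides how a recovered password must be applied.
        "block_aligned": len(ciphertext) % 16 == 0,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md=hashlib.md5, iterations: int = 1) -> tuple:
    """Legacy OpenSSL EVP_BytesToKey (the default when -pbkdf2 is absent):
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt), concatenated until
    key and IV are filled. Reimplemented here from the documented algorithm."""
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = md(block + password + salt).digest()
        for _ in range(iterations - 1):
            block = md(block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int = 10000) -> tuple:
    """Derivation used by `openssl enc -pbkdf2`: PBKDF2-HMAC-SHA256, 10000
    iterations by default, key and IV cut from one output."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                              key_len + iv_len)
    return out[:key_len], out[key_len:]


def candidate_keys(password: bytes, salt: bytes) -> dict:
    """Both AES-256 key/IV pairs an analyst would try once a password is
    recovered from the dropper; whichever decrypts cleanly names the KDF."""
    return {
        "EVP_BytesToKey/MD5": evp_bytes_to_key(password, salt, 32, 16),
        "PBKDF2/SHA-256": pbkdf2_key_iv(password, salt, 32, 16),
    }


if __name__ == "__main__":
    info = parse_openssl_blob(DROPPED_BLOB_B64)
    print("salt:", info["salt"].hex())
    print("ciphertext bytes:", len(info["ciphertext"]),
          "block-aligned:", info["block_aligned"])
    # "candidate-password" is a placeholder; the real password is not on this page.
    for kdf, (key, iv) in candidate_keys(b"candidate-password", info["salt"]).items():
        print(f"{kdf}: key={key.hex()} iv={iv.hex()}")
```

Try the EVP_BytesToKey pair first: RuntimeBrokers.exe links libcurl/OpenSSL-era tooling and older `openssl enc` invocations without `-pbkdf2` are still the common case; if neither pair yields plaintext, the cipher or key length differs from AES-256 and the derivation has to be re-run with that cipher's key and IV sizes.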
                            Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):777816
                            Entropy (8bit):6.621348016864403
                            Encrypted:false
                            SSDEEP:12288:hEj1aAa/zgWDTuE8jegvwIDMuecTenORuFjBw7oHOSgmskduZnTKVrdMujyE3e+0:ooBCoH3BdoTKxdLyAZXdOEvnBzLRUFgi
                            MD5:30A274E00DA842B09E9763F19777ADED
                            SHA1:848C6A9348020EAEEC1A5674990683A1D9977B80
                            SHA-256:9E65D0E8A1BE49EDE20AD53EE1CF57696C99A28D1B058A185818B58B7FD83F66
                            SHA-512:81DED3C48D3FFDCF82952922C4B70D5F0945B1B0D5E178A1B552C7D5E8F39D00D3E007D161A7AFBA4502CC5CB2E92DF973902D94C28DF2DE5176FD2F50DE036A
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 4%
                            Joe Sandbox View:
                            • Filename: WiezmDFd6L.exe, Detection: malicious, Browse
                            • Filename: WiezmDFd6L.exe, Detection: malicious, Browse
                            • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                            • Filename: Fqae7BLq4m.exe, Detection: malicious, Browse
                            Reputation:low
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........a............b......b.......b.................................,.................................................Rich............................PE..L.....Wg.........................................@.................................l.....@..........................................p..0...............X(.......{.. (..p...................0).......(..@............................................text............................... ..`.rdata..............................@..@.data....P.......:..................@....rsrc...0....p.......4..............@..@.reloc...{.......|...:..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2290968
                            Entropy (8bit):6.60547019861942
                            Encrypted:false
                            SSDEEP:49152:AWc2Dj3hktNUysuFDbfes+p9bZuR6c3ne3EQBSeMyWF2:Vc2Dj3hkHRsuFP2s+pvuR6c3nKEQBSef
                            MD5:E7E4AAF65906C66EEEA75F7AC2DF131B
                            SHA1:73BE791833FBB819298115C6F636C3A246C19FFD
                            SHA-256:C7AE0C27783E10E920CB7B0364D0990C1030584613BB96FBA95EB0FD40F52D5E
                            SHA-512:0F8CF7111850629BA6FAF9DFBE79389BE590EF18EFF47E78EC4322C2B2F82291BCB781F4F5C2854C603C3E74F2B7931BC30E0EA0A38A4EB505A8AEB35939E5FE
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 65%
                            Reputation:low
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....eg...........!.........<.......!.......................................`#...........@............................0.......h..... ..H............"..)... !..0...........................b......P................................................text...m........................... ..`.rdata..._.......`..................@..@.data...@..... ..^..................@....00cfg........ ......N .............@..@.tls.......... ......P .............@....rsrc....H.... ..H...R .............@..@.reloc...0... !..2.... .............@..B................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):19985008
                            Entropy (8bit):7.999989782543077
                            Encrypted:true
                            SSDEEP:393216:N7Zqa2Z/TasZct6podJSPp7nf+QaXnA77T1BIfBmqZi3:DqPVTlcVShnf+QrgBmWQ
                            MD5:5FE2323F984A1F33A8FBC32DB8937202
                            SHA1:9D20C4664CB7D9AEE6429794C8ECE4420DEB4CE3
                            SHA-256:34B0DB3361AE9ADD45631CB88274277CE088E589332F4F6EF491EC51913BE6E9
                            SHA-512:98A19F12EA7BF3889FE789EBDCE2AF5C681B2F46FD595B01AE41316782A7A5B62AD23FCD7600E8FF128F55489A4B2E76F2A2C660474BE349FD70518CD3A39EAE
                            Malicious:false
                            Reputation:low
                            Preview:..>.....x...@...qyPc5....<..r...MY..?D~YV.^.(O.=...p0../q"2'\.~..G&.8."N.E..........B...NQ.[.9@.C.3.F..B...j...0@..!....I.R.P.y..M4P.....n..n..uTu..1.r-....;..4.....eC)D......./.....}.'...D..@.t.?.}+.........<.....1...$=.t.A;6Lzh..3.=hb.9p...[s......W..._..`._Y...V..c..b..nq...;.s.....T......?O[r\.o......=q.....@......i.5...;..9...;...s.T]......66. ...1|.l..]]X.H....4......%m....z.....K..7...~.....+Jq.."..c.`w[.Z'.Dg;.".|. .....[..lN..~!.VNp..i....L.;......2c+...e{.F.r..4....i......4..[..bL....L .h]"/....Xo...b/.V.vy.M.UW.....Z......R....Yt......w4~.2NV......2..r.....P..d..{H.[...*.W...I.....}...ox.;&.q.......~...^.N."yh\...4...v.L.....|k.f5q.h.......D...P.o0..k.f.t.....b.5.a.H.p..a.'...E-g~..qp.,...8au...+..T....9.GO....+...lVk.."....qf..d^.F.iV..>P.....N.n..\.>U_...vU...`Q....<...%..i._..p.e.X|....,.1...Q.!....vx........11.c.'.+J...+.XE..4.l....a.*t{.GB.......nQ?:.2W...R..ar.7......E.Z.2....HK../.8V.U...?!.. (.7...S...?.#|7.A......h
                            Process:C:\Users\user\Desktop\CnjMEmbChO.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6678240
                            Entropy (8bit):6.624932879315099
                            Encrypted:false
                            SSDEEP:98304:qbC9JeQIeYxZWf6JA7UY4zbANqv8GD8Gb/+E258QvZwQw6:qeJCq6Govv8GD8GbPYCh6
                            MD5:7424FE053510D978F05F464EF34DD045
                            SHA1:BBC9BB0BEEDC025CED722CB7D3217DB129F1A75F
                            SHA-256:C2BCFCD1BAA8CC96AA6674AE8C2275ADFC1BFDEBED22BD537D44CC1C11406CA9
                            SHA-512:CF2DB00FB044A8049B427F193A8E6090240B0614820768AF96CF2FACDC0D62D3DC1E46B1673BFB23E84B2AE351505684A953C920B27D297A0315611EDA746509
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 11%
                            Reputation:low
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......e..!..!..!..(.T. ..(.S.5...... ...k......k.....k.....!..#..GC.."..(.C.4..GC..6..!.....GC.....GC.. ..GC.. ..GC.. ..Rich!..........................PE..L.....)g..................#...B...............#...@..........................`f.......f...@...........................,.i... h,.......-.h.1...........e.......^....@.#.8.............................).@.............#......I,......................text...N.#.......#................. ..`.rdata..i.....#.......#.............@..@.data...D.....,..~...~,.............@....rsrc...h.1...-...1...,.............@..@.reloc........^.......^.............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1177
                            Entropy (8bit):5.123023479174324
                            Encrypted:false
                            SSDEEP:24:oV1zfHfOfoKI2DRUhaUC1RCVYMArTA1FW2j1PD:obj/GgmKhpQrMA48YPD
                            MD5:F6EF1759B0102945A7094E28762D5C3B
                            SHA1:3716FC9CFB288ABCB8D7B63C91FCF079DA0EF052
                            SHA-256:C1949BAC046C2DF0ACB01F3B8D2BDC62EFB28573D829EE950E84F9B26C6459E9
                            SHA-512:025FE3CD3999E747759F0FD775347B7A80C26E3D65D36C879DEAFA32608DD473E84AC1217373ADD6333225BAB0B2DAE4452617FE7CAC11A74ECACBBAF3550DBD
                            Malicious:false
                            Preview:[2024-12-26 18:49:18.710] [info] [5828] [application.cpp Run: 51] curl init res:2..[2024-12-26 18:49:18.712] [info] [5828] [application.cpp Run: 64] CreateEvent [628]..[2024-12-26 18:49:18.712] [info] [5828] [application.cpp Run: 76] CXZShellExecute init..[2024-12-26 18:49:18.712] [info] [5828] [application.cpp Run: 78] CXZUpdateModule init..[2024-12-26 18:49:18.716] [info] [5828] [application.cpp Run: 80] Timer init..[2024-12-26 18:49:18.734] [info] [5828] [application.cpp Run: 82] ServiceMgr Run..[2024-12-26 18:49:18.764] [info] [5828] [application.cpp Run: 84] ThreadPoolMgr Run..[2024-12-26 18:49:18.764] [info] [5828] [application.cpp Run: 87] Running m_hWndAsy:328776..[2024-12-26 18:49:18.765] [info] [5828] [application.cpp Run: 107] Message Loop..[2024-12-26 18:49:29.260] [info] [6000] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-26 18:49:32.089] [error] [6000] [mmcurl.cpp Get: 128] curl init failed..[2024-12-26 18:49:35.171] [info] [6000] [xzupd
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1245
                            Entropy (8bit):5.157217857163627
                            Encrypted:false
                            SSDEEP:24:oVidArCCKFW2jCKPWqEsUArvaWUFW2jWUPWHAr/dgFW2jdgPD:o4dAbK85KPrUAbdU8zUP8Ai83PD
                            MD5:D9C1BED8907080328AF9AA0A77125FD8
                            SHA1:DDEF82279CFBCBB775A3BDF1E5F1705BFF68CCFE
                            SHA-256:4749AC5C6B60A94526A5344186E830D1606673279701329F08D61839AF3010D5
                            SHA-512:2A866D6B07ECAF2C7747FE75D2D1787FEA3CC89662E65A3545931BCE4A31E6F9D680758159699DCEDD086BD31C4F50DC0993DEAC31764F28B06C9DD2EBECDE93
                            Malicious:false
                            Preview:[2024-12-27 01:29:25.789] [info] [5652] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-27 02:25:46.866] [error] [5652] [mmcurl.cpp Get: 128] curl init failed..[2024-12-27 03:14:49.744] [info] [5652] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-27 03:14:49.744] [info] [5652] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-27 09:51:15.693] [info] [1536] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-27 11:17:08.570] [error] [1536] [mmcurl.cpp Get: 128] curl init failed..[2024-12-27 12:08:59.459] [info] [1536] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-27 12:08:59.459] [info] [1536] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-27 18:47:32.058] [info] [3276] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-27 19:48:11.415] [error] [3276] [mmcurl.cpp Get: 1
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1241
                            Entropy (8bit):5.147745411413675
                            Encrypted:false
                            SSDEEP:24:oVpNznRArBSJ7RFW2jJYRPWCVArZRy+dFW2jRYPW/ArrWFW2jWPD:onrAtu8BPLAxd87PQAm8nPD
                            MD5:9320F151889B84DA68FA19A89F00D3F8
                            SHA1:B64B30766711D5A08FEE427A93AA7FED67B3589D
                            SHA-256:A42DD03431AD9A2A55EAA7897C14733D31D82C0E08B86B173AAF5E2988B833E5
                            SHA-512:468C8DFF3007A14302E7AE73F6C99069A67E882D11B49BD91F3997746C55527A799B629B10D4301781B29931B948EAF2EEE9D29FDBD90F8F2250B2D1A2268289
                            Malicious:false
                            Preview:[2024-12-28 03:29:54.522] [info] [764] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-28 04:38:52.298] [error] [764] [mmcurl.cpp Get: 128] curl init failed..[2024-12-28 05:21:01.058] [info] [764] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-28 05:21:01.059] [info] [764] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-28 12:05:46.134] [info] [6556] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-28 13:05:37.257] [error] [6556] [mmcurl.cpp Get: 128] curl init failed..[2024-12-28 14:08:40.628] [info] [6556] [xzupdatemodule.cpp PerformCheckUpdateSync: 319] CheckUpdate Res:2-strRes:..[2024-12-28 14:08:40.629] [info] [6556] [xzupdatemodule.cpp PerformCheckUpdateSync: 330] updatecheck fail..[2024-12-28 21:34:52.918] [info] [6460] [xzupdatemodule.cpp PerformCheckUpdateSync: 316] CheckUpdate getstart..[2024-12-28 22:36:02.350] [error] [6460] [mmcurl.cpp Get: 128]
                            Process:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 26 21:02:04 2024, mtime=Thu Dec 26 21:02:04 2024, atime=Sat Nov 23 08:44:47 2024, length=6678240, window=hide
                            Category:dropped
                            Size (bytes):1141
                            Entropy (8bit):4.67881657414848
                            Encrypted:false
                            SSDEEP:12:8Gvwu1SUYRiCECHqXJHx/XVACmqXsHcdT+8KVElljA6X8ZpGNKVEl0avj1b1K+4C:8Mwi5sss8w8K+jA4RK+/vj1b1Kiqygm
                            MD5:EC3A4057342FC37399E9FD4FC2802004
                            SHA1:9105744EF3F906BC190790E1A9FFFAF768D2B17C
                            SHA-256:62F9162E0A44750F2C8A808928CF412130604550C47E6C55D09CA47671FE2DD1
                            SHA-512:6157C89A01A580F95CA71B3D9579B4694B1E04B65B5EF1AE84CEA3D020CB3E9B8E55FF8BC6479D42F94E701F6801FAFB23D3CD5447E59645F0EFDDFDF1B27BF2
                            Malicious:false
                            Preview:L..................F.... ....GR..W..b.j..W....cU.=....e..........................P.O. .:i.....+00.../C:\...................x.1.....DW(m..Users.d......OwH.Y@.....................:.....NvM.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......YA...Public..f......O.I.YC.....+...............<.......T.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......YC...Bilite..>......YA..YC..... ......................{..B.i.l.i.t.e.......2...e.wY.M .FLASHC~1.EXE..r......YC..YC.....).....................$.N.f.l.a.s.h.c.e.n.t.e.r._.p.p._.a.x._.i.n.s.t.a.l.l._.c.n...e.x.e.......f...............-.......e..................C:\Users\Public\Bilite\flashcenter_pp_ax_install_cn.exe..4.....\.....\.P.u.b.l.i.c.\.B.i.l.i.t.e.\.f.l.a.s.h.c.e.n.t.e.r._.p.p._.a.x._.i.n.s.t.a.l.l._.c.n...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......128757...........hT..CrF.f4... .r{2=.b...,...W..hT..CrF.f4... .r{2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.
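The `file` line for this shortcut comes entirely from its 76-byte ShellLinkHeader: the LinkFlags bits (target ID list, link info, relative path), the FILE_ATTRIBUTE_ARCHIVE bit, the three FILETIME stamps, and a recorded target size of 6678240 bytes. That size is the same as the 6,678,240-byte PE32 dropped by CnjMEmbChO.exe earlier in this list, and the relative path visible in the preview names flashcenter_pp_ax_install_cn.exe, so the header alone ties the shortcut written by RuntimeBrokers.exe to that dropped installer. The parser below is an added example (not Joe Sandbox's code, not the sample's) that decodes the header per MS-SHLLINK; because the report only previews the shortcut, the input it runs on is a header constructed here from the values in the `file` line, and the dropped-file lookup table is built from the sizes and SHA-256 prefixes printed above.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
_HEADER = struct.Struct("<I16sIIQQQIIIHHII")   # 76 bytes, MS-SHLLINK section 2.1
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x1: "HasLinkTargetIDList", 0x2: "HasLinkInfo", 0x4: "HasName",
    0x8: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode", 0x2000: "RunAsUser",
}
FILE_ATTRIBUTES = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM",
                   0x10: "DIRECTORY", 0x20: "ARCHIVE"}
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

# Sizes of the PE files this report lists as dropped by CnjMEmbChO.exe,
# labelled by the start of the SHA-256 printed for each.
DROPPED_PE_SIZES = {
    777816: "PE32 GUI, SHA-256 9E65D0E8...",
    2290968: "PE32 DLL, SHA-256 C7AE0C27...",
    6678240: "PE32 GUI, SHA-256 C2BCFCD1...",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, no float rounding.
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data: bytes) -> dict:
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon, show, hotkey, _r1, _r2, _r3) = _HEADER.unpack_from(data)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {
        "link_flags": _names(flags, LINK_FLAGS),
        "file_attributes": _names(attrs, FILE_ATTRIBUTES),
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": fsize,
        "icon_index": icon,
        # MS-SHLLINK: any value other than 1, 3, 7 is treated as SW_SHOWNORMAL.
        "show_command": SHOW_COMMANDS.get(show, "SW_SHOWNORMAL"),
        "hotkey": hotkey,
    }


def build_lnk_header(flags, attrs, ctime, atime, wtime, file_size, show_command=1) -> bytes:
    """Pack a ShellLinkHeader; used here only to construct test input."""
    return _HEADER.pack(LNK_HEADER_SIZE, LNK_CLSID, flags, attrs,
                        datetime_to_filetime(ctime), datetime_to_filetime(atime),
                        datetime_to_filetime(wtime), file_size, 0, show_command,
                        0, 0, 0, 0)


def constructed_sample_header() -> bytes:
    """Header carrying the values the report's `file` line gives for the dropped
    shortcut. Constructed; the shortcut's own bytes are only partly previewed."""
    return build_lnk_header(
        flags=0x1 | 0x2 | 0x8,            # IDList, LinkInfo, RelativePath
        attrs=0x20,                        # FILE_ATTRIBUTE_ARCHIVE
        ctime=datetime(2024, 12, 26, 21, 2, 4, tzinfo=timezone.utc),
        atime=datetime(2024, 11, 23, 8, 44, 47, tzinfo=timezone.utc),
        wtime=datetime(2024, 12, 26, 21, 2, 4, tzinfo=timezone.utc),
        file_size=6678240,
    )


def match_dropped_file(header: dict) -> str:
    """Tie the shortcut to a dropped file by the target size the header records."""
    return DROPPED_PE_SIZES.get(header["file_size"], "no dropped file of that size")


def lnk_triage(header: dict) -> list:
    """Header-only signals worth a second look before parsing the link body."""
    notes = []
    if "HasArguments" in header["link_flags"]:
        notes.append("target receives command-line arguments")
    if header["show_command"] == "SW_SHOWMINNOACTIVE":
        notes.append("window starts minimized, a common way to hide a console")
    return notes


if __name__ == "__main__":
    hdr = parse_lnk_header(constructed_sample_header())
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print("target:", match_dropped_file(hdr))
    print("triage:", lnk_triage(hdr) or "nothing at header level")
```

The header is only the first structure in a .lnk; the LinkTargetIDList, LinkInfo and the string data (which is where the relative path `..\Public\Bilite\flashcenter_pp_ax_install_cn.exe` in the preview lives) follow it and need their own parsers. Header fields are still the cheapest cross-reference: a target size that matches a dropped PE to the byte is the shortcut's own record of which file it launches.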
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.999911659386662
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:CnjMEmbChO.exe
                            File size:23'595'283 bytes
                            MD5:6b64f2cd11ec2223c9818e0f752c649e
                            SHA1:99948f90acbcf025a4462f1fe49c2f6f75817fbb
                            SHA256:b43c39baeb60972d82f592e681f4d20aac4c4063676f34d43b10cda806d08ac6
                            SHA512:303338334002d22305630daea16469ed88b16a69e272f391a4c92b2353a798cb3f477f79a500a36629b1c41abcf68e0d118a72b9d5b91153a9663db0e55464a3
                            SSDEEP:393216:JpGdaDB9jrufnkq4MZdNHCRIKo6HQcRudv0SO2iywSQLGfVfSWun8L:XFDB9jCfnTXHCSKhHQFWSO29QsfF1
                            TLSH:4D373350B51352BCC78C9C3C6F5DE546A2EDAF67032A0E3B67E435ABF98068F024D466
                            File Content Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................N...............0....@..........................................................................P.............................
                            Icon Hash:878fd7f3b9353593
                            Entrypoint:0x411def
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:b5a014d7eeb4c2042897567e1288a095
                            Instruction
                            push ebp
                            mov ebp, esp
                            push FFFFFFFFh
                            push 00414C50h
                            push 00411F80h
                            mov eax, dword ptr fs:[00000000h]
                            push eax
                            mov dword ptr fs:[00000000h], esp
                            sub esp, 68h
                            push ebx
                            push esi
                            push edi
                            mov dword ptr [ebp-18h], esp
                            xor ebx, ebx
                            mov dword ptr [ebp-04h], ebx
                            push 00000002h
                            call dword ptr [00413184h]
                            pop ecx
                            or dword ptr [00419924h], FFFFFFFFh
                            or dword ptr [00419928h], FFFFFFFFh
                            call dword ptr [00413188h]
                            mov ecx, dword ptr [0041791Ch]
                            mov dword ptr [eax], ecx
                            call dword ptr [0041318Ch]
                            mov ecx, dword ptr [00417918h]
                            mov dword ptr [eax], ecx
                            mov eax, dword ptr [00413190h]
                            mov eax, dword ptr [eax]
                            mov dword ptr [00419920h], eax
                            call 00007FD7085309F2h
                            cmp dword ptr [00417710h], ebx
                            jne 00007FD7085308DEh
                            push 00411F78h
                            call dword ptr [00413194h]
                            pop ecx
                            call 00007FD7085309C4h
                            push 00417048h
                            push 00417044h
                            call 00007FD7085309AFh
                            mov eax, dword ptr [00417914h]
                            mov dword ptr [ebp-6Ch], eax
                            lea eax, dword ptr [ebp-6Ch]
                            push eax
                            push dword ptr [00417910h]
                            lea eax, dword ptr [ebp-64h]
                            push eax
                            lea eax, dword ptr [ebp-70h]
                            push eax
                            lea eax, dword ptr [ebp-60h]
                            push eax
                            call dword ptr [0041319Ch]
                            push 00417040h
                            push 00417000h
                            call 00007FD70853097Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x13c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a000 | 0x13c0 | 0x1400 | 5293a0fb2c46166ce21247d17e837639 | False | 0.3568359375 | data | 4.96958597460067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
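The header and section tables already contain the triage result for this sample, once read together: the four sections account for 0x11400 + 0x3200 + 0x800 + 0x1400 = 0x16200 (90,624) bytes of raw data, yet the file is 23,595,283 bytes, so everything past the section table is overlay, which is where the whole-file entropy of 7.9999 comes from (the sections themselves sit between 3.7 and 6.6); the image characteristics carry RELOCS_STRIPPED, so the loader cannot relocate it and ASLR does not apply; and IMAGE_DIRECTORY_ENTRY_SECURITY is empty, which is the "Digitally signed: false" line in structural form. The script below is an added example, not Joe Sandbox's code and not the sample's: a stdlib-only PE walker that computes exactly those signals. Because the sample itself is not embedded in this page, the block builds a small well-formed PE32 of its own (constructed, with the sample's 0x0103 characteristics and a pseudo-random overlay standing in for an encrypted payload) and runs the walker over that; point `parse_pe` at real bytes to reproduce the table above.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_SECURITY = 4     # Authenticode signature


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table and
    measure what the section table does not cover (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits just before the directory table:
    # offsets 92/96 in PE32 (magic 0x10B), 108/112 in PE32+.
    dir_off = opt + (96 if magic == 0x10B else 112)
    n_dirs = min(struct.unpack_from("<I", data, dir_off - 4)[0], 16)
    directories = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(n_dirs)]
    sect_off = opt + opt_size
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "characteristics": flags,
            "md5": hashlib.md5(body).hexdigest(),
            "entropy": shannon_entropy(body),
        })
    mapped_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = data[mapped_end:]
    return {
        "timestamp": timestamp, "characteristics": characteristics,
        "directories": directories, "sections": sections,
        "mapped_end": mapped_end, "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
        "file_entropy": shannon_entropy(data),
    }


def triage(pe: dict) -> list:
    """The header-level observations the report's tables amount to."""
    notes = []
    if pe["overlay_size"] > 0:
        notes.append(f"overlay: {pe['overlay_size']} bytes past the last section, "
                     f"entropy {pe['overlay_entropy']:.3f}")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        notes.append("RELOCS_STRIPPED: image cannot be relocated, so no ASLR")
    dirs = pe["directories"]
    security = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] if len(dirs) > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)
    if security == (0, 0):
        notes.append("empty IMAGE_DIRECTORY_ENTRY_SECURITY: not Authenticode signed")
    return notes


def build_toy_pe(sections, overlay: bytes, characteristics: int = 0x0103) -> bytes:
    """Construct a minimal well-formed PE32 for testing. 0x0103 mirrors the
    sample's RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE."""
    file_align, e_lfanew, opt_size = 0x200, 0x40, 224
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    size_of_headers = -(-hdr_end // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4C26F87E, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)       # FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes; directories stay zero
    headers, bodies = b"", b""
    raw_ptr, va = size_of_headers, 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), va,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(len(body), 1) // 0x1000) * 0x1000
    image = (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(size_of_headers, b"\0")
    return image + bodies + overlay


def constructed_overlay(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    out, block = bytearray(), b"constructed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    toy = build_toy_pe([(b".text", b"\x55\x8b\xec\x83\xec\x10\x53\x56" * 400),
                        (b".rdata", b"This program cannot be run in DOS mode\0" * 64)],
                       overlay=constructed_overlay(65536))
    pe = parse_pe(toy)
    for s in pe["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"md5={s['md5']} entropy={s['entropy']:.3f}")
    print("mapped end: 0x%x of %d bytes, file entropy %.4f" % (pe["mapped_end"], len(toy), pe["file_entropy"]))
    for note in triage(pe):
        print("-", note)
```

On the real file the same walk gives a mapped end of roughly 0x16600 and an overlay of about 23.5 MB; carving `data[mapped_end:]` is the first step toward the 19,985,008-byte "data" file with entropy 7.99999 that the run dropped, since a stub this small has nothing else to unpack from.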
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a250 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3709677419354839
RT_ICON | 0x1a538 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6081081081081081
RT_MENU | 0x1a660 | 0x4a | data | English | United States | 0.8648648648648649
RT_DIALOG | 0x1a6ac | 0xf2 | data | English | United States | 0.7148760330578512
RT_STRING | 0x1a7a0 | 0x40 | data | English | United States | 0.59375
RT_GROUP_ICON | 0x1a7e0 | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x1a804 | 0x314 | data | English | United States | 0.44416243654822335
RT_MANIFEST | 0x1ab18 | 0x60f | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4229529335912315
RT_MANIFEST | 0x1b128 | 0x298 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4894578313253012
DLL | Import
COMCTL32.dll |
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken | Map
English | United States |
                            No network behavior found
                            Target ID:0
                            Start time:17:02:01
                            Start date:26/12/2024
                            Path:C:\Users\user\Desktop\CnjMEmbChO.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\CnjMEmbChO.exe"
                            Imagebase:0x400000
                            File size:23'595'283 bytes
                            MD5 hash:6B64F2CD11EC2223C9818E0F752C649E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:17:02:05
                            Start date:26/12/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:17:02:05
                            Start date:26/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:17:02:05
                            Start date:26/12/2024
                            Path:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                            Imagebase:0xf50000
                            File size:777'816 bytes
                            MD5 hash:30A274E00DA842B09E9763F19777ADED
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 4%, ReversingLabs
                            Reputation:low
                            Has exited:false

                              Execution Graph

                              Execution Coverage:17.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:26.9%
                              Total number of Nodes:1421
                              Total number of Limit Nodes:14
9654->9668 9657 403ef6 2 API calls 9655->9657 9658 404d1b 9656->9658 9659 404d73 9657->9659 9658->9654 9661 40db53 2 API calls 9658->9661 9660 403ef6 2 API calls 9659->9660 9662 404d80 9660->9662 9663 404d37 9661->9663 9664 40dd5f 2 API calls 9662->9664 9663->9654 9665 404d3b ??3@YAXPAX 9663->9665 9666 404d94 9664->9666 9665->9646 9666->9654 9667 404d9d ??3@YAXPAX 9666->9667 9667->9668 9668->9229 9670 4025ae 2 API calls 9669->9670 9686 4030a8 9670->9686 9671 403301 9672 403344 ??3@YAXPAX 9671->9672 9673 40334e 9672->9673 9673->9215 9673->9222 9674 401411 ??2@YAPAXI ??3@YAXPAX 9674->9686 9676 40272e ??2@YAPAXI ??3@YAXPAX MultiByteToWideChar 9676->9686 9677 401362 2 API calls 9678 4030f3 ??3@YAXPAX ??3@YAXPAX 9677->9678 9679 403303 9678->9679 9678->9686 10480 4029c3 9679->10480 9683 40331c ??3@YAXPAX 9683->9673 9684 4031e5 strncmp 9685 4031d0 strncmp 9684->9685 9684->9686 9685->9684 9685->9686 9686->9671 9686->9674 9686->9676 9686->9677 9686->9679 9686->9684 9687 401362 2 API calls 9686->9687 9688 402640 2 API calls 9686->9688 9691 402640 ??2@YAPAXI ??3@YAXPAX 9686->9691 9693 4023dd lstrcmpW 9686->9693 9694 402f6c 7 API calls 9686->9694 9696 403330 9686->9696 9697 4032b2 lstrcmpW 9686->9697 9701 401329 2 API calls 9686->9701 10474 402986 9686->10474 10479 402425 ??3@YAXPAX ??3@YAXPAX 9686->10479 9689 403252 ??3@YAXPAX 9687->9689 9688->9685 9690 402a69 9 API calls 9689->9690 9692 403263 lstrcmpW 9690->9692 9691->9686 9692->9686 9693->9686 9694->9686 9699 402f6c 7 API calls 9696->9699 9697->9686 9698 4032c0 lstrcmpW 9697->9698 9698->9686 9700 40333c 9699->9700 10498 402425 ??3@YAXPAX ??3@YAXPAX 9700->10498 9701->9686 9704 402f86 9703->9704 9705 402f7b 9703->9705 9707 408761 4 API calls 9704->9707 10500 402668 9705->10500 9708 402f92 9707->9708 9708->9219 9709->9219 9711 4024fc 2 API calls 9710->9711 9712 40485f 9711->9712 9713 40254d 2 API calls 9712->9713 9714 40486c 9713->9714 9715 404888 9714->9715 9716 401429 2 API calls 9714->9716 9717 40254d 2 API calls 
9715->9717 9716->9714 9718 404892 9717->9718 9719 40408b 94 API calls 9718->9719 9720 40489d ??3@YAXPAX 9719->9720 9720->9262 9722 4040a2 lstrlenW 9721->9722 9723 4040ce 9721->9723 9724 401a85 4 API calls 9722->9724 9723->9262 9725 4040b8 9724->9725 9725->9722 9725->9723 9726 4040d5 9725->9726 9727 4024fc 2 API calls 9726->9727 9730 4040de 9727->9730 10505 402776 9730->10505 9731 403093 84 API calls 9732 40414c 9731->9732 9733 404156 ??3@YAXPAX ??3@YAXPAX 9732->9733 9734 40416d ??3@YAXPAX ??3@YAXPAX 9732->9734 9733->9723 9734->9723 9735->9276 9737 40661a 2 API calls 9736->9737 9738 403b48 9737->9738 9738->9264 9740 408646 9739->9740 9752 4083d5 ctype 9739->9752 9740->9270 9741 40243b lstrcmpW 9741->9752 9742 40661a 2 API calls 9742->9752 9743 40786b 23 API calls 9743->9752 9745 407674 23 API calls 9745->9752 9746 407613 23 API calls 9746->9752 9747 403b40 2 API calls 9747->9752 9748 401f9d 19 API calls 9748->9752 9749 407776 55 API calls 9749->9752 9750 403f48 4 API calls 9750->9752 9751 4073d1 21 API calls 9751->9752 9752->9740 9752->9741 9752->9742 9752->9743 9752->9745 9752->9746 9752->9747 9752->9748 9752->9749 9752->9750 9752->9751 9753 407717 25 API calls 9752->9753 9754 4073d1 21 API calls 9752->9754 10515 40744b 9752->10515 9753->9752 9755 408476 ??3@YAXPAX 9754->9755 9755->9752 9757 40243b lstrcmpW 9756->9757 9758 4082fd 9757->9758 9759 40830b 9758->9759 10519 4019f0 GetStdHandle WriteFile 9758->10519 9761 40831e 9759->9761 10520 4019f0 GetStdHandle WriteFile 9759->10520 9766 408333 9761->9766 10521 4019f0 GetStdHandle WriteFile 9761->10521 9765 40243b lstrcmpW 9768 408351 9765->9768 9767 408344 9766->9767 10522 4019f0 GetStdHandle WriteFile 9766->10522 9767->9765 9769 40835f 9768->9769 10523 4019f0 GetStdHandle WriteFile 9768->10523 9771 40243b lstrcmpW 9769->9771 9772 40836c 9771->9772 9773 40837a 9772->9773 10524 4019f0 GetStdHandle WriteFile 9772->10524 9775 40243b lstrcmpW 9773->9775 9776 408387 9775->9776 9777 408395 9776->9777 10525 4019f0 
GetStdHandle WriteFile 9776->10525 9779 40243b lstrcmpW 9777->9779 9780 4083a2 9779->9780 9781 4083b2 9780->9781 10526 4019f0 GetStdHandle WriteFile 9780->10526 9781->9266 9784 407636 9783->9784 9785 407658 9784->9785 9786 40764b 9784->9786 10530 407186 9785->10530 10527 407154 9786->10527 9789 407653 9790 4073d1 21 API calls 9789->9790 9791 407671 9790->9791 9791->9310 9793 407689 9792->9793 9794 40716d 2 API calls 9793->9794 9795 407694 9794->9795 9796 4073d1 21 API calls 9795->9796 9797 4076a5 9796->9797 9797->9310 9799 401411 2 API calls 9798->9799 9800 403f96 9799->9800 9801 402535 2 API calls 9800->9801 9802 403f9f GetTempPathW 9801->9802 9803 403fb8 9802->9803 9807 403fcf 9802->9807 9804 402535 2 API calls 9803->9804 9805 403fc3 GetTempPathW 9804->9805 9805->9807 9806 402535 2 API calls 9808 403ff2 wsprintfW 9806->9808 9807->9806 9809 404009 GetFileAttributesW 9807->9809 9810 40402d 9807->9810 9808->9807 9809->9807 9809->9810 9810->9295 9812 40787e 9811->9812 10536 40719f 9812->10536 9815 4073d1 21 API calls 9816 4078b3 9815->9816 9816->9312 9818 403e21 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9817->9818 9819 403e16 9817->9819 9818->9313 9820 402c86 16 API calls 9819->9820 9820->9818 9822 40243b lstrcmpW 9821->9822 9823 40455d 9822->9823 9824 404592 9823->9824 9825 401329 2 API calls 9823->9825 9824->9364 9826 40456c 9825->9826 9827 403b7f 19 API calls 9826->9827 9828 404572 9827->9828 9828->9824 9829 401429 2 API calls 9828->9829 9829->9824 9831 4012f7 2 API calls 9830->9831 9832 4043d4 9831->9832 9833 40254d 2 API calls 9832->9833 9834 4043df 9833->9834 9834->9353 9836 4021a9 9835->9836 9837 40218e LoadLibraryA GetProcAddress 9835->9837 9836->9410 9837->9836 9839 401411 2 API calls 9838->9839 9846 4048bc 9839->9846 9840 401329 2 API calls 9840->9846 9841 40494e 9842 404988 ??3@YAXPAX 9841->9842 9844 4048ab 3 API calls 9841->9844 9842->9363 9843 401429 2 API calls 9843->9846 9845 404985 9844->9845 9845->9842 9846->9840 9846->9841 9846->9843 9847 40243b 
lstrcmpW 9846->9847 9847->9846 9849 40661a 2 API calls 9848->9849 9850 403f50 9849->9850 9851 401411 2 API calls 9850->9851 9852 403f5e 9851->9852 9852->9338 9854 404cb1 ??3@YAXPAX 9853->9854 9855 404b15 9853->9855 9857 404cb7 9854->9857 9855->9854 9856 404b29 GetDriveTypeW 9855->9856 9856->9854 9858 404b55 9856->9858 9857->9323 9859 403f85 6 API calls 9858->9859 9860 404b63 CreateFileW 9859->9860 9861 404b89 9860->9861 9862 404c7b ??3@YAXPAX ??3@YAXPAX 9860->9862 9863 401411 2 API calls 9861->9863 9862->9857 9864 404b92 9863->9864 9865 401329 2 API calls 9864->9865 9866 404b9f 9865->9866 9867 40254d 2 API calls 9866->9867 9868 404bad 9867->9868 9869 4013e2 2 API calls 9868->9869 9870 404bb9 9869->9870 9871 40254d 2 API calls 9870->9871 9872 404bc7 9871->9872 9873 40254d 2 API calls 9872->9873 9874 404bd4 9873->9874 9875 4013e2 2 API calls 9874->9875 9876 404be0 9875->9876 9877 40254d 2 API calls 9876->9877 9878 404bed 9877->9878 9879 40254d 2 API calls 9878->9879 9880 404bf6 9879->9880 9881 4013e2 2 API calls 9880->9881 9882 404c02 9881->9882 9883 40254d 2 API calls 9882->9883 9884 404c0b 9883->9884 9885 402776 3 API calls 9884->9885 9886 404c1d WriteFile ??3@YAXPAX CloseHandle 9885->9886 9887 404c4b 9886->9887 9888 404c8c 9886->9888 9887->9888 9889 404c53 SetFileAttributesW ShellExecuteW ??3@YAXPAX 9887->9889 9890 402c86 16 API calls 9888->9890 9889->9862 9891 404c94 ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 9890->9891 9891->9857 9901 4022b0 9892->9901 9896 401411 2 API calls 9895->9896 9897 40273a 9896->9897 9898 402772 9897->9898 9899 402535 2 API calls 9897->9899 9898->9453 9900 402757 MultiByteToWideChar 9899->9900 9900->9898 9902 4022ea 9901->9902 9903 4022be ??2@YAPAXI 9901->9903 9902->9453 9903->9902 9904 4022cf ??3@YAXPAX 9903->9904 9904->9902 9907 401ae3 9906->9907 9910 401a97 9906->9910 9907->9460 9908 401abc CharUpperW CharUpperW 9909 401af3 CharUpperW CharUpperW 9908->9909 9908->9910 9909->9907 9910->9907 9910->9908 9911->9479 9913 403e9e 9912->9913 9914 
4022b0 2 API calls 9913->9914 9915 403eac 9914->9915 9915->9493 9917 40435e 9916->9917 9918 404375 9917->9918 9919 40436a 9917->9919 9920 4025ae 2 API calls 9918->9920 9936 4025f6 9919->9936 9921 40437e 9920->9921 9923 4022b0 2 API calls 9921->9923 9925 404387 9923->9925 9924 404373 9928 403ec1 9924->9928 9926 4025f6 2 API calls 9925->9926 9927 4043b5 ??3@YAXPAX 9926->9927 9927->9924 9929 403ecd 9928->9929 9931 403ede 9928->9931 9930 4022b0 2 API calls 9929->9930 9930->9931 9931->9499 9933 403f06 9932->9933 9939 4022fc 9933->9939 9935 403f13 9935->9505 9937 4022b0 2 API calls 9936->9937 9938 402610 9937->9938 9938->9924 9940 402340 9939->9940 9941 402310 9939->9941 9940->9935 9942 4022b0 2 API calls 9941->9942 9942->9940 9944 4022fc 2 API calls 9943->9944 9945 40264a 9944->9945 9945->9515 9947 403d3d 9946->9947 9958 403c63 9947->9958 9951 403cd3 9950->9951 9952 403c63 _wtol 9951->9952 9953 403cf4 9952->9953 9953->9554 9955 403d04 9954->9955 9956 403c63 _wtol 9955->9956 9957 403d1c 9956->9957 9957->9559 9959 403c6d 9958->9959 9960 403c88 _wtol 9959->9960 9961 403cc1 9959->9961 9960->9959 9961->9548 9965 4023e8 9962->9965 9963 4023f4 lstrcmpW 9964 402411 9963->9964 9963->9965 9964->9268 9965->9963 9965->9964 9967 408679 9966->9967 9967->9596 9969 40a7fe 9968->9969 9970 40b2fc 11 API calls 9969->9970 9971 40a823 9970->9971 9972 40a845 9971->9972 9973 40a82c 9971->9973 10014 40cc59 _EH_prolog 9972->10014 10017 40a3fe 9973->10017 9985 40b30d 9984->9985 9989 40dcfb 3 API calls 9985->9989 9986 40b321 9987 40b331 9986->9987 10453 40b163 9986->10453 9987->9599 9989->9986 9991 40151e 9990->9991 9992 401329 2 API calls 9991->9992 9993 40152b 9992->9993 9994 401429 2 API calls 9993->9994 9995 401534 CreateThread 9994->9995 9996 401563 9995->9996 9997 401568 WaitForSingleObject 9995->9997 10466 40129c 9995->10466 9998 40786b 23 API calls 9996->9998 9999 401585 9997->9999 10000 4015b7 9997->10000 9998->9997 10003 4015a3 9999->10003 10006 401594 9999->10006 10001 4015b3 
10000->10001 10002 4015bf GetExitCodeThread 10000->10002 10001->9606 10004 4015d6 10002->10004 10005 407776 55 API calls 10003->10005 10004->10001 10004->10006 10007 401605 SetLastError 10004->10007 10005->10001 10006->10001 10008 407776 55 API calls 10006->10008 10007->10006 10008->10001 10010 401411 2 API calls 10009->10010 10011 4042ab 10010->10011 10012 401411 2 API calls 10011->10012 10013 4042b7 10012->10013 10013->9605 10025 40c9fc 10014->10025 10436 40a28e 10017->10436 10047 40a0bf 10025->10047 10181 40a030 10047->10181 10182 40e8da ctype 3 API calls 10181->10182 10183 40a039 10182->10183 10184 40e8da ctype 3 API calls 10183->10184 10185 40a041 10184->10185 10186 40e8da ctype 3 API calls 10185->10186 10187 40a049 10186->10187 10188 40e8da ctype 3 API calls 10187->10188 10189 40a051 10188->10189 10190 40e8da ctype 3 API calls 10189->10190 10191 40a059 10190->10191 10192 40e8da ctype 3 API calls 10191->10192 10193 40a061 10192->10193 10194 40e8da ctype 3 API calls 10193->10194 10195 40a06b 10194->10195 10196 40e8da ctype 3 API calls 10195->10196 10197 40a073 10196->10197 10198 40e8da ctype 3 API calls 10197->10198 10199 40a080 10198->10199 10200 40e8da ctype 3 API calls 10199->10200 10201 40a088 10200->10201 10202 40e8da ctype 3 API calls 10201->10202 10203 40a095 10202->10203 10204 40e8da ctype 3 API calls 10203->10204 10205 40a09d 10204->10205 10206 40e8da ctype 3 API calls 10205->10206 10207 40a0aa 10206->10207 10208 40e8da ctype 3 API calls 10207->10208 10209 40a0b2 10208->10209 10437 40e8da ctype 3 API calls 10436->10437 10438 40a29c 10437->10438 10454 40f0b6 GetLastError 10453->10454 10456 40b17e 10454->10456 10455 40b192 10455->9987 10456->10455 10457 40adc3 3 API calls 10456->10457 10458 40b1b6 memcpy 10457->10458 10463 40b1d9 10458->10463 10459 40b297 ??3@YAXPAX 10459->10455 10460 40b2a2 ??3@YAXPAX 10460->10455 10462 40b27a memmove 10462->10463 10463->10459 10463->10460 10463->10462 10464 40b2ac memcpy 10463->10464 10465 40dcfb 3 API calls 
10464->10465 10465->10460 10467 4012a5 10466->10467 10468 4012b8 10466->10468 10467->10468 10469 4012a7 Sleep 10467->10469 10470 4012f1 10468->10470 10471 4012e3 EndDialog 10468->10471 10469->10467 10471->10470 10473 4021db 10472->10473 10473->9617 10475 4025ae 2 API calls 10474->10475 10476 402992 10475->10476 10477 4029be 10476->10477 10478 402640 2 API calls 10476->10478 10477->9686 10478->10476 10479->9686 10481 4029d2 10480->10481 10482 4029de 10480->10482 10499 4019f0 GetStdHandle WriteFile 10481->10499 10484 4025ae 2 API calls 10482->10484 10488 4029e8 10484->10488 10485 4029d9 10497 402425 ??3@YAXPAX ??3@YAXPAX 10485->10497 10486 402a13 10487 40272e 3 API calls 10486->10487 10489 402a25 10487->10489 10488->10486 10492 402640 2 API calls 10488->10492 10490 402a33 10489->10490 10491 402a47 10489->10491 10493 407776 55 API calls 10490->10493 10494 407776 55 API calls 10491->10494 10492->10488 10495 402a42 ??3@YAXPAX ??3@YAXPAX 10493->10495 10494->10495 10495->10485 10497->9683 10498->9672 10499->10485 10501 4012f7 2 API calls 10500->10501 10502 402676 10501->10502 10503 4012f7 2 API calls 10502->10503 10504 402682 10503->10504 10504->9704 10506 4025ae 2 API calls 10505->10506 10507 402785 10506->10507 10508 4027c1 10507->10508 10511 402628 10507->10511 10508->9731 10512 402634 10511->10512 10513 40263a WideCharToMultiByte 10511->10513 10514 4022b0 2 API calls 10512->10514 10513->10508 10514->10513 10516 407456 10515->10516 10517 40745b 10515->10517 10516->9752 10517->10516 10518 4073d1 21 API calls 10517->10518 10518->10516 10519->9759 10520->9761 10521->9766 10522->9767 10523->9769 10524->9773 10525->9777 10526->9781 10528 40661a 2 API calls 10527->10528 10529 40715c 10528->10529 10529->9789 10533 40716d 10530->10533 10534 40661a 2 API calls 10533->10534 10535 407175 10534->10535 10535->9789 10537 40661a 2 API calls 10536->10537 10538 4071a7 10537->10538 10538->9815 8037 40f3f1 8040 4024e7 8037->8040 8045 40245a 8040->8045 8043 4024f5 8044 4024f6 malloc 8046 
40246a 8045->8046 8052 402466 8045->8052 8047 40247a GlobalMemoryStatusEx 8046->8047 8046->8052 8048 402488 8047->8048 8047->8052 8048->8052 8053 401f9d 8048->8053 8052->8043 8052->8044 8057 401fb4 8053->8057 8054 401fe5 GetLastError wsprintfW GetEnvironmentVariableW GetLastError 8055 402095 SetLastError 8054->8055 8056 40201d ??2@YAPAXI GetEnvironmentVariableW 8054->8056 8060 401fdb 8055->8060 8061 4020ac 8055->8061 8058 40207e ??3@YAXPAX 8056->8058 8059 40204c GetLastError 8056->8059 8057->8054 8057->8060 8067 402081 8058->8067 8059->8058 8062 402052 8059->8062 8073 407717 8060->8073 8064 4020cb lstrlenA ??2@YAPAXI 8061->8064 8080 401f47 8061->8080 8062->8067 8068 40205c lstrcmpiW 8062->8068 8065 402136 MultiByteToWideChar 8064->8065 8066 4020fc GetLocaleInfoW 8064->8066 8065->8060 8066->8065 8071 402123 _wtol 8066->8071 8067->8055 8068->8058 8072 40206b ??3@YAXPAX 8068->8072 8070 4020c1 8070->8064 8071->8065 8072->8067 8087 40661a 8073->8087 8076 40774e 8091 4073d1 8076->8091 8077 40773c IsBadReadPtr 8077->8076 8081 401f51 GetUserDefaultUILanguage 8080->8081 8082 401f95 8080->8082 8083 401f72 GetSystemDefaultUILanguage 8081->8083 8084 401f6e 8081->8084 8082->8070 8083->8082 8085 401f7e GetSystemDefaultLCID 8083->8085 8084->8070 8085->8082 8086 401f8e 8085->8086 8086->8082 8088 406643 8087->8088 8089 40666f IsWindow 8087->8089 8088->8089 8090 40664b GetSystemMetrics GetSystemMetrics 8088->8090 8089->8076 8089->8077 8090->8089 8092 4073e0 8091->8092 8093 407444 8091->8093 8092->8093 8103 4024fc 8092->8103 8093->8052 8095 4073f1 8096 4024fc 2 API calls 8095->8096 8097 4073fc 8096->8097 8107 403b7f 8097->8107 8100 403b7f 19 API calls 8101 40740e ??3@YAXPAX ??3@YAXPAX 8100->8101 8101->8093 8104 402513 8103->8104 8116 40112b 8104->8116 8106 40251e 8106->8095 8180 403880 8107->8180 8109 403b59 8121 40393b 8109->8121 8111 403b69 8144 4039f6 8111->8144 8113 403b74 8167 4027c7 8113->8167 8117 401177 8116->8117 8118 401139 ??2@YAPAXI 8116->8118 8117->8106 8118->8117 8120 
40115a 8118->8120 8119 40116f ??3@YAXPAX 8119->8117 8120->8119 8120->8120 8203 401411 8121->8203 8125 403954 8210 40254d 8125->8210 8127 403961 8128 4024fc 2 API calls 8127->8128 8129 40396e 8128->8129 8214 403805 8129->8214 8132 401362 2 API calls 8133 403992 8132->8133 8134 40254d 2 API calls 8133->8134 8135 40399f 8134->8135 8136 4024fc 2 API calls 8135->8136 8137 4039ac 8136->8137 8138 403805 3 API calls 8137->8138 8139 4039bc ??3@YAXPAX 8138->8139 8140 4024fc 2 API calls 8139->8140 8141 4039d3 8140->8141 8142 403805 3 API calls 8141->8142 8143 4039e2 ??3@YAXPAX ??3@YAXPAX 8142->8143 8143->8111 8145 401411 2 API calls 8144->8145 8146 403a04 8145->8146 8147 401362 2 API calls 8146->8147 8148 403a0f 8147->8148 8149 40254d 2 API calls 8148->8149 8150 403a1c 8149->8150 8151 4024fc 2 API calls 8150->8151 8152 403a29 8151->8152 8153 403805 3 API calls 8152->8153 8154 403a39 ??3@YAXPAX 8153->8154 8155 401362 2 API calls 8154->8155 8156 403a4d 8155->8156 8157 40254d 2 API calls 8156->8157 8158 403a5a 8157->8158 8159 4024fc 2 API calls 8158->8159 8160 403a67 8159->8160 8161 403805 3 API calls 8160->8161 8162 403a77 ??3@YAXPAX 8161->8162 8163 4024fc 2 API calls 8162->8163 8164 403a8e 8163->8164 8165 403805 3 API calls 8164->8165 8166 403a9d ??3@YAXPAX ??3@YAXPAX 8165->8166 8166->8113 8168 401411 2 API calls 8167->8168 8169 4027d5 8168->8169 8170 4027e5 ExpandEnvironmentStringsW 8169->8170 8171 40112b 2 API calls 8169->8171 8172 402809 8170->8172 8173 4027fe ??3@YAXPAX 8170->8173 8171->8170 8239 402535 8172->8239 8174 402840 8173->8174 8174->8100 8177 402824 8178 401362 2 API calls 8177->8178 8179 402838 ??3@YAXPAX 8178->8179 8179->8174 8181 401411 2 API calls 8180->8181 8182 40388e 8181->8182 8183 401362 2 API calls 8182->8183 8184 403899 8183->8184 8185 40254d 2 API calls 8184->8185 8186 4038a6 8185->8186 8187 4024fc 2 API calls 8186->8187 8188 4038b3 8187->8188 8189 403805 3 API calls 8188->8189 8190 4038c3 ??3@YAXPAX 8189->8190 8191 401362 2 API calls 8190->8191 8192 
4038d7 8191->8192 8193 40254d 2 API calls 8192->8193 8194 4038e4 8193->8194 8195 4024fc 2 API calls 8194->8195 8196 4038f1 8195->8196 8197 403805 3 API calls 8196->8197 8198 403901 ??3@YAXPAX 8197->8198 8199 4024fc 2 API calls 8198->8199 8200 403918 8199->8200 8201 403805 3 API calls 8200->8201 8202 403927 ??3@YAXPAX ??3@YAXPAX 8201->8202 8202->8109 8204 40112b 2 API calls 8203->8204 8205 401425 8204->8205 8206 401362 8205->8206 8207 40136e 8206->8207 8209 401380 8206->8209 8208 40112b 2 API calls 8207->8208 8208->8209 8209->8125 8211 40255a 8210->8211 8219 401398 8211->8219 8213 402565 8213->8127 8215 40381b 8214->8215 8216 403817 ??3@YAXPAX 8214->8216 8215->8216 8223 4026b1 8215->8223 8227 402f96 8215->8227 8216->8132 8220 4013dc 8219->8220 8221 4013ac 8219->8221 8220->8213 8222 40112b 2 API calls 8221->8222 8222->8220 8224 4026c7 8223->8224 8225 4026db 8224->8225 8231 402346 memmove 8224->8231 8225->8215 8228 402fa5 8227->8228 8230 402fbe 8228->8230 8232 4026e6 8228->8232 8230->8215 8231->8225 8233 4026f6 8232->8233 8234 401398 2 API calls 8233->8234 8235 402702 8234->8235 8238 402346 memmove 8235->8238 8237 40270f 8237->8230 8238->8237 8240 402541 8239->8240 8241 402547 ExpandEnvironmentStringsW 8239->8241 8242 40112b 2 API calls 8240->8242 8241->8177 8242->8241 11204 40e4f9 11205 40e516 11204->11205 11206 40e506 11204->11206 11209 40de46 11206->11209 11212 401b1f VirtualFree 11209->11212 11211 40de81 ??3@YAXPAX 11211->11205 11212->11211
                              APIs
                                • Part of subcall function 00401B37: GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                                • Part of subcall function 00401B37: CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                                • Part of subcall function 00401B37: SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                                • Part of subcall function 00401B37: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                                • Part of subcall function 00401B37: DispatchMessageW.USER32(?), ref: 00401B89
                                • Part of subcall function 00401B37: KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                                • Part of subcall function 00401B37: DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                              • GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00404FCE
                              • GetCommandLineW.KERNEL32(?,00000020,?,?,00000000), ref: 0040505C
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                                • Part of subcall function 00402A69: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,00000000,00000020,?,0040508F,?,?,00000000,?,00000000), ref: 00403DA5
                                • Part of subcall function 00403D71: lstrlenW.KERNEL32(?,?,00000000), ref: 00403DAD
                              • _wtol.MSVCRT ref: 0040509F
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004050F1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405102
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040510A
                              • GetModuleFileNameW.KERNEL32(00000000,00000208,00000000,?,00000000), ref: 00405138
                              • _wtol.MSVCRT ref: 00405217
                              • ??2@YAPAXI@Z.MSVCRT(00000010,004177C4,004177C4,?,00000000), ref: 0040538F
                                • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                • Part of subcall function 00404E3F: ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                                • Part of subcall function 00404E3F: wsprintfA.USER32 ref: 00404EBC
                                • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                                • Part of subcall function 00402844: lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                                • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?), ref: 004028E4
                                • Part of subcall function 00402844: memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                                • Part of subcall function 00402844: memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405453
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 0040545B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000009,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405463
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054DD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054E5
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000A,?,?,00000000,004177C4,004177C4,?,00000000), ref: 004054ED
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405509
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405511
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405519
                                • Part of subcall function 00403093: ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405559
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405561
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,004177C4,004177C4,?,00000000), ref: 00405569
                                • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,00000020,?,?,00405650,?,00414668,?,00000000,?), ref: 00403BA1
                                • Part of subcall function 00403B94: lstrlenW.KERNEL32(?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00403BAA
                                • Part of subcall function 00403B94: _wcsnicmp.MSVCRT ref: 00403BB6
                              • wsprintfW.USER32 ref: 00405595
                              • _wtol.MSVCRT ref: 004057DE
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040587B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 00405883
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4,?,00000000), ref: 0040588B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,0000003D,00000000,00000000,?,?,00000000,?), ref: 00405913
                              • ??3@YAXPAX@Z.MSVCRT(?,0000003D,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,004177C4,004177C4), ref: 00405938
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059AA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059B2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000011,00000000,00000000,0000003D,00000000,00000000,?,?,00000000,?), ref: 004059BA
                              • CoInitialize.OLE32(00000000), ref: 004059E9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405A30
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405A38
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405A40
                              • GetKeyState.USER32(00000010), ref: 00405AA1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405BCD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BDB
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BE3
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C16
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C1E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C26
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000E,?,?,?,00000000,AutoInstall), ref: 00405C2E
                              • memset.MSVCRT ref: 004060AE
                              • ShellExecuteExW.SHELL32(?), ref: 0040617E
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 0040619A
                              • CloseHandle.KERNEL32(?,?,?,?), ref: 004061A6
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004061D4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004061DC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 004061E4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 004061EA
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 004061FD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00406205
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406222
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040622A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406232
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 0040623A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00406242
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 0040624A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,0000000F,?,?,?,?,00000000,AutoInstall), ref: 00406252
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 0040626E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00406276
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405BEB
                                • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,004177C4), ref: 00405C4A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?), ref: 00405C52
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C5A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C62
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,00000000,?), ref: 00405C94
                              • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405CD4
                              • ??3@YAXPAX@Z.MSVCRT(?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D41
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D49
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D51
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405D59
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E20
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E28
                              • GetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,00000000,AutoInstall,?,?,00417788), ref: 00405E32
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000,?), ref: 00405EEC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,AutoInstall,?,?,00417788,?,?,?,?,?,?,?,?,00000000), ref: 00405EF4
                              • _wtol.MSVCRT ref: 00405F65
                              • ??3@YAXPAX@Z.MSVCRT(?,00000001,00000010,?,?,?,?), ref: 00406294
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000001,00000010,?,?,?,?), ref: 0040629C
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000001,00000010,?,?,?,?), ref: 004062A4
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062AA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062B2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062BA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062C2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062CA
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000001,00000010,?,?,?,?), ref: 004062D2
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,?), ref: 004062F1
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?,?), ref: 004062F9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,?,?), ref: 00406301
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 00406307
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406343
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040636D
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 004063E6
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,?,?), ref: 0040643D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,?,?), ref: 00406445
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,?,?), ref: 0040644D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406455
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040646A
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040647B
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00406483
                              • MessageBoxA.USER32(00000000,Sorry, this program requires Microsoft Windows 2000 or later.,7-Zip SFX,00000010), ref: 0040649C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$lstrlen$Message$_wtol$??2@FileFormatHandleModuleTimerWindowlstrcpymemcmpwsprintf$AttributesCloseCommandCreateCurrentDestroyDirectoryDispatchErrorExecuteFreeInitializeKillLastLineLocalNameObjectShellSingleStateVersionWait_wcsnicmpmemmovememsetwvsprintf
                              • String ID: 4AA$4DA$7-Zip SFX$7ZipSfx.%03x$7zSfxString%d$;!@Install@!UTF-8!$;!@InstallEnd@!$@DA$AutoInstall$BeginPrompt$Delete$ExecuteFile$ExecuteParameters$FinishMessage$GUIFlags$GUIMode$HelpText$InstallPath$MiscFlags$OverwriteMode$RunProgram$SelfDelete$SetEnvironment$Shortcut$Sorry, this program requires Microsoft Windows 2000 or later.$XpA$amd64$del$forcenowait$hidcon$i386$nowait$setup.exe$sfxconfig$sfxversion$shc$x64$x86$IA
                              • API String ID: 3696187633-3058303289
                              • Opcode ID: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
                              • Instruction ID: bd55e9a5e2f2b8c77b34d16bce6880ff8bafa7c96c93ceffa7f521d25999041e
                              • Opcode Fuzzy Hash: 926e16e0d72d3398af4091c0d2fb4f0e89ce66b1218389f87f1cbe10f28a7287
                              • Instruction Fuzzy Hash: 65C2E231904619AADF21AF61DC45AEF3769EF00708F54403BF906B61E2EB7C9981CB5D

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 651 401626-401636 652 401642-40166d call 40874d call 40a62f 651->652 653 401638-40163d 651->653 658 401680-40168c call 401411 652->658 659 40166f 652->659 654 401980-401983 653->654 665 401962-40197d ??3@YAXPAX@Z call 40eca9 658->665 666 401692-401697 658->666 660 401671-40167b call 40eca9 659->660 667 40197f 660->667 665->667 666->665 668 40169d-4016d3 call 401329 call 401454 call 401362 ??3@YAXPAX@Z 666->668 667->654 678 401948-40194b 668->678 679 4016d9-4016f8 668->679 680 40194d-401960 ??3@YAXPAX@Z call 40eca9 678->680 683 401713-401717 679->683 684 4016fa-40170e call 40eca9 ??3@YAXPAX@Z 679->684 680->667 687 401719-40171c 683->687 688 40171e-401723 683->688 684->660 690 40174b-401762 687->690 691 401745-401748 688->691 692 401725 688->692 690->684 695 401764-401787 690->695 691->690 693 401727-40172d 692->693 697 40172f-401740 call 40eca9 ??3@YAXPAX@Z 693->697 701 4017a2-4017a8 695->701 702 401789-40179d call 40eca9 ??3@YAXPAX@Z 695->702 697->660 704 4017c4-4017d6 GetLocalTime SystemTimeToFileTime 701->704 705 4017aa-4017ad 701->705 702->660 706 4017dc-4017df 704->706 708 4017b6-4017c2 705->708 709 4017af-4017b1 705->709 710 4017e1-4017e3 call 403354 706->710 711 4017f8-4017ff call 40301a 706->711 708->706 709->693 714 4017e8-4017eb 710->714 715 401804-401809 711->715 714->697 716 4017f1-4017f3 714->716 717 401934-401943 GetLastError 715->717 718 40180f-401812 715->718 716->693 717->678 719 401818-401822 ??2@YAPAXI@Z 718->719 720 40192a-40192d 718->720 722 401833 719->722 723 401824-401831 719->723 720->717 724 401835-401859 call 4010e2 call 40db53 722->724 723->724 729 40190f-401928 call 408726 call 40eca9 724->729 730 40185f-40187d GetLastError call 4012f7 call 402d5a 724->730 729->680 739 4018ba-4018cf call 403354 730->739 740 40187f-401886 730->740 744 4018d1-4018d9 739->744 745 4018db-4018f3 call 40db53 739->745 743 40188a-40189a ??3@YAXPAX@Z 740->743 746 4018a2-4018b5 call 40eca9 ??3@YAXPAX@Z 743->746 747 40189c-40189e 743->747 744->743 753 4018f5-401904 GetLastError 745->753 754 401906-40190e ??3@YAXPAX@Z 745->754 746->660 747->746 753->743 754->729
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
                              • Instruction ID: 8ae67fe93764504dd4472983a8ee98937692ca3eac7777145cc28303e79798ac
                              • Opcode Fuzzy Hash: bc4e185761910bab2b3e9b4b194fe0f2484e14367d7febfa53cbc10b96610557
                              • Instruction Fuzzy Hash: 8DB17C71900205EFCB14EFA5D8849AEB7B5FF44304B24842BF512BB2F1EB39A945CB58

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1082 40301a-403031 GetFileAttributesW 1083 403033-403035 1082->1083 1084 403037-403039 1082->1084 1085 403090-403092 1083->1085 1086 403048-40304f 1084->1086 1087 40303b-403046 SetLastError 1084->1087 1088 403051-403058 call 402fed 1086->1088 1089 40305a-40305d 1086->1089 1087->1085 1088->1085 1091 40308d-40308f 1089->1091 1092 40305f-403070 FindFirstFileW 1089->1092 1091->1085 1092->1088 1094 403072-40308b FindClose CompareFileTime 1092->1094 1094->1088 1094->1091
                              APIs
                              • GetFileAttributesW.KERNELBASE(?,-00000001), ref: 00403028
                              • SetLastError.KERNEL32(00000010), ref: 0040303D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: AttributesErrorFileLast
                              • String ID:
                              • API String ID: 1799206407-0
                              • Opcode ID: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                              • Instruction ID: 32a2c072cbeca167af0ba40feded167abd8377b8b15159977275e4e23b0806bf
                              • Opcode Fuzzy Hash: 611e1059d124648bfa8909f45edfa8144be0e8992cd1f43fa13480e02f084d79
                              • Instruction Fuzzy Hash: 42018B30102004AADF206F749C4CAAB3BACAB0136BF108632F621F11D8D738DB46965E
                              APIs
                              • GetDiskFreeSpaceExW.KERNELBASE(?,00000000,00000000), ref: 004011A6
                              • SendMessageW.USER32(00008001,00000000,?), ref: 004011FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: DiskFreeMessageSendSpace
                              • String ID:
                              • API String ID: 696007252-0
                              • Opcode ID: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                              • Instruction ID: 9edb1a80411cac00ba33afe52a6c86c35bfa08927eae57e7515b94cd88b359ae
                              • Opcode Fuzzy Hash: 3a86173e64e6b0f12d7b84feb59694df1deaa45c142369f31f6b7a0286f107e3
                              • Instruction Fuzzy Hash: 1C014B30654209ABEB18EB90DD85F9A3BE9EB05704F108436F611F91F0CB79BA408B1D

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 757 411def-411e64 __set_app_type __p__fmode __p__commode call 411f7b 760 411e72-411ec9 call 411f66 _initterm __getmainargs _initterm 757->760 761 411e66-411e71 __setusermatherr 757->761 764 411f05-411f08 760->764 765 411ecb-411ed3 760->765 761->760 766 411ee2-411ee6 764->766 767 411f0a-411f0e 764->767 768 411ed5-411ed7 765->768 769 411ed9-411edc 765->769 770 411ee8-411eea 766->770 771 411eec-411efd GetStartupInfoA 766->771 767->764 768->765 768->769 769->766 772 411ede-411edf 769->772 770->771 770->772 773 411f10-411f12 771->773 774 411eff-411f03 771->774 772->766 775 411f13-411f40 GetModuleHandleA call 4064af exit _XcptFilter 773->775 774->775
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                              • String ID: HpA
                              • API String ID: 801014965-2938899866
                              • Opcode ID: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                              • Instruction ID: 158ffaedae0d42993a529c42e252781da09b2560f8e529a8c548a3e081932a5e
                              • Opcode Fuzzy Hash: 9fb10d9e3a65800a4f5e1ed226729125e22e54dc21e3b7cab0738d928573cc55
                              • Instruction Fuzzy Hash: 254192B0944344AFDB20DFA4DC45AEA7BB8FB09711F20452FFA51973A1D7784981CB58

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B43
                              • CreateWindowExW.USER32(00000000,Static,0041335C,00000000,000000F6,000000F6,00000005,00000005,00000000,00000000,00000000), ref: 00401B60
                              • SetTimer.USER32(00000000,00000001,00000001,00000000), ref: 00401B72
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401B7F
                              • DispatchMessageW.USER32(?), ref: 00401B89
                              • KillTimer.USER32(00000000,00000001,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B92
                              • DestroyWindow.USER32(00000000,?,?,?,?,?,00404FBD,?,?,00000000), ref: 00401B99
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateDestroyDispatchHandleKillModule
                              • String ID: Static
                              • API String ID: 1156981321-2272013587
                              • Opcode ID: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                              • Instruction ID: f02a6d563a0a994406544e3b77250aae51f77c8b940714b819f60fd1d37dc764
                              • Opcode Fuzzy Hash: 3628b680e9888d51f3ede5b7fd431ea4f93bb964a28f818be4a598c22db00f11
                              • Instruction Fuzzy Hash: 10F03C3250212476CA203FA69C4DEEF7E6CDB86BA2F008160B615A10D1DAB88241C6B9

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 781 40b163-40b183 call 40f0b6 784 40b2f6-40b2f9 781->784 785 40b189-40b190 call 40ac2d 781->785 788 40b192-40b194 785->788 789 40b199-40b1d6 call 40adc3 memcpy 785->789 788->784 792 40b1d9-40b1dd 789->792 793 40b202-40b221 792->793 794 40b1df-40b1f2 792->794 800 40b2a2 793->800 801 40b223-40b22b 793->801 795 40b297-40b2a0 ??3@YAXPAX@Z 794->795 796 40b1f8 794->796 799 40b2f4-40b2f5 795->799 796->793 797 40b1fa-40b1fc 796->797 797->793 797->795 799->784 802 40b2a4-40b2a5 800->802 803 40b2a7-40b2aa 801->803 804 40b22d-40b231 801->804 805 40b2ed-40b2f2 ??3@YAXPAX@Z 802->805 803->802 804->793 806 40b233-40b243 804->806 805->799 807 40b245 806->807 808 40b27a-40b292 memmove 806->808 809 40b254-40b258 807->809 808->792 810 40b25a 809->810 811 40b24c-40b24e 809->811 812 40b25c 810->812 811->812 813 40b250-40b251 811->813 812->808 814 40b25e-40b267 call 40ac2d 812->814 813->809 817 40b269-40b278 814->817 818 40b2ac-40b2e5 memcpy call 40dcfb 814->818 817->808 819 40b247-40b24a 817->819 820 40b2e8-40b2eb 818->820 819->809 820->805
                              APIs
                              • memcpy.MSVCRT(00000000,?,0000001F,00010000), ref: 0040B1C5
                              • memmove.MSVCRT(00000000,-000000C1,00000020,?,00010000), ref: 0040B289
                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040B298
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@memcpymemmove
                              • String ID:
                              • API String ID: 3549172513-3916222277
                              • Opcode ID: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                              • Instruction ID: 201babb0cc669d9fea5df8a163075e687156198648327345136f7fe875bf0058
                              • Opcode Fuzzy Hash: 5bad17cc77e2d39d7f6897ae69eb46f7fe1422127806d73b42e5b41d987a673b
                              • Instruction Fuzzy Hash: 495181B1A00205ABDF14DB95C889AAE7BB4EF49354F1441BAE905B7381D338DD81CB9D

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 822 403354-40337a lstrlenW call 4024fc 825 403385-403391 822->825 826 40337c-403380 call 40112b 822->826 828 403393-403397 825->828 829 403399-40339f 825->829 826->825 828->829 830 4033a2-4033a4 828->830 829->830 831 4033c8-4033d1 call 401986 830->831 834 4033d3-4033e6 GetSystemTimeAsFileTime GetFileAttributesW 831->834 835 4033b7-4033b9 831->835 838 4033e8-4033f6 call 40301a 834->838 839 4033ff-403408 call 401986 834->839 836 4033a6-4033ae 835->836 837 4033bb-4033bd 835->837 836->837 844 4033b0-4033b4 836->844 840 4033c3 837->840 841 403477-40347d 837->841 838->839 852 4033f8-4033fa 838->852 853 403419-40341b 839->853 854 40340a-403417 call 407776 839->854 840->831 848 4034a7-4034ba call 407776 ??3@YAXPAX@Z 841->848 849 40347f-40348a 841->849 844->837 845 4033b6 844->845 845->835 865 4034bc-4034c0 848->865 849->848 850 40348c-403490 849->850 850->848 856 403492-403497 850->856 860 40349c-4034a5 ??3@YAXPAX@Z 852->860 857 40346b-403475 ??3@YAXPAX@Z 853->857 858 40341d-40343c memcpy 853->858 854->852 856->848 862 403499-40349b 856->862 857->865 863 403451-403455 858->863 864 40343e 858->864 860->865 862->860 867 403440-403448 863->867 868 403457-403464 call 401986 863->868 866 403450 864->866 866->863 867->868 869 40344a-40344e 867->869 868->854 872 403466-403469 868->872 869->866 869->868 872->857 872->858
                              APIs
                              • lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                              • GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                              • ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                                • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              • memcpy.MSVCRT(-00000001,00404AC6,?,?,?,?,?,00404AC6,?), ref: 0040342F
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 0040346C
                              • ??3@YAXPAX@Z.MSVCRT(?,00000001,0000000C,00404AC6,00404AC6,?,?,?,?,00404AC6,?), ref: 004034B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$FileTime$??2@AttributesSystemlstrlenmemcpy
                              • String ID:
                              • API String ID: 846840743-0
                              • Opcode ID: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                              • Instruction ID: c1b9adc2f16cc45d244a7c0b75b8b4a4f89234fa72cd4c12ee41ca3d86f3c48f
                              • Opcode Fuzzy Hash: 59d4a2ad1293f13bca9fbc2cc36a10c810479fd21a5ed498f46fbcb1fa619914
                              • Instruction Fuzzy Hash: 8F41C836904611AADB216F998881ABF7F6CEF40716F80403BED01B61D5DB3C9B4282DD

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00401F47: GetUserDefaultUILanguage.KERNEL32(00404416,00000000,00000020,?), ref: 00401F51
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                                • Part of subcall function 00401F9D: _wtol.MSVCRT ref: 0040212A
                                • Part of subcall function 00401F9D: MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000020,?), ref: 0040448C
                              • wsprintfW.USER32 ref: 004044A7
                                • Part of subcall function 00402F6C: ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                              • #17.COMCTL32(?,?,?,?,00000000,00000020,?), ref: 00404533
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ErrorLast$??2@$??3@EnvironmentVariablewsprintf$ByteCharDefaultFolderInfoLanguageLocaleMultiPathSpecialUserWide_wtollstrcmpilstrlen
                              • String ID: 7zSfxFolder%02d$IA
                              • API String ID: 3387708999-1317665167
                              • Opcode ID: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                              • Instruction ID: c443879f351b6d6d2b07c84fde6f3777072453d7374e8d7fc75fcfd2f507d9dd
                              • Opcode Fuzzy Hash: 205a0074c49e5804c32477661e2015f4351efd6e14d5df67bf5bfd9f1882f569
                              • Instruction Fuzzy Hash: E03140B19042199BDB10FFA2DC86AEE7B78EB44308F40407FF619B21E1EB785644DB58

                              Control-flow Graph

                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,00000000,?), ref: 00408F0F
                              • ??2@YAPAXI@Z.MSVCRT(00000028,00000000,?,?,00000000,?), ref: 00408F59
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@
                              • String ID: IA$IA
                              • API String ID: 1033339047-1400641299
                              • Opcode ID: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                              • Instruction ID: ddcf9de22f7a46eeefc4975c1fab543939f34ce9f972055b0c78c556d294e1f5
                              • Opcode Fuzzy Hash: ade758c57321b25e9a53a0c33f99253ab3068af0158966582580042e8f9f7447
                              • Instruction Fuzzy Hash: EF123671A00209DFCB14EFA5C98489ABBB5FF48304B10456EF95AA7392DB39ED85CF44

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: free
                              • String ID: $KA$4KA$HKA$\KA
                              • API String ID: 1294909896-3316857779
                              • Opcode ID: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                              • Instruction ID: 889df95fe732b3a4b2d84b4ab476e7a54c7f97cead7299b76f73e2708a1c6c0a
                              • Opcode Fuzzy Hash: 376fb7dfafd84c32bde4dd83858b4f8e2c6f0d8f0efa40633e7013e4dd95691d
                              • Instruction Fuzzy Hash: C5F09271409B109FC7319F55E405AC6B7F4AE447183058A2EA89A5BA11D3B8F989CB9C

                              Control-flow Graph

                              APIs
                              • _EH_prolog.MSVCRT ref: 004096D0
                              • ??2@YAPAXI@Z.MSVCRT(00000038,00000001), ref: 0040986E
                              • ??2@YAPAXI@Z.MSVCRT(00000038,?,00000000,00000000,00000001), ref: 00409941
                                • Part of subcall function 00409C13: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,?,00409952,?,00000000,00000000,00000001), ref: 00409C3B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@$H_prolog
                              • String ID: HIA
                              • API String ID: 3431946709-2712174624
                              • Opcode ID: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                              • Instruction ID: da3614a8b55b1d80bdf53177d95d0cff5abf3d9c279f99a440b99522f39c568d
                              • Opcode Fuzzy Hash: 5664c2804fe39f9fee2805cb412b18014b96d9821453edab9864f4d5d9c1b48b
                              • Instruction Fuzzy Hash: 53F13971610249DFCB24DF69C884AAA77F4BF48314F24416AF829AB392DB39ED41CF54

                              Control-flow Graph

                              APIs
                              • lstrlenA.KERNEL32(?,?,00000000), ref: 00402876
                              • lstrlenA.KERNEL32(?,?,00000000), ref: 0040287E
                              • memcmp.MSVCRT(?,?,?), ref: 004028E4
                              • memcmp.MSVCRT(?,?,?,?,00000000), ref: 00402921
                              • memmove.MSVCRT(?,?,00000000,?,00000000), ref: 00402953
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: lstrlenmemcmp$memmove
                              • String ID:
                              • API String ID: 3251180759-0
                              • Opcode ID: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                              • Instruction ID: d4955105e7b234ce255a009ef61331e6eb412850de833d0a73495bfba1f32545
                              • Opcode Fuzzy Hash: 67daa449d30d113f3b3b6daec82bd49862eba03341b4cd8aae73257779b8cae6
                              • Instruction Fuzzy Hash: 4A417F72E00209AFCF01DFA4C9889EEBBB5EF08344F04447AE945B3291D3B49E55CB55

                              Control-flow Graph

                              APIs
                              • CreateThread.KERNELBASE(00000000,00000000,0040129C,00000000,00000000,?), ref: 0040154F
                              • WaitForSingleObject.KERNEL32(000000FF,?,00404AFB,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401570
                                • Part of subcall function 00407776: wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                                • Part of subcall function 00407776: GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                                • Part of subcall function 00407776: FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                                • Part of subcall function 00407776: lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                                • Part of subcall function 00407776: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                                • Part of subcall function 00407776: lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                                • Part of subcall function 00407776: ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                                • Part of subcall function 00407776: LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: FormatMessagelstrcpylstrlen$??2@??3@CreateErrorFreeLastLocalObjectSingleThreadWaitwvsprintf
                              • String ID:
                              • API String ID: 359084233-0
                              • Opcode ID: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                              • Instruction ID: 87277f5b9ffc23463226fd0df2644328d4cfb3d5af9d6e9341eee715f5e270ad
                              • Opcode Fuzzy Hash: bfd7be960afb110040db1d822841385e4bb8395790a59903d21b295a7462948d
                              • Instruction Fuzzy Hash: 8231F171644200BBDA305B15DC86EBB37B9EBC5350F24843BF522F92F0CA79A941DA5E

                              Control-flow Graph

                              APIs
                              • CreateDirectoryW.KERNELBASE(004033CE,00000000,-00000001,004033CE,?,00404AC6,?,?,?,?,00404AC6,?), ref: 0040198D
                              • GetLastError.KERNEL32(?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00401997
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019A7
                              • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004019B5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ErrorLast$AttributesCreateDirectoryFile
                              • String ID:
                              • API String ID: 635176117-0
                              • Opcode ID: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                              • Instruction ID: 5ae0be16486f509c6b40768ba71a6c1c2cea9be4331c5fc90c1b41dbeb0419e3
                              • Opcode Fuzzy Hash: 393c5bca226d6deeec728b25f224b431065b6bfcdefbc0a9fd36f7f362ffe78b
                              • Instruction Fuzzy Hash: D5E09AB0518250AFDE142BB4BD187DB3AA5AF46362F508932F495E02F0C33888428A89

                              Control-flow Graph

                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(000001E8,00000000,?,ExecuteFile,00000015,?,00405D20,?,00417788,00417788), ref: 00404A5A
                              • ??2@YAPAXI@Z.MSVCRT(00000040,?,?,?,?,?,?,?,?,00000000,?), ref: 00404ADC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@
                              • String ID: ExecuteFile
                              • API String ID: 1033339047-323923146
                              • Opcode ID: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
                              • Instruction ID: 446d0bd8c70a379003bbf02419fa435b46014474c8a02eb0da5acec479ce97d7
                              • Opcode Fuzzy Hash: fa0511c003ccdb3ab72568a6a3a656966613ea7ca94b66f833361549b4052979
                              • Instruction Fuzzy Hash: EA1184B5340104BFD710AB659C85D6B73A8EF80355724443FF602B72D1DA789D418A6D

                              Control-flow Graph

                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                              • memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@??3@memmove
                              • String ID:
                              • API String ID: 3828600508-0
                              • Opcode ID: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
                              • Instruction ID: a8ce0a3cb4653ecb547b1a3698f229d81d6147035ad3680bc60947505803a3f4
                              • Opcode Fuzzy Hash: 681e1b0d226f40fe4ab8b8450f07d9ff2e75d0d2427af455dbd11f2bdce48d51
                              • Instruction Fuzzy Hash: 74F089763047016FC3205B1ADC80857BBABDFC4715311883FE55E93A50D634F891965A
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 0040247E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID: @
                              • API String ID: 1890195054-2766056989
                              APIs
                                • Part of subcall function 0040AAAB: _CxxThrowException.MSVCRT(?,00414EF8), ref: 0040AAC5
                                • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,004149F0,?,004149B0), ref: 0040CAF2
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,004149F0,?,004149B0), ref: 0040CC4A
                              Similarity
                              • API ID: ??3@$??2@ExceptionThrowmemmove
                              • String ID:
                              • API String ID: 4269121280-0
                              APIs
                              Similarity
                              • API ID: ??3@H_prolog
                              • String ID:
                              • API String ID: 1329742358-0
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              Similarity
                              • API ID: ??2@??3@
                              • String ID:
                              • API String ID: 1936579350-0
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022C0
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000024,004025DB,00000001,00000020,00402AB6,00000000,00000000,00000000,00000020), ref: 004022E4
                              Similarity
                              • API ID: ??2@??3@
                              • String ID:
                              • API String ID: 1936579350-0
                              APIs
                              • SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040DA0B
                              • GetLastError.KERNEL32(?,?,?,?), ref: 0040DA19
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              APIs
                              • SysAllocString.OLEAUT32(?), ref: 0040ED05
                              • _CxxThrowException.MSVCRT(?,00415010), ref: 0040ED28
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              APIs
                              • EnterCriticalSection.KERNEL32(?), ref: 0040E745
                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 0040E764
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • SetFileAttributesW.KERNELBASE(?,?), ref: 0040124F
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                                • Part of subcall function 0040D985: CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                              • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50), ref: 0040DA78
                              Similarity
                              • API ID: CloseCreateFileHandle
                              • String ID:
                              • API String ID: 3498533004-0
                              APIs
                              • WriteFile.KERNELBASE(?,?,00000001,00000000,00000000,?,?,0040DD78,00000001,00000000,00000000,00413330,?,00404D94,?,?), ref: 0040DBBA
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              APIs
                              • _beginthreadex.MSVCRT ref: 00406552
                                • Part of subcall function 00406501: GetLastError.KERNEL32(00406563,00000000), ref: 004064F5
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              APIs
                              • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040DAF2
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,0040DB94,00000000,00000000,?,0040123C,?), ref: 0040DB78
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              APIs
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              APIs
                              • _CxxThrowException.MSVCRT(?,00414F84), ref: 0040E616
                              Similarity
                              • API ID: ExceptionThrow
                              • String ID:
                              • API String ID: 432778473-0
                              • Opcode ID: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                              • Instruction ID: f2b552c6dcb6979234feea5fe890f572eb9d388e9264680fa6f26452196acfb0
                              • Opcode Fuzzy Hash: 85c4e5dde0f8cee934fbe77132b2d5831568e55a053817787dcfc8e06ea2b7f6
                              • Instruction Fuzzy Hash: 20017171600701AFDB28CFBAD805997BBF8EF85314704496EE482D3651E374F946CB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                              • Instruction ID: 8ccd5c106adaedd21fdabd868c2a091acccb285e2c6396e7c66228af9079aab7
                              • Opcode Fuzzy Hash: ad693850b0beb581ae9f70f91648a78de6b85f526a16152dd36665cc48ec9015
                              • Instruction Fuzzy Hash: 68E0ED311087008BEB74DA38A941F97B3DAAB14314F15893FE89AE7690EB74FC448A59
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000018,00000000,004044E9,?,?,?,?,?,?,?,?,?,?,00000000,00000020,?), ref: 00402F71
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@
                              • String ID:
                              • API String ID: 1033339047-0
                              • Opcode ID: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
                              • Instruction ID: 194059228ff5733793a196764ebf5a0b63d959e09992ce12dff2d54d27d13516
                              • Opcode Fuzzy Hash: a7abc97568459436273e1f083447e626332fd1c69ee6784c82a7404474e7416c
                              • Instruction Fuzzy Hash: 67D0A9313083121ADA5432320A09AAF84848B503A0F10083FB800A32D1DCBE8C81A299
                              APIs
                              • CloseHandle.KERNELBASE(00000001,000000FF,0040DA61,00413330,?,0040DB39,L@,40000000,00000000,00000000,00000000,0040DB50,00000000,00000001,00000001,00000080), ref: 0040D990
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                              • Instruction ID: 71cfb53d0268b44c797f7400575dcc0518408263689e7c465582b3111ebcfb94
                              • Opcode Fuzzy Hash: 5a1e794e604a6db35733be3680912b24c50de2529967425d082228c541f5af6f
                              • Instruction Fuzzy Hash: 95D0127251422156CF646E7CB8849C277D85A06334335176AF0B4E32E4D3749DCB5698
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040E4D6,00020000,00000000,?,00000000,?,0040D92B,?,?,00000000,?,0040D96E), ref: 004024E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                              • Instruction ID: 23ad038ad5ccaf642d49e1102795c1c714580f299e31bec6e074b0e2bc220d86
                              • Opcode Fuzzy Hash: 076169c5b403ddfe74b0b9752022086d8412a0b80d08fe31e2627fee67d73aef
                              • Instruction Fuzzy Hash: D3C080301443007DED115F505E06B463A916B44717F508065F344540D0C7F484009509
                              APIs
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,0040E561,?,00000004,0040E5B0,?,?,004117E5,?), ref: 00401B2A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                              • Instruction ID: 5381ed20748db0b7fd93371e38984c83fa4171db9cf80dc6a42123bab5888d64
                              • Opcode Fuzzy Hash: 727c456c664ec040fae2a494910ef8e866b16c48e489126d85a402f0e100615f
                              • Instruction Fuzzy Hash: 45A002305446007ADE515B10DD05F457F516744B11F20C5547155540E586755654DA09
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                              • Instruction ID: 7baee4be7330d58fba6a4d3e6254b3dabd4481adb37f3967e502ba2394f26960
                              • Opcode Fuzzy Hash: d9246d09a93a321ccd45a7f77b4b3a05b9734a8e70a1dc2b954ba7e43b8076d7
                              • Instruction Fuzzy Hash:
                              APIs
                              • _wtol.MSVCRT ref: 004034E5
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,CC5BE863,00000000,004177A0,00000000,00417794), ref: 00403588
                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 004035F9
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 00403601
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00403609
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 00403611
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 00403619
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00403621
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403629
                              • _wtol.MSVCRT ref: 0040367F
                              • CoCreateInstance.OLE32(00414BF4,00000000,00000001,00414BE4,00404F9B,.lnk,?,0000005C), ref: 00403720
                              • ??3@YAXPAX@Z.MSVCRT(?,0000005C), ref: 004037B8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,0000005C), ref: 004037C0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0000005C), ref: 004037C8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0000005C), ref: 004037D0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,0000005C), ref: 004037D8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,0000005C), ref: 004037E0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,0000005C), ref: 004037E8
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,0000005C), ref: 004037EE
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0000005C), ref: 004037F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$_wtol$CreateFolderInstancePathSpecial
                              • String ID: .lnk
                              • API String ID: 408529070-24824748
                              • Opcode ID: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                              • Instruction ID: c4a1d47ac56633071a1bd2db01059e5edb54ffe0bccc65637149caefe5d2277b
                              • Opcode Fuzzy Hash: cb1a116a375c0276f3cc47ebae34f017b071fc5c88c5a353f484599fe5934efa
                              • Instruction Fuzzy Hash: 8EA18A71910219ABDF04EFA1CC46DEEBB79EF44705F50442AF502B71A1EB79AA81CB18
                              APIs
                              • GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                              • wsprintfW.USER32 ref: 00401FFD
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                              • GetLastError.KERNEL32 ref: 00402017
                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                              • GetLastError.KERNEL32 ref: 0040204C
                              • lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                              • ??3@YAXPAX@Z.MSVCRT(00000020), ref: 0040208F
                              • SetLastError.KERNEL32(00000000), ref: 00402098
                              • lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                              • GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                              • _wtol.MSVCRT ref: 0040212A
                              • MultiByteToWideChar.KERNEL32(00000000,00413FD0,00000001,00000000,00000002), ref: 0040214A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ErrorLast$??2@??3@EnvironmentVariable$ByteCharInfoLocaleMultiWide_wtollstrcmpilstrlenwsprintf
                              • String ID: 7zSfxString%d$XpA$\3A
                              • API String ID: 2117570002-3108448011
                              • Opcode ID: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                              • Instruction ID: 5c0681f152172bce6659d4e02be164ba9bb36eab7c70e8d4f1a0ed4420d73572
                              • Opcode Fuzzy Hash: 548ade176c921e3c89d1731ce67e310a71d7e7a73203bdbbb6ff14cd1b9bb65a
                              • Instruction Fuzzy Hash: 11518471604305AFDB209F74DD899DBBBB9EB08345B11407AF646E62E0E774AA44CB18
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                              • FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                              • FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                              • SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                              • LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                              • LockResource.KERNEL32(00000000), ref: 00401C41
                              • LoadLibraryA.KERNEL32(kernel32,SetProcessPreferredUILanguages), ref: 00401C6D
                              • GetProcAddress.KERNEL32(00000000), ref: 00401C76
                              • wsprintfW.USER32 ref: 00401C95
                              • LoadLibraryA.KERNEL32(kernel32,SetThreadPreferredUILanguages), ref: 00401CAA
                              • GetProcAddress.KERNEL32(00000000), ref: 00401CAD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Resource$Load$AddressFindLibraryProc$HandleLockModuleSizeofwsprintf
                              • String ID: %04X%c%04X%c$SetProcessPreferredUILanguages$SetThreadPreferredUILanguages$kernel32
                              • API String ID: 2639302590-365843014
                              • Opcode ID: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                              • Instruction ID: 1b367ad183524107b1556f539f271e2bfa11f4d2ebd4ebc35158efee647c5c94
                              • Opcode Fuzzy Hash: a5d0d847a20e007311d4afefc35bdd0d1043cb70ace8406c3a5a944bd10805b9
                              • Instruction Fuzzy Hash: 002153B1944318BBDB109FA59D48F9B7FBCEB48751F118036FA05B72D1D678DA008BA8
                              APIs
                              • wvsprintfW.USER32(?,00000000,?), ref: 0040779A
                              • GetLastError.KERNEL32(?,00000000,0000FDE9), ref: 004077AB
                              • FormatMessageW.KERNEL32(00001100,00000000,00000000,00402A50,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077D3
                              • FormatMessageW.KERNEL32(00001100,00000000,00402A50,00000000,00402A50,00000000,00000000,?,00000000,0000FDE9), ref: 004077E8
                              • lstrlenW.KERNEL32(?,?,00000000,0000FDE9), ref: 004077FB
                              • lstrlenW.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407802
                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,0000FDE9), ref: 00407817
                              • lstrcpyW.KERNEL32(00000000,?,?,00000000,0000FDE9), ref: 0040782D
                              • lstrcpyW.KERNEL32(-00000002,00402A50,?,00000000,0000FDE9), ref: 0040783E
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,0000FDE9), ref: 00407847
                              • LocalFree.KERNEL32(00402A50,?,00000000,0000FDE9), ref: 00407851
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
                              • String ID:
                              • API String ID: 829399097-0
                              • Opcode ID: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                              • Instruction ID: 98041b7e574f1f1c61a73cce3db0a13ad597614178cae5aaf21d0c5f67190c53
                              • Opcode Fuzzy Hash: a8862aa27d5a6cc2b1ba12d709e13e5df444902fd3bed4afc67f02113c073308
                              • Instruction Fuzzy Hash: 85218172804209BEDF14AFA0DC85CEB7BACEB04355B10847BF506A7150EB34EE848BA4
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,00413454,?,?,?,00000000), ref: 00402BA8
                              • lstrcmpW.KERNEL32(?,00413450,?,0000005C,?,?,?,00000000), ref: 00402BFB
                              • lstrcmpW.KERNEL32(?,00413448,?,?,00000000), ref: 00402C11
                              • SetFileAttributesW.KERNEL32(?,00000000,?,0000005C,?,?,?,00000000), ref: 00402C27
                              • DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00402C2E
                              • FindNextFileW.KERNEL32(00000000,00000010,?,?,00000000), ref: 00402C40
                              • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00402C4F
                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000000), ref: 00402C5A
                              • RemoveDirectoryW.KERNEL32(?,?,?,00000000), ref: 00402C63
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C6E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000), ref: 00402C79
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: File$Find$??3@Attributeslstrcmp$CloseDeleteDirectoryFirstNextRemove
                              • String ID:
                              • API String ID: 1862581289-0
                              • Opcode ID: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                              • Instruction ID: 7ffcf375551190f92b7aba4ef5ef3cd4ed0286f9dec59b0789af02bc25bdcc12
                              • Opcode Fuzzy Hash: 3adc14f40e23b1cdad4e4199877390cf68653eec517b691feb080405b1435fa2
                              • Instruction Fuzzy Hash: A321A230500209BAEB10AF61DE4CFBF7B7C9B0470AF14417AB505B11E0EB78DB459A6C
                              APIs
                              • LoadLibraryA.KERNEL32(uxtheme,?,00407F57,000004B1,00000000,?,?,?,?,?,0040803E), ref: 00406D65
                              • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00406D76
                              • GetWindow.USER32(?,00000005), ref: 00406D8F
                              • GetWindow.USER32(00000000,00000002), ref: 00406DA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Window$AddressLibraryLoadProc
                              • String ID: SetWindowTheme$\EA$uxtheme
                              • API String ID: 324724604-1613512829
                              • Opcode ID: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                              • Instruction ID: f2e0bdee1e376373ef12be0a37c87caa708c4cf78f5ebad58458586032015049
                              • Opcode Fuzzy Hash: 249f97bdfab0f17876e9996a58034084f131abf1d363e9cca7f48feb82d9f298
                              • Instruction Fuzzy Hash: 47F0A73274172537C6312A6A6C4CF9B6B9C9FC6B51B070176B905F7280DA6CCD0045BC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                              • Instruction ID: 2cf66fefa79674a345482580870fbecf2b771b639b37e27eb1fc897e4fc9b441
                              • Opcode Fuzzy Hash: ff1f75169f88eb9072603f867e1b9c380318d13f71256e892471df4b1a5f26b0
                              • Instruction Fuzzy Hash: 44126E31E00129DFDF08CF68C6945ECBBB2EF85345F2585AAD856AB280D6749EC1DF84
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                              • Instruction ID: 8743f1180a29be23716da9caa70fae7f7856ace610ba4dfa2102d12747f13ae8
                              • Opcode Fuzzy Hash: 6e2407533f79ef22d8e6d794d98aef535f9904e2ced6ea7e6753812806be966d
                              • Instruction Fuzzy Hash: D12129725104255BC711DF1DE8887B7B3E1FFC4319F678A36DA81CB281C629D894C6A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction ID: 7cc7f0f00d3fdf34bc0739e2af2c3edfb6ca911da6c9eaecf720caf4c907201e
                              • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction Fuzzy Hash: 0621F53290062587CB12CE6EE4845A7F392FBC436AF134727EE84A3291C62CA855C6A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                              • Instruction ID: 0032c0c3dd355d3b1328166acc4be040b7821e5e83bc1fe28c274bced218c28f
                              • Opcode Fuzzy Hash: dde32e57196543c58229ec3a92fed9e80e5316f67d8377c6540d091cf30b3fc0
                              • Instruction Fuzzy Hash: 4EF074B5A05209EFCB09CFA9C49199EFBF5FF48304B1084A9E819E7350E731AA11CF50
                              APIs
                              • GetDriveTypeW.KERNEL32(?,?,?), ref: 00404B46
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404B77
                              • WriteFile.KERNEL32(004177C4,?,?,00406437,00000000,del ",:Repeat,00000000), ref: 00404C2C
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C37
                              • CloseHandle.KERNEL32(004177C4), ref: 00404C40
                              • SetFileAttributesW.KERNEL32(00406437,00000000), ref: 00404C57
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00404C69
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C72
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00404C7E
                              • ??3@YAXPAX@Z.MSVCRT(00406437,?), ref: 00404C84
                              • ??3@YAXPAX@Z.MSVCRT(00406437,?,?,?,?,?,?,?,?,?,?,?,?,?,00406437,004177C4), ref: 00404CB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$File$AttributesCloseCreateDriveExecuteHandleShellTypeWrite
                              • String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
                              • API String ID: 3007203151-3467708659
                              • Opcode ID: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                              • Instruction ID: 7a4c4b622d76ac6c1822c64a370ea4e05d699ec4102568342bfcf68b8c9639ad
                              • Opcode Fuzzy Hash: 867eebb51e1b750364ee620a5f1ec15cba4384e9a655442323ea2c3f34152715
                              • Instruction Fuzzy Hash: DE416171D01119BADB00EBA5ED85DEEBB78EF44358F50803AF511720E1EB78AE85CB58
                              APIs
                              • lstrcmpiW.KERNEL32(00000000,0041442C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004046DF
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32(00000000,00000020,?), ref: 00401FEC
                                • Part of subcall function 00401F9D: wsprintfW.USER32 ref: 00401FFD
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00402012
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 00402017
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00402032
                                • Part of subcall function 00401F9D: GetEnvironmentVariableW.KERNEL32(?,00000000,?), ref: 00402045
                                • Part of subcall function 00401F9D: GetLastError.KERNEL32 ref: 0040204C
                                • Part of subcall function 00401F9D: lstrcmpiW.KERNEL32(00000000,00000020), ref: 00402061
                                • Part of subcall function 00401F9D: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00402071
                                • Part of subcall function 00401F9D: SetLastError.KERNEL32(00000000), ref: 00402098
                                • Part of subcall function 00401F9D: lstrlenA.KERNEL32(00413FD0), ref: 004020CC
                                • Part of subcall function 00401F9D: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 004020E7
                                • Part of subcall function 00401F9D: GetLocaleInfoW.KERNEL32(?,00001004,?,0000001F), ref: 00402119
                              • _wtol.MSVCRT ref: 004047DC
                              • _wtol.MSVCRT ref: 004047F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ErrorLast$??2@EnvironmentVariable_wtollstrcmpi$??3@InfoLocalelstrlenwsprintf
                              • String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title$WarningTitle$|wA
                              • API String ID: 2725485552-3187639848
                              • Opcode ID: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                              • Instruction ID: a5d789275b7dd46d140941e9fd319bf554fc7ea6ad5da08365fcb0f0a182a74d
                              • Opcode Fuzzy Hash: 7a70c90a09e6339ceb99db9b5511794fba0efbdd365b8bdd8dc3dc4b6a1705ac
                              • Instruction Fuzzy Hash: 4251B5F1A402047EDB10BB619D86EFF36ACDA85308B64443BF904F32C1E6BC5E854A6D
                              APIs
                              • GetClassNameA.USER32(?,?,00000040), ref: 00402DD3
                              • lstrcmpiA.KERNEL32(?,STATIC), ref: 00402DE6
                              • GetWindowLongW.USER32(?,000000F0), ref: 00402DF3
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402E20
                              • GetParent.USER32(?), ref: 00402E2E
                              • LoadLibraryA.KERNEL32(riched20), ref: 00402E42
                              • GetMenu.USER32(?), ref: 00402E55
                              • SetThreadLocale.KERNEL32(00000419), ref: 00402E62
                              • CreateWindowExW.USER32(00000000,RichEdit20W,0041335C,50000804,?,?,?,?,?,00000000,00000000,00000000), ref: 00402E92
                              • DestroyWindow.USER32(?), ref: 00402EA3
                              • SendMessageW.USER32(00000000,00000459,00000022,00000000), ref: 00402EB8
                              • GetSysColor.USER32(0000000F), ref: 00402EBC
                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00402ECA
                              • SendMessageW.USER32(00000000,00000461,?,?), ref: 00402EF5
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00402EFA
                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00402F02
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Window$??3@MessageSend$CharTextUpper$ClassColorCreateDestroyLengthLibraryLoadLocaleLongMenuNameParentThreadlstrcmpi
                              • String ID: RichEdit20W$STATIC$riched20${\rtf
                              • API String ID: 1731037045-2281146334
                              • Opcode ID: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                              • Instruction ID: c7c9ca1f65d7473fe19c29f8272bdbb18bb8b251efb89c9ee4785ec66c96c850
                              • Opcode Fuzzy Hash: 2b38b22499d69b5ca28c01525db5cb238b78fd2564d1ef548c56061806c72a13
                              • Instruction Fuzzy Hash: FE316072A40119BFDB01AFA5DD49DEF7BBCEF08745F104036F601B21D1DA789A008B68
                              APIs
                              • GetWindowDC.USER32(00000000), ref: 00401CD4
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                              • MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                              • GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                              • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                              • MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                              • CreateCompatibleDC.GDI32(?), ref: 00401D4B
                              • CreateCompatibleDC.GDI32(?), ref: 00401D52
                              • SelectObject.GDI32(00000000,?), ref: 00401D60
                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                              • SelectObject.GDI32(00000000,00000000), ref: 00401D76
                              • SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                              • GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                              • SelectObject.GDI32(00000000,?), ref: 00401DB3
                              • SelectObject.GDI32(00000000,?), ref: 00401DB9
                              • DeleteDC.GDI32(00000000), ref: 00401DC2
                              • DeleteDC.GDI32(00000000), ref: 00401DC5
                              • ReleaseDC.USER32(00000000,?), ref: 00401DCC
                              • ReleaseDC.USER32(00000000,?), ref: 00401DDB
                              • CopyImage.USER32(?,00000000,00000000,00000000,00000000), ref: 00401DE8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Object$Select$CompatibleCreate$DeleteReleaseStretch$BitmapCapsCopyCurrentDeviceImageModeWindow
                              • String ID:
                              • API String ID: 3462224810-0
                              • Opcode ID: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                              • Instruction ID: 24730f8ff9b6a3f8d7f0600a39c6f646a54ca28d21b12e05547a6914d757f366
                              • Opcode Fuzzy Hash: edcdae41b00ef410d3e7ba3ed19d3c131e86ad83f2f2f2d47359cb6bb3a71bdf
                              • Instruction Fuzzy Hash: 00313976D00208BBDF215FA19C48EEFBFBDEB48752F108066F604B21A0C6758A50EB64
                              APIs
                              • GetClassNameA.USER32(?,?,00000040), ref: 00401E05
                              • lstrcmpiA.KERNEL32(?,STATIC), ref: 00401E1C
                              • GetWindowLongW.USER32(?,000000F0), ref: 00401E2F
                              • GetMenu.USER32(?), ref: 00401E44
                                • Part of subcall function 00401BDF: GetModuleHandleW.KERNEL32(00000000), ref: 00401BEA
                                • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000000), ref: 00401C07
                                • Part of subcall function 00401BDF: FindResourceExA.KERNEL32(00000000,?,?,00000409), ref: 00401C1B
                                • Part of subcall function 00401BDF: SizeofResource.KERNEL32(00000000,00000000), ref: 00401C2C
                                • Part of subcall function 00401BDF: LoadResource.KERNEL32(00000000,00000000), ref: 00401C36
                                • Part of subcall function 00401BDF: LockResource.KERNEL32(00000000), ref: 00401C41
                              • GlobalAlloc.KERNEL32(00000040,00000010), ref: 00401E76
                              • memcpy.MSVCRT(00000000,00000000,00000010), ref: 00401E83
                              • CoInitialize.OLE32(00000000), ref: 00401E8C
                              • CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 00401E98
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00414C14,?), ref: 00401EBD
                              • GlobalFree.KERNEL32(00000000), ref: 00401ECD
                                • Part of subcall function 00401CC8: GetWindowDC.USER32(00000000), ref: 00401CD4
                                • Part of subcall function 00401CC8: GetDeviceCaps.GDI32(00000000,00000058), ref: 00401CE0
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(00000000,00000064,00000060), ref: 00401CF9
                                • Part of subcall function 00401CC8: GetObjectW.GDI32(?,00000018,?), ref: 00401D28
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D33
                                • Part of subcall function 00401CC8: MulDiv.KERNEL32(?,00000003,00000002), ref: 00401D3D
                                • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D4B
                                • Part of subcall function 00401CC8: CreateCompatibleDC.GDI32(?), ref: 00401D52
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401D60
                                • Part of subcall function 00401CC8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00401D6E
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,00000000), ref: 00401D76
                                • Part of subcall function 00401CC8: SetStretchBltMode.GDI32(00000000,00000004), ref: 00401D7E
                                • Part of subcall function 00401CC8: StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00401D9D
                                • Part of subcall function 00401CC8: GetCurrentObject.GDI32(00000000,00000007), ref: 00401DA6
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB3
                                • Part of subcall function 00401CC8: SelectObject.GDI32(00000000,?), ref: 00401DB9
                                • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC2
                                • Part of subcall function 00401CC8: DeleteDC.GDI32(00000000), ref: 00401DC5
                                • Part of subcall function 00401CC8: ReleaseDC.USER32(00000000,?), ref: 00401DCC
                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00401EFF
                              • SetWindowPos.USER32(00000010,00000000,00000000,00000000,?,?,00000006), ref: 00401F13
                              • SendMessageW.USER32(00000010,00000172,00000000,?), ref: 00401F25
                              • GlobalFree.KERNEL32(00000000), ref: 00401F3A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Object$Resource$CreateGlobalSelect$CompatibleWindow$DeleteFindFreeLoadStretch$AllocBitmapCapsClassCurrentDeviceHandleInitializeLockLongMenuMessageModeModuleNamePictureReleaseSendSizeofStreamlstrcmpimemcpy
                              • String ID: IMAGES$STATIC
                              • API String ID: 4202116410-1168396491
                              • Opcode ID: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                              • Instruction ID: 08c73d75f8249df6a552952f3d33af28cabbedea74541c6d0cfd8ce2793c0c4e
                              • Opcode Fuzzy Hash: 352b3c5e08a174ec4a3ffb4ca519ce1611b0b6cc4168eadb64d38ca8f457be46
                              • Instruction Fuzzy Hash: C7417C71A00218BFCB11DFA1DC49DEEBF7DEF08742B008076FA05A61A0DB758A41DB68
                              APIs
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              • GetDlgItem.USER32(?,000004B8), ref: 0040816A
                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00408179
                              • GetDlgItem.USER32(?,000004B5), ref: 004081C0
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 004081C5
                              • GetDlgItem.USER32(?,000004B5), ref: 004081D5
                              • SetWindowLongW.USER32(00000000), ref: 004081D8
                              • GetSystemMenu.USER32(?,00000000,000004B4,00000000), ref: 004081FE
                              • EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00408210
                              • GetDlgItem.USER32(?,000004B4), ref: 0040821A
                              • SetFocus.USER32(00000000), ref: 0040821D
                              • SetTimer.USER32(?,00000001,00000000,00000000), ref: 0040824C
                              • CoCreateInstance.OLE32(00414C34,00000000,00000001,00414808,00000000), ref: 00408277
                              • GetDlgItem.USER32(?,00000002), ref: 00408294
                              • IsWindow.USER32(00000000), ref: 00408297
                              • GetDlgItem.USER32(?,00000002), ref: 004082A7
                              • EnableWindow.USER32(00000000), ref: 004082AA
                              • GetDlgItem.USER32(?,000004B5), ref: 004082BE
                              • ShowWindow.USER32(00000000), ref: 004082C1
                                • Part of subcall function 00407134: GetDlgItem.USER32(?,000004B6), ref: 00407142
                                • Part of subcall function 00407B33: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                                • Part of subcall function 00407B33: GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                                • Part of subcall function 00407B33: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                                • Part of subcall function 00407B33: wsprintfW.USER32 ref: 00407BBB
                                • Part of subcall function 00407B33: ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Item$Window$MessageSend$System$EnableHandleLoadLongMenuMetricsModuleShow$??3@CreateFocusIconImageInstanceTimerUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                              • String ID:
                              • API String ID: 855516470-0
                              • Opcode ID: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                              • Instruction ID: 3ce0214ef3d03b0ee840dd4ab9c121ae631e901bc0d6870238ad5b6e85178a64
                              • Opcode Fuzzy Hash: f96aa9b93e1fd9714dbcbc8c2c582c1e46f74a713c41b2300bd45d2dcf84ac32
                              • Instruction Fuzzy Hash: 014174B0644748ABDA206F65DD49F5B7BADEB40B05F00847DF552A62E1CB79B800CA1C
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,hAA,00000000), ref: 004030F6
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,hAA,00000000), ref: 004030FE
                              • strncmp.MSVCRT ref: 004031F1
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 00403255
                              • lstrcmpW.KERNEL32(?,SetEnvironment,00000000), ref: 00403273
                              • ??3@YAXPAX@Z.MSVCRT(0040414C,?), ref: 00403347
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$lstrcmpstrncmp
                              • String ID: GUIFlags$MiscFlags$SetEnvironment$hAA${\rtf
                              • API String ID: 2881732429-172299233
                              • Opcode ID: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                              • Instruction ID: da55d09168dcf28f6e950782b6654b171f18f9ca5632fa18d2c46afc5d57570a
                              • Opcode Fuzzy Hash: 436b0b5fdcd0fc7850317bda0c1040a654aafe726af0558e82b6743448b11ef5
                              • Instruction Fuzzy Hash: 23819D31900218ABDF11DFA1CD55BEE7B78AF14305F1040ABE8017B2E6DB78AB05DB59
                              APIs
                              • GetDlgItem.USER32(?,000004B3), ref: 00406A69
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00406A6E
                              • GetDlgItem.USER32(?,000004B4), ref: 00406AA5
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00406AAA
                              • GetSystemMetrics.USER32(00000010), ref: 00406B0B
                              • GetSystemMetrics.USER32(00000011), ref: 00406B11
                              • GetSystemMetrics.USER32(00000008), ref: 00406B18
                              • GetSystemMetrics.USER32(00000007), ref: 00406B1F
                              • GetParent.USER32(?), ref: 00406B43
                              • GetClientRect.USER32(00000000,?), ref: 00406B55
                              • ClientToScreen.USER32(?,?), ref: 00406B68
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00406BCE
                              • GetClientRect.USER32(?,?), ref: 00406C55
                              • ClientToScreen.USER32(?,?), ref: 00406B71
                                • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                              • GetSystemMetrics.USER32(00000008), ref: 00406CD6
                              • GetSystemMetrics.USER32(00000007), ref: 00406CDD
                                • Part of subcall function 00406A18: GetDlgItem.USER32(?,?), ref: 00406A36
                                • Part of subcall function 00406A18: SetWindowPos.USER32(00000000), ref: 00406A3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: MetricsSystem$ClientItemWindow$LongRectScreen$Parent
                              • String ID:
                              • API String ID: 747815384-0
                              • Opcode ID: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                              • Instruction ID: 701d8c843d4ec3579feae24e97f284edc15b0bac0439a5efdbaa5111af673c9b
                              • Opcode Fuzzy Hash: bdc5cc6ef77edd437f37f749138dc65a224d6988716d71e8386f1ae5cf91717f
                              • Instruction Fuzzy Hash: 7B912D71A00209AFDB14DFB9CD85AEEB7F9EF48704F148529E642F6290D778E9008B64
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                              • LoadIconW.USER32(00000000), ref: 00407D33
                              • GetSystemMetrics.USER32(00000032), ref: 00407D43
                              • GetSystemMetrics.USER32(00000031), ref: 00407D48
                              • GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                              • LoadImageW.USER32(00000000), ref: 00407D54
                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                              • SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                              • GetWindow.USER32(?,00000005), ref: 00407E76
                              • GetWindow.USER32(?,00000005), ref: 00407E92
                              • GetWindow.USER32(?,00000005), ref: 00407EAA
                              • GetModuleHandleW.KERNEL32(00000000,00000065,000004B4,00000000,000004B3,00000000,000004B2,?,000004B7,?,?,?,?,?,0040803E), ref: 00407F0A
                              • LoadIconW.USER32(00000000), ref: 00407F0D
                              • GetDlgItem.USER32(?,000004B1), ref: 00407F28
                              • SendMessageW.USER32(00000000), ref: 00407F2F
                                • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Window$HandleItemLoadMessageModuleSend$IconMetricsSystem$ImageLengthShowText
                              • String ID:
                              • API String ID: 1889686859-0
                              • Opcode ID: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                              • Instruction ID: b6a50195b8a608de49edc5b96f3e83ee8a9b90890169e94b1220211b89b9884f
                              • Opcode Fuzzy Hash: 54e99e0b53345dbf389ae49fdb6e6d7c6227533794aadf34278c182137d853b4
                              • Instruction Fuzzy Hash: E861D47064C7096AE9257B61DC4AF3B3699AB40B05F10447FF642B92D2DBBCBC0056AF
                              APIs
                              • GetParent.USER32(?), ref: 00406F45
                              • GetWindowLongW.USER32(00000000), ref: 00406F4C
                              • DefWindowProcW.USER32(?,?,?,?), ref: 00406F62
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00406F7F
                              • GetSystemMetrics.USER32(00000031), ref: 00406F91
                              • GetSystemMetrics.USER32(00000032), ref: 00406F98
                              • GetWindowDC.USER32(?), ref: 00406FAA
                              • GetWindowRect.USER32(?,?), ref: 00406FB7
                              • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 00406FEB
                              • ReleaseDC.USER32(?,00000000), ref: 00406FF3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: Window$MetricsProcSystem$CallDrawIconLongParentRectRelease
                              • String ID:
                              • API String ID: 2586545124-0
                              • Opcode ID: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                              • Instruction ID: b1ff7c23223d170b9333fa97acec74f2c9230ee3eabfe87d0be763292bfdf634
                              • Opcode Fuzzy Hash: 25d202db14ae47cc7765131eef640a3ba3c2163a3dcc7105130798770ded3a1b
                              • Instruction Fuzzy Hash: 8E210C7650021ABFCF01AFA8DD48DDF7F69FB08351F008565FA15E21A0C775EA209B64
                              APIs
                              • GetDlgItem.USER32(?,000004B3), ref: 0040678E
                              • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067A1
                              • GetDlgItem.USER32(?,000004B4), ref: 004067AB
                              • SendMessageW.USER32(00000000,000000F4,00000000,00000001), ref: 004067B3
                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 004067C3
                              • GetDlgItem.USER32(?,?), ref: 004067CC
                              • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 004067D4
                              • GetDlgItem.USER32(?,?), ref: 004067DD
                              • SetFocus.USER32(00000000,?,000004B4,75920E50,00407E06,000004B4,000004B3,00000000,000004B4,00000000,000004B2,?,000004B7), ref: 004067E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ItemMessageSend$Focus
                              • String ID:
                              • API String ID: 3946207451-0
                              • Opcode ID: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                              • Instruction ID: e7a8c5b21de344c7c4c5496bf688f1d5cc3ba414acf11b32f4788b893cc62525
                              • Opcode Fuzzy Hash: ad16f172208785dca513fa64c118104ef693669a3ac6e088fd96c23032a45483
                              • Instruction Fuzzy Hash: 6FF04F712403087BEA212B61DD86F5BBA6EEF81B45F018425F340650F0CBF7EC109A28
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,?,?,00000000), ref: 0040C603
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: IA$IA$IA$IA$IA$IA
                              • API String ID: 613200358-3743982587
                              • Opcode ID: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                              • Instruction ID: 4cebfcab61734def35128a955d6a3e34031d8899c11ca8f9bd2aeb72941b6852
                              • Opcode Fuzzy Hash: 6e54149e8c3d77333b16b378dc95c38791a09178c73359331ff936fd258cd747
                              • Instruction Fuzzy Hash: D2221671900248DFCB24EF65C8D09EEBBB5FF48304F50852EE91AA7291DB38A945CF58
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000011,00000000,00000000,00417788,00000000,SetEnvironment), ref: 00408479
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: BeginPrompt$ErrorTitle$FinishMessage$HelpText$SetEnvironment$WarningTitle
                              • API String ID: 613200358-994561823
                              • Opcode ID: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                              • Instruction ID: 5566f9f9667118f06bc812855c9affabb63102f3a10b3971892d5eca1131561f
                              • Opcode Fuzzy Hash: 971dcdd12a827a4034ed94f9ba1d623efd1f14b2bcca4d73e06b44b648e667ed
                              • Instruction Fuzzy Hash: CA51D47080420AAACF24AB559E85AFB7774EB20348F54443FF881722E1EF7D5D82D64E
                              APIs
                              • memcpy.MSVCRT(?,00417410,00000160), ref: 00406DD1
                              • SystemParametersInfoW.USER32(00000029,00000000,?,00000000), ref: 00406DF0
                              • GetDC.USER32(00000000), ref: 00406DFB
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406E07
                              • MulDiv.KERNEL32(?,00000048,00000000), ref: 00406E16
                              • ReleaseDC.USER32(00000000,?), ref: 00406E24
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00406E4C
                              • DialogBoxIndirectParamW.USER32(00000000,?,?,Function_0000667A), ref: 00406E81
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: CapsDeviceDialogHandleIndirectInfoModuleParamParametersReleaseSystemmemcpy
                              • String ID:
                              • API String ID: 2693764856-0
                              • Opcode ID: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                              • Instruction ID: b2c1943609947f3a034a1f42a4fd453b3666a2b5c4d4ccfd9a1c2059c5c1cb6f
                              • Opcode Fuzzy Hash: e70a94c77e8458ae7b0f85d98e5dff18e09bef3a98047e8bed90a0db42bf0d7e
                              • Instruction Fuzzy Hash: C32184B5500218BFDB215F61DC45EEB7B7CFB08746F0040B6F609A1190D7748E948B65
                              APIs
                              • GetDC.USER32(?), ref: 0040696E
                              • GetSystemMetrics.USER32(0000000B), ref: 0040698A
                              • GetSystemMetrics.USER32(0000003D), ref: 00406993
                              • GetSystemMetrics.USER32(0000003E), ref: 0040699B
                              • SelectObject.GDI32(?,?), ref: 004069B8
                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 004069D3
                              • SelectObject.GDI32(?,?), ref: 004069F9
                              • ReleaseDC.USER32(?,?), ref: 00406A08
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: MetricsSystem$ObjectSelect$DrawReleaseText
                              • String ID:
                              • API String ID: 2466489532-0
                              • Opcode ID: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                              • Instruction ID: 7c755332e1b278278a0584394201b19561512224090c74d51841a9ad660c27ee
                              • Opcode Fuzzy Hash: 3371c90df87af61a96ab0a4f5adfc31794890a389d4733c3cd0e84d47817aa4d
                              • Instruction Fuzzy Hash: 6B216871900209EFCB119F65DD84A8EBFF4EF08321F10C46AE559A72A0C7359A50DF40
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407B6D
                              • GetDlgItem.USER32(?,000004B8), ref: 00407B8B
                              • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00407B9D
                              • wsprintfW.USER32 ref: 00407BBB
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00407C53
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@ItemMessageSendUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                              • String ID: %d%%
                              • API String ID: 3753976982-1518462796
                              • Opcode ID: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                              • Instruction ID: b955b8041d8a67620c3180d4911c799512bd6939d195f5b55c3092177650065a
                              • Opcode Fuzzy Hash: 0b792d7adb6174ba2d50e5ca9cf87896ffea0db59519718aa7dbff65f529ef39
                              • Instruction Fuzzy Hash: 1D31D371904208BBDB11AFA0CC45EDA7BB9EF48708F10847AFA42B61E1D779B904CB59
                              APIs
                              • lstrlenW.KERNEL32(hAA,00000020,?,?,00405838,?,?,?,00000000,?), ref: 004040A4
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                                • Part of subcall function 00401A85: CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 00404156
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040415E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 0040416D
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?), ref: 00404175
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$CharUpper$lstrlen
                              • String ID: hAA
                              • API String ID: 2587799592-1362906312
                              • Opcode ID: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                              • Instruction ID: 7f7e13310b21401de90169bcc26cd057e2afddf23eedd5de54135d69024cf91c
                              • Opcode Fuzzy Hash: f1afb06a12cfea52e195ddd9e8ddb158cdff932f9735d488ba252034b153affa
                              • Instruction Fuzzy Hash: D7212772D40215AACF20ABA4CC46AEB77B9DF90354F10407BEB41BB2E1E7789D848658
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000001,00000000,00000000,00000001,?,00000000), ref: 00404D3E
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DA0
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,004054CC,?,;!@InstallEnd@!,004054CC,;!@Install@!UTF-8!,00417400,00000000,00000001,?,00000000), ref: 00404DB8
                                • Part of subcall function 00403354: lstrlenW.KERNEL32(00404AC6,?,?,00000000,?,?,?,?,00404AC6,?), ref: 00403361
                                • Part of subcall function 00403354: GetSystemTimeAsFileTime.KERNEL32(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 004033D7
                                • Part of subcall function 00403354: GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?,00000000), ref: 004033DE
                                • Part of subcall function 00403354: ??3@YAXPAX@Z.MSVCRT(?,00404AC6,?,?,?,?,00404AC6,?,?,?,?,?,?,?,?,?), ref: 0040349D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$FileTime$AttributesSystemlstrlen
                              • String ID: 03A$;!@Install@!UTF-8!$;!@InstallEnd@!
                              • API String ID: 4038993085-2279431206
                              • Opcode ID: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                              • Instruction ID: 637b7b13a9bcd1d52ea1019587bfa2fb4435f6835f564ae220b3123002230846
                              • Opcode Fuzzy Hash: 1e5f1ef11ab3d9e84330ff60a8d60345b5fdf25d940142a54a900a3d947b53ea
                              • Instruction Fuzzy Hash: CE312D71D0021EEACF05EF92CD429EEBBB4BF44318F10042BE911762E1DB785649DB98
                              APIs
                              • EndDialog.USER32(?,00000000), ref: 00407579
                              • KillTimer.USER32(?,00000001), ref: 0040758A
                              • SetTimer.USER32(?,00000001,00000000,00000000), ref: 004075B4
                              • SuspendThread.KERNEL32(00000274), ref: 004075CD
                              • ResumeThread.KERNEL32(00000274), ref: 004075EA
                              • EndDialog.USER32(?,00000000), ref: 0040760C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: DialogThreadTimer$KillResumeSuspend
                              • String ID:
                              • API String ID: 4151135813-0
                              • Opcode ID: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                              • Instruction ID: ebb94c5c4675b2e6542c2b2cb7d5652cccd5624f9a00d71f737e39ca63bd9789
                              • Opcode Fuzzy Hash: fa37b7d0569be928e5d0aecc9653dabfd5de706af621d680b5378aa8e85f3b57
                              • Instruction Fuzzy Hash: 9811BF70A08618BBD7212F15EE849E77BBDFB00756B00843AF523A05A0CB39BD00DA1D
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404E85
                                • Part of subcall function 00404343: ??3@YAXPAX@Z.MSVCRT(?,?,?,004177C4,004177C4,?,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 004043B6
                              • ??3@YAXPAX@Z.MSVCRT(004177C4,004177C4,004177C4,00000000,00000025,004177C4,004177C4,00000000,00000025,;!@InstallEnd@!,;!@Install@!UTF-8!,00000000,00000000), ref: 00404EAB
                              • wsprintfA.USER32 ref: 00404EBC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$wsprintf
                              • String ID: :Language:%u!$;!@Install@!UTF-8!$;!@InstallEnd@!
                              • API String ID: 2704270482-1550708412
                              • Opcode ID: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                              • Instruction ID: afe26c372a183c0ca4a1b7edc16cb7be903c3e4040aad79e05e22cec791dc9d0
                              • Opcode Fuzzy Hash: b3a647dc230e6375ba5304378dede3f86871d19815b7720c308d82744c7d9f3d
                              • Instruction Fuzzy Hash: D8115E71B00018BBCF00FB95CC42EFE77ADAB84705B10402EBA15E3182DB78AB028799
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000,00000000), ref: 004038C6
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405,?,00000000,00000000), ref: 00403904
                              • ??3@YAXPAX@Z.MSVCRT(00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788,00407405), ref: 0040392A
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00417788,00417788,00000000,00417788,00417788,00000000,%%T/,004134FC,00000000,00417788,00000000,%%T\,0041350C,00000000,00417788), ref: 00403932
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%T/$%%T\
                              • API String ID: 613200358-2679640699
                              • Opcode ID: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                              • Instruction ID: 53c9ca64f2466311d4136dbbff57d229d1af9e29f5fa76e56e45344ae10c91f3
                              • Opcode Fuzzy Hash: 9eec194740abc4bee078c15c8dc217b66edb47652cee4dab90ed516c3b80c8f9
                              • Instruction Fuzzy Hash: 5011DD3190410EBACF05FFA1D857CEDBB79AE00708F50806AB511760E1EF79A785DB98
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403981
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 004039BF
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784,00407405), ref: 004039E5
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%S/,004134FC,00000000,00414784,00000000,%%S\,0041350C,00000000,00414784), ref: 004039ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%S/$%%S\
                              • API String ID: 613200358-358529586
                              • Opcode ID: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                              • Instruction ID: c240205f9e12946546b7747d8fd44f392230bc1153c6614d6b8016afa5fd7689
                              • Opcode Fuzzy Hash: c94d4b60668bfb9eedf3143ce332dc4c41685f87d495a97f985edcc2faf71bca
                              • Instruction Fuzzy Hash: 1D11AD3190410EBACF05FFA1D856CEDBB79AE00708F51806AB511760E1EF78A789DB98
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000,00000000), ref: 00403A3C
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405,?,00000000,00000000), ref: 00403A7A
                              • ??3@YAXPAX@Z.MSVCRT(00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784,00407405), ref: 00403AA0
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00414784,00414784,00000000,00414784,00414784,00000000,%%M/,004134FC,00000000,00414784,00000000,%%M\,0041350C,00000000,00414784), ref: 00403AA8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@
                              • String ID: %%M/$%%M\
                              • API String ID: 613200358-4143866494
                              • Opcode ID: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                              • Instruction ID: 5f6947e2f47a7d655e02fb84317d9747a35bc7200d49f7273ebe403b31479b31
                              • Opcode Fuzzy Hash: 3eb134fca1680c0093703720a533bafa1d2fd801437f3d80c27f205d784cf8f2
                              • Instruction Fuzzy Hash: C911AD3190410EBACF05FFA1D956CEDBB79AE00708F51806AB511760E1EF78A789DB58
                              APIs
                              • _CxxThrowException.MSVCRT(00000000,00414CFC), ref: 0040E4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ExceptionThrow
                              • String ID: $JA$4JA$DJA$TJA$hJA$xJA
                              • API String ID: 432778473-803145960
                              • Opcode ID: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                              • Instruction ID: 5492ea6659e041f1bcf420c4685f7038b08242b420f8f2c51a6428b2159ddc92
                              • Opcode Fuzzy Hash: 8cab838d89dd1577677f775eaf8cb930bb6d64206a7fe5cceb0cff601651d84b
                              • Instruction Fuzzy Hash: 7211A5F0541B419BC7308F16E544587FBF8AF907587218A1FD0AA9BA51D3F8A1888B9C
                              APIs
                                • Part of subcall function 0040BA46: ??2@YAPAXI@Z.MSVCRT(0000000C,?,0040C20C,004149B0,00000001,?,?,00000000), ref: 0040BA4B
                              • ??3@YAXPAX@Z.MSVCRT(00000000,004149B0,00000001,?,?,00000000), ref: 0040C20D
                                • Part of subcall function 0040ADC3: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040ADD6
                                • Part of subcall function 0040ADC3: memmove.MSVCRT(00000000,?,?,?,?,?,0040B1B6,00010000), ref: 0040ADF0
                                • Part of subcall function 0040ADC3: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,0040B1B6,00010000), ref: 0040AE00
                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,004149B0,00000001,?,?,00000000), ref: 0040C245
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@$??3@$memmove
                              • String ID: IA$IA$IA
                              • API String ID: 4294387087-924693538
                              • Opcode ID: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                              • Instruction ID: 38d37476858cbe2739f158cf8086d9562841ccd83740beefedbf55b6536d6dac
                              • Opcode Fuzzy Hash: 85fc5e494f6b2b84d8098d484c2c91b8b6bfa0a3dc3e29a15476b27879269a5e
                              • Instruction Fuzzy Hash: 20B1C1B1900209DFCB54EFAAC8819DEBBB5BF48304F50852EF919A7291DB38A945CF54
                              APIs
                              • _CxxThrowException.MSVCRT(00100EC3,00414CFC), ref: 0040E83C
                              • ??2@YAPAXI@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E864
                              • memcpy.MSVCRT(00000000,?,?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?), ref: 0040E88D
                              • ??3@YAXPAX@Z.MSVCRT(?,IA,IA,00000000,?,0040E909,00000000,00408769,IA,00402F92,00000000,00000000,004044E9,?,?,?), ref: 0040E898
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??2@??3@ExceptionThrowmemcpy
                              • String ID: IA
                              • API String ID: 3462485524-3293647318
                              • Opcode ID: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                              • Instruction ID: e9362666a157510f6fc1816af10740f0f0ab3f4ff6eb75305f8b2a096945a613
                              • Opcode Fuzzy Hash: 87c970ed3d1d6bacfe04aab15aff8add49b6e5554cbd4f9de67434676486f6a2
                              • Instruction Fuzzy Hash: 6811E5736003009BCB28AF57D880D6BFBE9AB84354714C83FEA59A7290D779E8954794
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: wsprintf$ExitProcesslstrcat
                              • String ID: 0x%p
                              • API String ID: 2530384128-1745605757
                              • Opcode ID: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                              • Instruction ID: 6c9eba3c29ae2a0cc7ccd16f79f39b6d6218d418ab2b897ff95ca6c62132cda7
                              • Opcode Fuzzy Hash: beb3389330693802dd4b40a551927b7f0c9c9e0999a7fc1e7fc7f64098bb755c
                              • Instruction Fuzzy Hash: CF019E7580020CAFDB20AFA0DC45FDA777CBF44305F04486AF945A2081D738F6948FAA
                              APIs
                                • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000B), ref: 004071E0
                                • Part of subcall function 004071B8: GetSystemMetrics.USER32(0000000C), ref: 004071E9
                              • GetSystemMetrics.USER32(00000007), ref: 00407A51
                              • GetSystemMetrics.USER32(00000007), ref: 00407A62
                              • ??3@YAXPAX@Z.MSVCRT(?,000004B8,?,?), ref: 00407B29
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: MetricsSystem$??3@
                              • String ID: 100%%
                              • API String ID: 2562992111-568723177
                              • Opcode ID: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                              • Instruction ID: d2e8aa6d75c6757367bbc63d1236441fd7733528c0e5853e38aed7656a5d7d9b
                              • Opcode Fuzzy Hash: 8625fd62ee8a1587f51b59dec5492359d41c9a7e7955315cbfbb4a3169dab2fe
                              • Instruction Fuzzy Hash: 0D31D771A047059FCB24DFA9C9419AEB7F4EF40308B00012EE542A26E1DB78FE44CF99
                              APIs
                              • wsprintfW.USER32 ref: 00407A12
                                • Part of subcall function 0040725A: GetDlgItem.USER32(?,?), ref: 00407264
                                • Part of subcall function 0040725A: GetWindowTextLengthW.USER32(00000000), ref: 0040726B
                              • GetDlgItem.USER32(?,000004B3), ref: 004079C6
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000), ref: 004079E4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: TextWindow$ItemLength$??3@wsprintf
                              • String ID: (%u%s)
                              • API String ID: 3595513934-2496177969
                              • Opcode ID: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                              • Instruction ID: 1b031bef2a273fddd3247fbc9e57f9590cc69a100d620b238320e5a3a24b3f72
                              • Opcode Fuzzy Hash: 81108d5736a162b6d9564d3eb7a2e93f5e39dd0108d0485d36b03b99dec63073
                              • Instruction Fuzzy Hash: 1401C8B15042147FDB107B65DC46EAF777CAF44708F10807FF516A21E2DB7CA9448A68
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,GetNativeSystemInfo,0000003C,?,?,?,?,?,?,00406130,?,00000000,?,?,?), ref: 0040220A
                              • GetProcAddress.KERNEL32(00000000), ref: 00402211
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetNativeSystemInfo$kernel32
                              • API String ID: 2574300362-3846845290
                              • Opcode ID: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                              • Instruction ID: b757a3d5c4c17e34abb063926c294d8abaed4bc4edbc3347b9308a3de004b423
                              • Opcode Fuzzy Hash: dcc7844bde5d914e3d472255d944d602bbefc6ee0fc65a521985863f2fff9548
                              • Instruction Fuzzy Hash: 88F0B432E1521495CF20BBF48B0D6EF66E89A19349B1004BBD852F31D0E5FCCE8141EE
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,004061B1,?,?,?), ref: 00402198
                              • GetProcAddress.KERNEL32(00000000), ref: 0040219F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64RevertWow64FsRedirection$kernel32
                              • API String ID: 2574300362-3900151262
                              • Opcode ID: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                              • Instruction ID: b94e249185ae4a70534d65e1a66e6cdcdba3a47a1e4784fabdbc91f5644b18b3
                              • Opcode Fuzzy Hash: e5c6d40c89fc1f3fb34c79c32c3445fbc861d0d884c7149ba98d4f5b826d618a
                              • Instruction Fuzzy Hash: AFD0C934294201DBDB125FA0EE0E7EA3AB9FB04B0BF458035A920A00F0CBBC9644CA5C
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,0040223A), ref: 004021CA
                              • GetProcAddress.KERNEL32(00000000), ref: 004021D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64DisableWow64FsRedirection$kernel32
                              • API String ID: 2574300362-736604160
                              • Opcode ID: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                              • Instruction ID: 817513c890d082da38b6284c2862a66e2f32a8da2897575df7e5c1eb8648f331
                              • Opcode Fuzzy Hash: 5a0f418ac3e49e57b967c4010738a21a45af66be6bd625357fa5c872d0fae828
                              • Instruction Fuzzy Hash: 0DD012342443009BDB515FA09E0D7DA3EB4B705B07F508076A520E11D1CBFCA244C7AC
                              APIs
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402B6F
                                • Part of subcall function 0040272E: MultiByteToWideChar.KERNEL32(00000020,00000000,00000024,?,00000000,?,?,00000020,00000024,00000000,00402ACD,?,?,00000000,00000000,00000000), ref: 00402760
                              • ??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?,00000000), ref: 00402ADC
                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C,?), ref: 00402AF7
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,00000000,00000000,00000020,?,?,?,?,?,?,?,?,0040507C), ref: 00402AFF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$ByteCharMultiWide
                              • String ID:
                              • API String ID: 1731127917-0
                              • Opcode ID: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                              • Instruction ID: 3903ebf3ba6088976d83fc344d3b185d6a20d7f45533e28e7dbc13297377a7b4
                              • Opcode Fuzzy Hash: ae4930b9035af11edc18eb83865398ea889af843cb2bb96c85f7d9ecca2ecb95
                              • Instruction Fuzzy Hash: 2831B3729041156ACB14FFA6DD81DEFB3BCEF00714B51403FF952B31E1EA38AA458658
                              APIs
                              • GetTempPathW.KERNEL32(00000001,00000000,00000002,00000000,00406437,00000000,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FA8
                              • GetTempPathW.KERNEL32(00000001,00000000,00000001,?,?,00404B63,?,7ZSfx%03x.cmd), ref: 00403FC5
                              • wsprintfW.USER32 ref: 00403FFB
                              • GetFileAttributesW.KERNEL32(?), ref: 00404016
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: PathTemp$AttributesFilewsprintf
                              • String ID:
                              • API String ID: 1746483863-0
                              • Opcode ID: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                              • Instruction ID: 4b01c17e8612d334da970e7aef70975a1f373095b445c13461924cc76c43a46f
                              • Opcode Fuzzy Hash: 013dbc26b67ec8e4cb6dbc59edbfaa415160c5e99e9f4e95bea1135156e91aed
                              • Instruction Fuzzy Hash: 1B113672100204BFCB01AF59CC85AADB7F8FF88755F50802EF905972E1DB78AA008B88
                              APIs
                              • CharUpperW.USER32(?,7591E0B0,00000000,00000000,?,?,?,00403DBD,00000002), ref: 00401AC3
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401ACF
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B03
                              • CharUpperW.USER32(?,?,?,?,00403DBD,00000002), ref: 00401B13
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: CharUpper
                              • String ID:
                              • API String ID: 9403516-0
                              • Opcode ID: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                              • Instruction ID: 0ba0c8867aa888139ba8faa8f8ff432121b60ad667f2455bf366b55ac651d143
                              • Opcode Fuzzy Hash: 18230d7c19ca01b706053a4839b324d461c93759ef2237e6a4782e95e1545131
                              • Instruction Fuzzy Hash: 02112E34A11269ABCF108F99C8446BAB7E8FF44356B504467F881E3290D77CDE51EB64
                              APIs
                                • Part of subcall function 0040690F: GetDlgItem.USER32(?,?), ref: 0040691B
                                • Part of subcall function 0040692C: GetDlgItem.USER32(?,?), ref: 00406939
                                • Part of subcall function 0040692C: ShowWindow.USER32(00000000,?), ref: 00406950
                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00407FED
                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000103), ref: 0040800D
                              • GetDlgItem.USER32(?,000004B7), ref: 00408020
                              • SetWindowLongW.USER32(00000000,000000FC,Function_00006F37), ref: 0040802E
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,000004B7,?,?,?,?,?,0040803E), ref: 00407D30
                                • Part of subcall function 00407D06: LoadIconW.USER32(00000000), ref: 00407D33
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000032), ref: 00407D43
                                • Part of subcall function 00407D06: GetSystemMetrics.USER32(00000031), ref: 00407D48
                                • Part of subcall function 00407D06: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000,?,?,?,?,?,0040803E), ref: 00407D51
                                • Part of subcall function 00407D06: LoadImageW.USER32(00000000), ref: 00407D54
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000001,?), ref: 00407D79
                                • Part of subcall function 00407D06: SendMessageW.USER32(?,00000080,00000000,?), ref: 00407D89
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E76
                                • Part of subcall function 00407D06: GetWindow.USER32(?,00000005), ref: 00407E92
                                • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ItemWindow$System$HandleLoadMessageMetricsModuleSend$DirectoryFileFocusIconImageInfoLongShow
                              • String ID:
                              • API String ID: 2538916108-0
                              • Opcode ID: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                              • Instruction ID: 9218ed989044434557cb474aaa53437228351995edfdd36a91d94446a14b3a18
                              • Opcode Fuzzy Hash: a74d79fd4605bc1a7757bdbc28ebf3a23631424810f8539fda01f9cd24d05c25
                              • Instruction Fuzzy Hash: 7D1186B1A402146BCB10BBB99D09F9EB7FDEB84B04F00446EB652E31C0D6B8DA008B54
                              APIs
                              • SystemParametersInfoW.USER32(00000029,000001F4,?,00000000), ref: 00406814
                              • GetSystemMetrics.USER32(00000031), ref: 0040683A
                              • CreateFontIndirectW.GDI32(?), ref: 00406849
                              • DeleteObject.GDI32(00000000), ref: 00406878
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
                              • String ID:
                              • API String ID: 1900162674-0
                              • Opcode ID: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                              • Instruction ID: e152b01862f646c7a4819b14062263d5307cf72e2961abd6127bac75ebed32e6
                              • Opcode Fuzzy Hash: 5f8418ac61918c0235adc1083e46979a63813a21cc36a9cb80778b220a455722
                              • Instruction Fuzzy Hash: A9116376A00205AFDB10DF94DC88FEAB7B8EB08300F0180AAED06A7291DB74DE54CF54
                              APIs
                              • memset.MSVCRT ref: 0040749F
                              • SHBrowseForFolderW.SHELL32(?), ref: 004074B8
                              • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 004074D4
                              • SHGetMalloc.SHELL32(00000000), ref: 004074FE
                                • Part of subcall function 004072DD: GetDlgItem.USER32(?,000004B6), ref: 004072EA
                                • Part of subcall function 004072DD: SetFocus.USER32(00000000,?,?,004073B2,000004B6,?), ref: 004072F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: BrowseFocusFolderFromItemListMallocPathmemset
                              • String ID:
                              • API String ID: 1557639607-0
                              • Opcode ID: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                              • Instruction ID: 30b51fec80d89fd3ac1614d0428bedaa433d1aa4d1a510c8e8bcd0531de43efe
                              • Opcode Fuzzy Hash: a8285b8de4733da597857d8c27af206edc1c0a360700d70dd9a7d2ed45ada19f
                              • Instruction Fuzzy Hash: 43112171A00114ABDB10EBA5DD48BDE77FCAB84715F1040A9E505E7280DB78EF05CB75
                              APIs
                              • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 004027F8
                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00402801
                                • Part of subcall function 0040112B: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 0040114B
                                • Part of subcall function 0040112B: ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00401425,00000003,?,0040502D,?,?,00000000), ref: 00401171
                              • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000001,00000001,00000000,?,00000000,00000000,00000000), ref: 00402819
                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00402839
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@$EnvironmentExpandStrings$??2@
                              • String ID:
                              • API String ID: 612612615-0
                              • Opcode ID: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                              • Instruction ID: 71972da321696c7643696fa2d61077c4bfdb6251f9c85b9dd911fab2e4c9aeed
                              • Opcode Fuzzy Hash: 1bf054f2ccdc3be335b048ff77a64ac4bdb67295ffe3aca3d2c9ccbf2cc91127
                              • Instruction Fuzzy Hash: EF017976D00118BADB04AB55DD41DDEB7BCEF48714B10417BF901B31D1EB746A4086A8
                              APIs
                                • Part of subcall function 00402D7D: GetWindowTextLengthW.USER32(?), ref: 00402D8E
                                • Part of subcall function 00402D7D: GetWindowTextW.USER32(00402E07,00000000,00000001), ref: 00402DAB
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00413550,00413558), ref: 00403AFD
                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00413550,00413558), ref: 00403B05
                              • SetWindowTextW.USER32(?,?), ref: 00403B12
                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 00403B1D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ??3@TextWindow$Length
                              • String ID:
                              • API String ID: 2308334395-0
                              • Opcode ID: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                              • Instruction ID: 2cc122b1f520d7f8021a056a959bf32eecafdcf33a956e59961b1277582e5a57
                              • Opcode Fuzzy Hash: 8119ca7b33955cbac21e87e4fe12ba773d40effc5d925a3b7e480b00d6a2293b
                              • Instruction Fuzzy Hash: 2EF0FF32D0410DBACF01FBA5DD46CDE7B79EF04705B10406BF501720A1EA79AB559B98
                              APIs
                              • GetObjectW.GDI32(?,0000005C,?), ref: 00407045
                              • CreateFontIndirectW.GDI32(?), ref: 0040705B
                              • GetDlgItem.USER32(?,000004B5), ref: 0040706F
                              • SendMessageW.USER32(00000000,00000030,00000000,00000000), ref: 0040707B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: CreateFontIndirectItemMessageObjectSend
                              • String ID:
                              • API String ID: 2001801573-0
                              • Opcode ID: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                              • Instruction ID: 5c236ef126686a3da9008926c30106754acf3bfa0ff8e01310dffb34f405da6a
                              • Opcode Fuzzy Hash: 78def116b4819d627590729c5baad135a5410a8d7e74f17ad4cec64f2c4de15c
                              • Instruction Fuzzy Hash: 35F05475900704ABDB209BA4DC09F8B7BFCAB48B01F048139BD51E11D4D7B4E5018B19
                              APIs
                              • GetParent.USER32(?), ref: 00401BA8
                              • GetWindowRect.USER32(?,?), ref: 00401BC1
                              • ScreenToClient.USER32(00000000,?), ref: 00401BCF
                              • ScreenToClient.USER32(00000000,?), ref: 00401BD6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: ClientScreen$ParentRectWindow
                              • String ID:
                              • API String ID: 2099118873-0
                              • Opcode ID: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                              • Instruction ID: 3a6f634f9500a9f0e676680e31990ed58166cb62974d534a535afb1fb6b8d00a
                              • Opcode Fuzzy Hash: ede60c7992125a9d10b8f8c06fbaeb3be6251aeef84f0c1b655461571a46cee2
                              • Instruction Fuzzy Hash: 09E04F722052116BCB10AFA5AC88C8BBF6DDFC5723700447AF941A2220D7709D109A61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: _wtol
                              • String ID: GUIFlags$[G@
                              • API String ID: 2131799477-2126219683
                              • Opcode ID: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                              • Instruction ID: b6302b9691b8fcfec91ee3c39af82f4337802e9cb3a6f407b943601295de961a
                              • Opcode Fuzzy Hash: f402b0c85aba1d66b07b6addbe7eda3b1a8910d5e18cf18c534464033b9959d4
                              • Instruction Fuzzy Hash: 6DF03C3611C1635AFB342E0994187B6AA9CEB05793FE4443BE9C3F12D0C37C8E82825D
                              APIs
                              • GetEnvironmentVariableW.KERNEL32(?O@,?,00000001,004177A0,00000000,00417794,?,?,00404F3F,?,?,?,?,?), ref: 00402F26
                              • GetEnvironmentVariableW.KERNEL32(?,00000000,?,00000001,00000002,?,?,00404F3F,?,?,?,?,?), ref: 00402F52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2065156669.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2065128272.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065217895.0000000000413000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065327206.0000000000417000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2065395361.000000000041A000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_CnjMEmbChO.jbxd
                              Similarity
                              • API ID: EnvironmentVariable
                              • String ID: ?O@
                              • API String ID: 1431749950-3511380453
                              • Opcode ID: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                              • Instruction ID: 315e17eccb05daff3adc91fa9074d23558c2207180d60d9b2b56ce26dbf77fcb
                              • Opcode Fuzzy Hash: 0f0cab1a5fe64df75075e876fd7e6a607817ca224d69030a73e0dc08c334b9f4
                              • Instruction Fuzzy Hash: 24F06272200118BFDB00AFA9DC458AEB7EDEF88764B51402BF904D72A1D7B4AD008B98

                              Execution Graph

                              Execution Coverage:5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:8.9%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:89
std::system_error::system_error 26 API calls 115798->115800 115800->115784 115801 f6c8c8 115884 f74350 26 API calls 5 library calls 115801->115884 115802 f6c7b3 Concurrency::details::SchedulerBase::Finalize 115881 f6d660 76 API calls 4 library calls 115802->115881 115803 f6c918 115803->115751 115805 f6c8f1 115885 fb2a4a RaiseException 115805->115885 115807 f99e53 27 API calls std::_Throw_Cpp_error 115807->115749 115808->115752 115810 f9a410 115809->115810 115811 f9a3e2 GetCurrentThreadId 115809->115811 115813 f9a43a 115810->115813 115814 f9a414 GetCurrentThreadId 115810->115814 115812 f9a3ed GetCurrentThreadId 115811->115812 115823 f9a408 115811->115823 115812->115823 115815 f9a4d3 GetCurrentThreadId 115813->115815 115818 f9a45a 115813->115818 115816 f9a423 115814->115816 115815->115816 115817 f9a52a GetCurrentThreadId 115816->115817 115816->115823 115817->115823 115827 f99475 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 115818->115827 115819 f9b5dd _ValidateLocalCookies 5 API calls 115822 f6c483 115819->115822 115822->115749 115822->115807 115823->115819 115824 f9a492 GetCurrentThreadId 115824->115816 115825 f9a465 __Xtime_diff_to_millis2 115824->115825 115825->115816 115825->115823 115825->115824 115828 f99475 GetSystemTimeAsFileTime __aulldvrm __Xtime_get_ticks 115825->115828 115827->115825 115828->115825 115886 f6cfc0 115829->115886 115831 f6d425 115832 f6ae30 26 API calls 115831->115832 115833 f6d433 115832->115833 115834 f6ae30 26 API calls 115833->115834 115835 f6d43c 115834->115835 115906 f6d270 115835->115906 115837 f6d447 StructuredWorkStealingQueue 115911 f6d300 115837->115911 115839 f6d4d2 115840 f6d537 Concurrency::details::SchedulerBase::Finalize 115839->115840 115842 f6d5da 115839->115842 115841 f6d571 Concurrency::details::SchedulerBase::Finalize 115840->115841 115844 f6d5df 115840->115844 115847 f6d5e4 115841->115847 115850 f6d5b3 Concurrency::details::SchedulerBase::Finalize 115841->115850 115843 fb6739 std::system_error::system_error 26 
API calls 115842->115843 115843->115844 115846 fb6739 std::system_error::system_error 26 API calls 115844->115846 115845 f9b5dd _ValidateLocalCookies 5 API calls 115848 f6c763 115845->115848 115846->115847 115849 fb6739 std::system_error::system_error 26 API calls 115847->115849 115852 f6ccf0 115848->115852 115851 f6d5e9 115849->115851 115850->115845 115853 f6cd2d 115852->115853 115856 f6cd33 Concurrency::details::SchedulerBase::Finalize 115852->115856 115919 fb7b21 95 API calls 4 library calls 115853->115919 115855 f6ce36 115920 fb6802 20 API calls __dosmaperr 115855->115920 115856->115855 115863 f6ce04 Sleep 115856->115863 115864 f6c77c 115856->115864 115865 f6ce31 115856->115865 115858 f6ce3b 115863->115855 115867 f6ce12 115863->115867 115864->115798 115864->115802 115869 fb6739 std::system_error::system_error 26 API calls 115865->115869 115867->115856 115869->115855 115871 fb6a33 CallCatchBlock 115870->115871 115872 fb6a3a 115871->115872 115873 fb6a43 115871->115873 115935 fb694f 94 API calls 4 library calls 115872->115935 115924 fb7a83 EnterCriticalSection 115873->115924 115876 fb6a4d 115925 fb68ff 115876->115925 115879 fb6a40 __wsopen_s 115879->115803 115881->115779 115882->115790 115883->115801 115884->115805 115885->115794 115889 f6d014 115886->115889 115887 f6d1f1 115918 f5f9c0 27 API calls 7 library calls 115887->115918 115889->115887 115890 f6d059 115889->115890 115891 f6d0d8 115890->115891 115893 f6d071 115890->115893 115916 f6cf60 27 API calls 2 library calls 115891->115916 115915 f6cee0 27 API calls std::system_error::system_error 115893->115915 115894 f6d0e7 115917 f6cf60 27 API calls 2 library calls 115894->115917 115897 f6d0ff 115900 f6d18b Concurrency::details::SchedulerBase::Finalize 115897->115900 115903 fb6739 std::system_error::system_error 26 API calls 115897->115903 115898 f6d1d1 Concurrency::details::SchedulerBase::Finalize 115898->115831 115899 f6d098 115901 f6d0c9 Concurrency::details::SchedulerBase::Finalize 115899->115901 115902 fb6739 
std::system_error::system_error 26 API calls 115899->115902 115900->115898 115904 fb6739 std::system_error::system_error 26 API calls 115900->115904 115901->115831 115902->115897 115903->115900 115905 f6d26d 115904->115905 115907 f6d27b Concurrency::details::SchedulerBase::Finalize 115906->115907 115908 f6d2d8 Concurrency::details::SchedulerBase::Finalize 115907->115908 115909 fb6739 std::system_error::system_error 26 API calls 115907->115909 115908->115837 115910 f6d2fc 115909->115910 115912 f6d322 115911->115912 115913 f9b5dd _ValidateLocalCookies 5 API calls 115912->115913 115914 f6d3a6 115913->115914 115914->115839 115915->115899 115916->115894 115917->115897 115918->115901 115919->115856 115920->115858 115924->115876 115926 fb690c 115925->115926 115927 fb6915 115925->115927 115943 fb694f 94 API calls 4 library calls 115926->115943 115937 fb6899 115927->115937 115930 fb6912 115936 fb6a78 LeaveCriticalSection __fread_nolock 115930->115936 115933 fb6935 115951 fc70d3 30 API calls 2 library calls 115933->115951 115935->115879 115936->115879 115938 fb68b1 115937->115938 115940 fb68ad 115937->115940 115939 fc79c9 __fread_nolock 26 API calls 115938->115939 115938->115940 115941 fb68d1 115939->115941 115940->115930 115944 fc79c9 115940->115944 115952 fc76d2 115941->115952 115943->115930 115945 fc79ea 115944->115945 115946 fc79d5 115944->115946 115945->115933 116039 fb6802 20 API calls __dosmaperr 115946->116039 115948 fc79da 116040 fb6729 26 API calls std::system_error::system_error 115948->116040 115950 fc79e5 115950->115933 115951->115930 115953 fc76de CallCatchBlock 115952->115953 115954 fc76fe 115953->115954 115955 fc76e6 115953->115955 115957 fc779c 115954->115957 115961 fc7733 115954->115961 116031 fb67ef 20 API calls __dosmaperr 115955->116031 116036 fb67ef 20 API calls __dosmaperr 115957->116036 115959 fc76eb 116032 fb6802 20 API calls __dosmaperr 115959->116032 115960 fc77a1 116037 fb6802 20 API calls __dosmaperr 115960->116037 115977 fd063a 
EnterCriticalSection 115961->115977 115965 fc77a9 116038 fb6729 26 API calls std::system_error::system_error 115965->116038 115966 fc7739 115968 fc776a 115966->115968 115969 fc7755 115966->115969 115978 fc77bd 115968->115978 116033 fb6802 20 API calls __dosmaperr 115969->116033 115971 fc76f3 __wsopen_s 115971->115940 115973 fc775a 116034 fb67ef 20 API calls __dosmaperr 115973->116034 115974 fc7765 116035 fc7794 LeaveCriticalSection __wsopen_s 115974->116035 115977->115966 115979 fc77eb 115978->115979 115980 fc77e4 115978->115980 115981 fc780e 115979->115981 115982 fc77ef 115979->115982 115983 f9b5dd _ValidateLocalCookies 5 API calls 115980->115983 115985 fc785f 115981->115985 115986 fc7842 115981->115986 115984 fb67ef __dosmaperr 20 API calls 115982->115984 115987 fc79c5 115983->115987 115988 fc77f4 115984->115988 115990 fc7875 115985->115990 115994 fc819b __fread_nolock 28 API calls 115985->115994 115989 fb67ef __dosmaperr 20 API calls 115986->115989 115987->115974 115991 fb6802 __dosmaperr 20 API calls 115988->115991 115993 fc7847 115989->115993 115992 fc7362 __wsopen_s 67 API calls 115990->115992 115994->115990 116031->115959 116032->115971 116033->115973 116034->115974 116035->115971 116036->115960 116037->115965 116038->115971 116039->115948 116040->115950 116043 fbc092 CallCatchBlock 116041->116043 116042 fbc0a0 116066 fb6802 20 API calls __dosmaperr 116042->116066 116043->116042 116046 fbc0cd 116043->116046 116045 fbc0a5 116067 fb6729 26 API calls std::system_error::system_error 116045->116067 116048 fbc0df 116046->116048 116049 fbc0d2 116046->116049 116058 fc9f38 116048->116058 116068 fb6802 20 API calls __dosmaperr 116049->116068 116052 fbc0e8 116053 fbc0ef 116052->116053 116054 fbc0fc 116052->116054 116069 fb6802 20 API calls __dosmaperr 116053->116069 116070 fbc130 LeaveCriticalSection __fread_nolock 116054->116070 116057 fbc0b0 __wsopen_s 116057->115620 116059 fc9f44 CallCatchBlock 116058->116059 116071 fbc53e EnterCriticalSection 116059->116071 116061 
fc9f52 116072 fc9fd2 116061->116072 116065 fc9f83 __wsopen_s 116065->116052 116066->116045 116067->116057 116068->116057 116069->116057 116070->116057 116071->116061 116079 fc9ff5 116072->116079 116073 fca04e 116090 fc9213 116073->116090 116078 fca060 116084 fc9f5f 116078->116084 116103 fc9936 11 API calls 2 library calls 116078->116103 116079->116073 116079->116079 116079->116084 116088 fb7a83 EnterCriticalSection 116079->116088 116089 fb7a97 LeaveCriticalSection 116079->116089 116081 fca07f 116085 fc9f8e 116084->116085 116108 fbc586 LeaveCriticalSection 116085->116108 116087 fc9f95 116087->116065 116088->116079 116089->116079 116095 fc9220 _strftime 116090->116095 116091 fc924b RtlAllocateHeap 116093 fc925e 116091->116093 116091->116095 116092 fc9260 116106 fb6802 20 API calls __dosmaperr 116092->116106 116097 fc79ef 116093->116097 116095->116091 116095->116092 116105 fc52fa 7 API calls 2 library calls 116095->116105 116098 fc79fa HeapFree 116097->116098 116099 fc7a23 __dosmaperr 116097->116099 116098->116099 116100 fc7a0f 116098->116100 116099->116078 116107 fb6802 20 API calls __dosmaperr 116100->116107 116102 fc7a15 GetLastError 116102->116099 116103->116081 116105->116095 116106->116093 116107->116102 116108->116087 116110 f61ae6 116109->116110 116113 f61b41 116109->116113 116151 f9b7ab 5 API calls __Init_thread_wait 116110->116151 116112 f61bbf 116112->115626 116112->115627 116113->116112 116154 f9b7ab 5 API calls __Init_thread_wait 116113->116154 116114 f61af0 116114->116113 116116 f61afc GetProcessHeap 116114->116116 116152 f9bb2a 29 API calls __onexit 116116->116152 116117 f61b5c 116117->116112 116155 f9bb2a 29 API calls __onexit 116117->116155 116120 f61b37 116153 f9b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 116120->116153 116121 f61bb5 116156 f9b761 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 116121->116156 116125 f89d13 116124->116125 116126 f89a36 116124->116126 116125->116126 116157 f61000 9 API calls 
116125->116157 116126->115634 116126->115635 116126->115636 116128 f89d2a 116128->116126 116129 f89d34 FindResourceW 116128->116129 116129->116126 116130 f89d48 116129->116130 116158 f61080 LoadResource LockResource SizeofResource 116130->116158 116132 f89d52 116132->116126 116133 f89d5b WideCharToMultiByte 116132->116133 116134 f89dcb 116133->116134 116135 f89d7b 116133->116135 116137 f617d0 2 API calls 116134->116137 116136 f89d98 WideCharToMultiByte 116135->116136 116159 f8a650 22 API calls 116135->116159 116136->116126 116136->116134 116139 f89dd5 116137->116139 116140 f89d96 116140->116136 116141->115639 116142->115634 116144 f617de 116143->116144 116160 fb2a4a RaiseException 116144->116160 116146 f617eb 116147 f6180e 116146->116147 116148 f617fd 116146->116148 116149 f617d0 RaiseException 116147->116149 116148->115629 116150 f61818 HeapAlloc 116149->116150 116150->115629 116151->116114 116152->116120 116153->116113 116154->116117 116155->116121 116156->116112 116157->116128 116158->116132 116159->116140 116160->116146 116162 f59067 116161->116162 116163 f9b5dd _ValidateLocalCookies 5 API calls 116162->116163 116164 f583e1 116163->116164 116164->115649 116166 f985e2 116165->116166 116169 fb2a4a RaiseException 116166->116169 116168 f985f0 116169->116168 116170->115665 116171->115669 116172->115685 116173->115679 116174->115686 116175->115679 116176->115679 116178 f61193 116177->116178 116190 f61219 116177->116190 116178->116190 116191 f61000 9 API calls 116178->116191 116180 f611aa 116181 f611b0 FindResourceW 116180->116181 116180->116190 116182 f611c4 116181->116182 116181->116190 116192 f61080 LoadResource LockResource SizeofResource 116182->116192 116184 f611ce 116185 f611fa 116184->116185 116184->116190 116193 f61410 22 API calls 116184->116193 116194 fb6815 26 API calls 4 library calls 116185->116194 116188 f61213 116195 f610e0 HeapAlloc RaiseException 116188->116195 116190->115691 116190->115693 116191->116180 116192->116184 116193->116185 116194->116188 
116195->116190 116201 fb6fc2 116196->116201 116199->115702 116200->115701 116202 fb6fce CallCatchBlock 116201->116202 116209 fb7a83 EnterCriticalSection 116202->116209 116204 fb6fdc 116210 fb703b 116204->116210 116209->116204 116218 fc858c 116210->116218 116219 fc79c9 __fread_nolock 26 API calls 116218->116219 116220 fc859b 116219->116220 116262 f8e1b0 116263 f8e1fb 116262->116263 116264 f8e1e5 116262->116264 116265 f8e2ba 116263->116265 116269 f8e26e 116263->116269 116276 f8e30b 116263->116276 116277 f90f50 116263->116277 116266 f9a660 Concurrency::details::_CancellationTokenRegistration::_Invoke 12 API calls 116265->116266 116265->116276 116268 f8e2ca 116266->116268 116273 f8e297 __Mtx_unlock 116268->116273 116296 f99e53 27 API calls std::_Throw_Cpp_error 116268->116296 116271 f9a660 Concurrency::details::_CancellationTokenRegistration::_Invoke 12 API calls 116269->116271 116269->116276 116272 f8e28a 116271->116272 116272->116273 116295 f99e53 27 API calls std::_Throw_Cpp_error 116272->116295 116273->116276 116297 f99e53 27 API calls std::_Throw_Cpp_error 116273->116297 116278 f90f95 116277->116278 116289 f91121 116277->116289 116278->116289 116298 fb4fb8 116278->116298 116280 f9b5dd _ValidateLocalCookies 5 API calls 116281 f911f6 116280->116281 116281->116263 116282 f90fab FindHandler 116283 f9a660 Concurrency::details::_CancellationTokenRegistration::_Invoke 12 API calls 116282->116283 116282->116289 116284 f90fd3 116283->116284 116285 f90fe0 116284->116285 116303 f99e53 27 API calls std::_Throw_Cpp_error 116284->116303 116304 fb4ec5 RaiseException 7 library calls 116285->116304 116288 f90ffd 116290 f910c8 __Mtx_unlock 116288->116290 116291 f911fc 116288->116291 116289->116280 116290->116289 116305 f99e53 27 API calls std::_Throw_Cpp_error 116290->116305 116292 f985d4 RaiseException 116291->116292 116294 f91201 Concurrency::details::SchedulerBase::Finalize 116292->116294 116294->116263 116295->116273 116296->116273 116297->116276 116299 fb4fc4 
std::__non_rtti_object::__construct_from_string_literal CallCatchBlock 116298->116299 116300 fb4fdb 116299->116300 116306 fb2a4a RaiseException 116299->116306 116300->116282 116302 fb5044 116303->116285 116304->116288 116305->116289 116306->116302 116307 f88a70 116445 f95630 116307->116445 116309 f88ac4 StructuredWorkStealingQueue 116311 f88b4e MultiByteToWideChar 116309->116311 116502 f6b210 116309->116502 116312 f88b90 116311->116312 116313 f899e0 55 API calls 116312->116313 116314 f88bd9 116313->116314 116315 f88c13 Concurrency::details::SchedulerBase::Finalize 116314->116315 116317 f88d95 116314->116317 116316 f61ad0 39 API calls 116315->116316 116318 f88c43 116316->116318 116319 fb6739 std::system_error::system_error 26 API calls 116317->116319 116320 f88d9a 116318->116320 116321 f88c4d 116318->116321 116319->116320 116322 f617d0 2 API calls 116320->116322 116539 fb35c0 116445->116539 116448 f9586a 116615 f96390 7 API calls 4 library calls 116448->116615 116449 f956bc SetupDiEnumDeviceInfo 116451 f95807 SetupDiDestroyDeviceInfoList 116449->116451 116477 f956e5 116449->116477 116451->116448 116452 f9582a 116451->116452 116454 f958f6 116452->116454 116458 f95903 StructuredWorkStealingQueue 116452->116458 116453 f956f0 SetupDiGetDeviceInstanceIdW 116453->116451 116453->116477 116616 fb6802 20 API calls __dosmaperr 116454->116616 116456 f95908 116461 f9596e 116456->116461 116469 f9597b StructuredWorkStealingQueue 116456->116469 116457 f958fb 116618 fb6729 26 API calls std::system_error::system_error 116457->116618 116458->116456 116617 fb6802 20 API calls __dosmaperr 116458->116617 116459 fc423c 68 API calls 116459->116477 116619 fb6802 20 API calls __dosmaperr 116461->116619 116465 f95980 116554 f95590 116465->116554 116466 f957e4 SetupDiEnumDeviceInfo 116466->116451 116466->116453 116467 f95973 116621 fb6729 26 API calls std::system_error::system_error 116467->116621 116469->116465 116620 fb6802 20 API calls __dosmaperr 116469->116620 116471 f959bc 116473 f959fe 
116471->116473 116479 f95a0b StructuredWorkStealingQueue 116471->116479 116622 fb6802 20 API calls __dosmaperr 116473->116622 116475 f95a10 116574 f96aa0 116475->116574 116476 f95a03 116624 fb6729 26 API calls std::system_error::system_error 116476->116624 116477->116453 116477->116459 116477->116466 116541 f96520 116477->116541 116479->116475 116623 fb6802 20 API calls __dosmaperr 116479->116623 116483 f962af 116601 f921e0 116483->116601 116485 f96305 116607 f92040 116485->116607 116488 f95590 26 API calls 116489 f96323 116488->116489 116490 f9b5dd _ValidateLocalCookies 5 API calls 116489->116490 116491 f96343 116490->116491 116491->116309 116492 f95b76 std::system_error::system_error 116493 f96349 116492->116493 116498 f95c60 std::system_error::system_error Concurrency::details::SchedulerBase::Finalize 116492->116498 116501 f9623a Concurrency::details::SchedulerBase::Finalize 116492->116501 116494 fb6739 std::system_error::system_error 26 API calls 116493->116494 116495 f96380 116494->116495 116496 f9621d 116499 f95590 26 API calls 116496->116499 116497 f96245 116500 f95590 26 API calls 116497->116500 116498->116496 116498->116497 116499->116501 116500->116501 116596 f96740 116501->116596 116503 f6b1d0 78 API calls 116502->116503 116504 f6b229 116503->116504 116504->116309 116540 f9567a SetupDiGetClassDevsW 116539->116540 116540->116448 116540->116449 116546 f96556 StructuredWorkStealingQueue 116541->116546 116542 f96604 CreateFileW 116543 f96628 DeviceIoControl 116542->116543 116544 f9671f 116542->116544 116547 f96688 DeviceIoControl 116543->116547 116548 f9666b Concurrency::SchedulerPolicy::_Initialize 116543->116548 116545 f9b5dd _ValidateLocalCookies 5 API calls 116544->116545 116550 f9672d 116545->116550 116546->116542 116549 f96705 CloseHandle 116547->116549 116553 f966c3 Concurrency::SchedulerPolicy::_Initialize 116547->116553 116548->116547 116551 f9b5dd _ValidateLocalCookies 5 API calls 116549->116551 116550->116477 116552 f9671b 116551->116552 
116552->116477 116553->116549 116555 f9559e 116554->116555 116556 f955a4 116554->116556 116555->116471 116557 f955a8 116556->116557 116558 f955c1 StructuredWorkStealingQueue 116556->116558 116625 fb6802 20 API calls __dosmaperr 116557->116625 116561 f955cd Concurrency::SchedulerPolicy::_Initialize 116558->116561 116563 f95609 116558->116563 116564 f955ef 116558->116564 116560 f955ad 116626 fb6729 26 API calls std::system_error::system_error 116560->116626 116561->116471 116567 f955ff 116563->116567 116629 fb6802 20 API calls __dosmaperr 116563->116629 116627 fb6802 20 API calls __dosmaperr 116564->116627 116565 f955b8 116565->116471 116567->116471 116568 f955f4 116628 fb6729 26 API calls std::system_error::system_error 116568->116628 116571 f95612 116630 fb6729 26 API calls std::system_error::system_error 116571->116630 116573 f9561d 116573->116471 116631 f97640 116574->116631 116576 f96b01 116577 f97640 27 API calls 116576->116577 116578 f96b0b 116577->116578 116643 f97700 116578->116643 116580 f96b13 116589 f96b49 116580->116589 116593 f96b1a Concurrency::details::SchedulerBase::Finalize 116580->116593 116683 f979e0 27 API calls 4 library calls 116580->116683 116581 f96db2 Concurrency::details::SchedulerBase::Finalize 116582 f9b5dd _ValidateLocalCookies 5 API calls 116581->116582 116583 f96dd7 116582->116583 116583->116492 116584 f96de0 116585 fb6739 std::system_error::system_error 26 API calls 116584->116585 116588 f96de5 116585->116588 116589->116593 116684 f979e0 27 API calls 4 library calls 116589->116684 116590 f96c36 116591 f6ae30 26 API calls 116590->116591 116590->116593 116592 f96c87 116591->116592 116592->116593 116594 f96ddb 116592->116594 116593->116581 116593->116584 116595 fb6739 std::system_error::system_error 26 API calls 116594->116595 116595->116584 116599 f9674e Concurrency::details::SchedulerBase::Finalize 116596->116599 116597 fb6739 std::system_error::system_error 26 API calls 116598 f96a96 116597->116598 116599->116597 116600 f96a72 
Concurrency::details::SchedulerBase::Finalize 116599->116600 116600->116483 116602 f92212 Concurrency::SchedulerPolicy::_Initialize 116601->116602 116604 f9226b Concurrency::SchedulerPolicy::_Initialize 116602->116604 116742 f922a0 5 API calls _ValidateLocalCookies 116602->116742 116604->116485 116605 f92245 116605->116604 116743 f922a0 5 API calls _ValidateLocalCookies 116605->116743 116608 f9205d 116607->116608 116614 f920d2 116607->116614 116611 f921e0 5 API calls 116608->116611 116609 f9b5dd _ValidateLocalCookies 5 API calls 116610 f9212c 116609->116610 116610->116488 116612 f920c5 116611->116612 116613 f921e0 5 API calls 116612->116613 116613->116614 116614->116609 116614->116614 116615->116452 116616->116457 116617->116457 116618->116456 116619->116467 116620->116467 116621->116465 116622->116476 116623->116476 116624->116475 116625->116560 116626->116565 116627->116568 116628->116567 116629->116571 116630->116573 116632 f9766a 116631->116632 116633 f9bb4d make_shared 8 API calls 116632->116633 116637 f976df 116632->116637 116634 f97689 116633->116634 116635 f976ba 116634->116635 116636 f976d3 116634->116636 116638 f9b5dd _ValidateLocalCookies 5 API calls 116635->116638 116685 f982f0 27 API calls 5 library calls 116636->116685 116640 f9b5dd _ValidateLocalCookies 5 API calls 116637->116640 116641 f976cd 116638->116641 116642 f976ec 116640->116642 116641->116576 116642->116576 116686 f97280 116643->116686 116645 f9771e 116646 f978dc GetProcAddress 116645->116646 116647 f97733 GetProcAddress 116645->116647 116652 f97948 GetSystemFirmwareTable 116646->116652 116653 f978f3 116646->116653 116650 f97748 GetCurrentProcess 116647->116650 116651 f97765 LoadLibraryA 116647->116651 116666 f97756 116650->116666 116654 f977e2 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 116651->116654 116679 f9786d 116651->116679 116655 f9795b WorkStealingQueue 116652->116655 116656 f97979 116652->116656 116739 f97ee0 50 API calls 3 library calls 116653->116739 116676 f97818 
116654->116676 116654->116679 116664 f97961 GetSystemFirmwareTable 116655->116664 116658 f9b5dd _ValidateLocalCookies 5 API calls 116656->116658 116663 f97992 116658->116663 116660 f97903 116661 f97923 116660->116661 116662 f97907 116660->116662 116661->116656 116668 f9792b 116661->116668 116740 f97d60 27 API calls 2 library calls 116662->116740 116663->116580 116664->116656 116670 f97996 116664->116670 116665 f9787f 116665->116656 116682 f97887 116665->116682 116666->116651 116669 f978d7 116666->116669 116674 f9b5dd _ValidateLocalCookies 5 API calls 116668->116674 116669->116646 116741 f97d60 27 API calls 2 library calls 116670->116741 116671 f97916 116672 f979c1 116671->116672 116675 f9b5dd _ValidateLocalCookies 5 API calls 116672->116675 116677 f97944 116674->116677 116678 f979da 116675->116678 116676->116679 116680 f97894 WorkStealingQueue 116676->116680 116677->116580 116678->116580 116738 f97ee0 50 API calls 3 library calls 116679->116738 116681 f95590 26 API calls 116680->116681 116681->116682 116682->116670 116683->116589 116684->116590 116685->116637 116687 f9752e 116686->116687 116688 f972a3 GetModuleHandleA GetProcAddress 116686->116688 116691 f9b5dd _ValidateLocalCookies 5 API calls 116687->116691 116689 f972ca GetCurrentProcess 116688->116689 116690 f972d7 LoadLibraryW 116688->116690 116689->116690 116694 f97524 116690->116694 116695 f97314 GetProcAddress 116690->116695 116693 f9753b 116691->116693 116693->116645 116694->116687 116696 f97324 116695->116696 116697 f97337 FreeLibrary 116695->116697 116696->116697 116697->116694 116698 f97346 116697->116698 116699 f9734e 116698->116699 116700 f97383 116698->116700 116699->116694 116701 f97363 116699->116701 116702 f97429 116700->116702 116703 f9738c 116700->116703 116704 f9b5dd _ValidateLocalCookies 5 API calls 116701->116704 116705 f97432 116702->116705 116706 f974f7 116702->116706 116707 f973b3 116703->116707 116708 f97393 116703->116708 116709 f9737f 116704->116709 116711 f9743d 
StructuredWorkStealingQueue 116705->116711 116712 f974c7 116705->116712 116706->116694 116710 f974f9 116706->116710 116714 f973b8 116707->116714 116715 f973dc 116707->116715 116713 f9b5dd _ValidateLocalCookies 5 API calls 116708->116713 116709->116645 116718 f9b5dd _ValidateLocalCookies 5 API calls 116710->116718 116725 f9744f GetVersionExW 116711->116725 116712->116710 116717 f974cc 116712->116717 116719 f973af 116713->116719 116720 f9b5dd _ValidateLocalCookies 5 API calls 116714->116720 116715->116694 116716 f973e5 116715->116716 116721 f97409 116716->116721 116722 f973e9 116716->116722 116723 f9b5dd _ValidateLocalCookies 5 API calls 116717->116723 116724 f97520 116718->116724 116719->116645 116726 f973d8 116720->116726 116728 f9b5dd _ValidateLocalCookies 5 API calls 116721->116728 116727 f9b5dd _ValidateLocalCookies 5 API calls 116722->116727 116729 f974f3 116723->116729 116724->116645 116730 f9749d 116725->116730 116731 f9746f 116725->116731 116726->116645 116733 f97405 116727->116733 116734 f97425 116728->116734 116729->116645 116732 f9b5dd _ValidateLocalCookies 5 API calls 116730->116732 116735 f9b5dd _ValidateLocalCookies 5 API calls 116731->116735 116736 f974c3 116732->116736 116733->116645 116734->116645 116737 f97499 116735->116737 116736->116645 116737->116645 116738->116665 116739->116660 116740->116671 116741->116672 116742->116605 116743->116605 116794 6c976fdf 116795 6c976fe3 116794->116795 116796 6c976ff9 116794->116796 116795->116796 116798 6c98583d 7 API calls 3 library calls 116795->116798 116798->116796 116799 f5245c 116800 f52461 __ExceptionPtrCurrentException 116799->116800 116802 f62560 38 API calls 116800->116802 116838 f525d6 __ExceptionPtrCurrentException 116800->116838 116818 f52475 _strrchr 116802->116818 116803 f525fa InitializeSecurityDescriptor SetSecurityDescriptorDacl CreateEventW 116804 f62560 38 API calls 116803->116804 116806 f5264e __ExceptionPtrCurrentException 116804->116806 116805 f52811 GetModuleHandleW 117172 f81930 
120367->120372 120368 fd53b0 120412 fb6729 26 API calls std::system_error::system_error 120368->120412 120371 fd5494 120370->120371 120372->120309 120372->120310 120374 fd0720 CallCatchBlock 120373->120374 120416 fbc53e EnterCriticalSection 120374->120416 120376 fd076e 120417 fd081d 120376->120417 120378 fd074c 120420 fd04f3 21 API calls 3 library calls 120378->120420 120379 fd0727 120379->120376 120379->120378 120383 fd07ba EnterCriticalSection 120379->120383 120380 fd0797 __wsopen_s 120380->120313 120382 fd0751 120382->120376 120421 fd063a EnterCriticalSection 120382->120421 120383->120376 120385 fd07c7 LeaveCriticalSection 120383->120385 120385->120379 120386->120326 120387->120314 120388->120344 120389->120320 120390->120314 120391->120332 120392->120314 120393->120330 120394->120337 120395->120334 120396->120336 120397->120340 120398->120352 120399->120347 120400->120350 120401->120352 120405 fd52c1 120402->120405 120403 fd52dc 120403->120363 120405->120403 120414 fb6802 20 API calls __dosmaperr 120405->120414 120406 fd5300 120415 fb6729 26 API calls std::system_error::system_error 120406->120415 120408 fd530b 120408->120363 120409->120361 120410->120357 120411->120368 120412->120364 120413->120367 120414->120406 120415->120408 120416->120379 120422 fbc586 LeaveCriticalSection 120417->120422 120419 fd0824 120419->120380 120420->120382 120421->120376 120422->120419 120423 fccd20 120428 fcc8aa 120423->120428 120426 fccd48 120433 fcc8d5 120428->120433 120430 fccac8 120447 fb6729 26 API calls std::system_error::system_error 120430->120447 120432 fcca27 120432->120426 120440 fd5596 120432->120440 120433->120433 120436 fcca1e 120433->120436 120443 fd4d7c 74 API calls 2 library calls 120433->120443 120435 fcca68 120435->120436 120444 fd4d7c 74 API calls 2 library calls 120435->120444 120436->120432 120446 fb6802 20 API calls __dosmaperr 120436->120446 120438 fcca87 120438->120436 120445 fd4d7c 74 API calls 2 library calls 120438->120445 120448 fd4e9f 120440->120448 
120442 fd55b1 120442->120426 120443->120435 120444->120438 120445->120436 120446->120430 120447->120432 120451 fd4eab CallCatchBlock 120448->120451 120449 fd4eb9 120466 fb6802 20 API calls __dosmaperr 120449->120466 120451->120449 120453 fd4ef2 120451->120453 120452 fd4ebe 120467 fb6729 26 API calls std::system_error::system_error 120452->120467 120459 fd5545 120453->120459 120458 fd4ec8 __wsopen_s 120458->120442 120469 fd65b1 120459->120469 120462 fd4f16 120468 fd4f3f LeaveCriticalSection __wsopen_s 120462->120468 120463 fd55b6 __wsopen_s 116 API calls 120464 fd5583 120463->120464 120465 fc79ef _free 20 API calls 120464->120465 120465->120462 120466->120452 120467->120458 120468->120458 120470 fd65bd 120469->120470 120471 fd65d4 120469->120471 120493 fb6802 20 API calls __dosmaperr 120470->120493 120473 fd65dc 120471->120473 120474 fd65f3 120471->120474 120495 fb6802 20 API calls __dosmaperr 120473->120495 120497 fc9493 10 API calls 2 library calls 120474->120497 120476 fd65c2 120494 fb6729 26 API calls std::system_error::system_error 120476->120494 120478 fd65fa MultiByteToWideChar 120482 fd6629 120478->120482 120483 fd6619 GetLastError 120478->120483 120480 fd65e1 120496 fb6729 26 API calls std::system_error::system_error 120480->120496 120486 fc7a29 _strftime 21 API calls 120482->120486 120498 fb67cc 20 API calls __dosmaperr 120483->120498 120484 fd555b 120484->120462 120484->120463 120487 fd6631 120486->120487 120488 fd6659 120487->120488 120489 fd6638 MultiByteToWideChar 120487->120489 120490 fc79ef _free 20 API calls 120488->120490 120489->120488 120491 fd664d GetLastError 120489->120491 120490->120484 120499 fb67cc 20 API calls __dosmaperr 120491->120499 120493->120476 120494->120484 120495->120480 120496->120484 120497->120478 120498->120484 120499->120488 120500 6c95fc6a 120505 6c9e6ed2 120500->120505 120503 6c96068b 32 API calls 120504 6c95fc7e 120503->120504 120508 6c9e1042 120505->120508 120507 6c95fc74 120507->120503 120509 6c9e104e __EH_prolog3 
120508->120509 120516 6c9834c0 120509->120516 120511 6c9e1086 120512 6c9e108f GetProfileIntW GetProfileIntW 120511->120512 120513 6c9e10c7 120511->120513 120512->120513 120527 6c983534 LeaveCriticalSection RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase 120513->120527 120515 6c9e10ce Concurrency::details::ExternalContextBase::~ExternalContextBase 120515->120507 120517 6c9834cc 120516->120517 120518 6c98352e 120516->120518 120519 6c9834da 120517->120519 120528 6c983558 InitializeCriticalSection 120517->120528 120529 6c97789a RaiseException CallUnexpected 120518->120529 120522 6c9834ea EnterCriticalSection 120519->120522 120523 6c98351c EnterCriticalSection 120519->120523 120525 6c983501 InitializeCriticalSection 120522->120525 120526 6c983514 LeaveCriticalSection 120522->120526 120523->120511 120525->120526 120526->120523 120527->120515 120528->120519
                              APIs
                              • _strrchr.LIBCMT ref: 00F524CE
                              • _strrchr.LIBCMT ref: 00F524E1
                              • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00F5261A
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 00F5262A
                              • CreateEventW.KERNEL32(0000000C,00000000,00000000,{BD1397DC-D793-4948-B24A-116ED32CB105}), ref: 00F52640
                              • _strrchr.LIBCMT ref: 00F526EC
                              • _strrchr.LIBCMT ref: 00F526FF
                              • GetModuleHandleW.KERNEL32(00000000), ref: 00F5281A
                              • _strrchr.LIBCMT ref: 00F528F9
                              • _strrchr.LIBCMT ref: 00F5290C
                              • _strrchr.LIBCMT ref: 00F52B40
                              • _strrchr.LIBCMT ref: 00F52B53
                              • _strrchr.LIBCMT ref: 00F52CFD
                              • _strrchr.LIBCMT ref: 00F52D10
                              • _strrchr.LIBCMT ref: 00F52EB6
                              • _strrchr.LIBCMT ref: 00F52EC9
                              • _strrchr.LIBCMT ref: 00F53090
                              • _strrchr.LIBCMT ref: 00F530A3
                              • _strrchr.LIBCMT ref: 00F5324E
                              • _strrchr.LIBCMT ref: 00F53261
                              • _strrchr.LIBCMT ref: 00F53412
                              • _strrchr.LIBCMT ref: 00F53425
                              • _strrchr.LIBCMT ref: 00F535DE
                              • _strrchr.LIBCMT ref: 00F535F1
                              • _strrchr.LIBCMT ref: 00F53885
                              • _strrchr.LIBCMT ref: 00F53898
                              • _strrchr.LIBCMT ref: 00F539FF
                              • _strrchr.LIBCMT ref: 00F53A12
                              • PeekMessageW.USER32(00000001,00000000,00000000,00000000,00000001), ref: 00F53AE1
                              • TranslateMessage.USER32(00000001), ref: 00F53AEF
                              • DispatchMessageW.USER32(00000001), ref: 00F53AF9
                              • WaitForSingleObject.KERNEL32(?,00000001,?,00000000,?,?,?,00000064,00000001), ref: 00F53B0B
                              • WaitForSingleObject.KERNEL32(?,00000064,?,00000000,?,?,?,00000064,00000001), ref: 00F53B1D
                              • _strrchr.LIBCMT ref: 00F53BA4
                              • _strrchr.LIBCMT ref: 00F53BBB
                              • _strrchr.LIBCMT ref: 00F53C47
                              • _strrchr.LIBCMT ref: 00F53C5A
                              • _strrchr.LIBCMT ref: 00F53E04
                              • _strrchr.LIBCMT ref: 00F53E17
                                • Part of subcall function 00F8FD30: __Cnd_broadcast.LIBCPMT ref: 00F8FD86
                                • Part of subcall function 00F8FD30: __Mtx_unlock.LIBCPMT ref: 00F8FE35
                              • _strrchr.LIBCMT ref: 00F53F4B
                              • _strrchr.LIBCMT ref: 00F53F5E
                              • _strrchr.LIBCMT ref: 00F54092
                              • _strrchr.LIBCMT ref: 00F540A5
                              • _strrchr.LIBCMT ref: 00F541F9
                              • _strrchr.LIBCMT ref: 00F5420C
                                • Part of subcall function 00F81300: IsWindow.USER32(00000001), ref: 00F81306
                                • Part of subcall function 00F81300: SetWindowLongW.USER32(00000001,000000EB,00000000), ref: 00F81317
                                • Part of subcall function 00F81300: DestroyWindow.USER32(00000001), ref: 00F81320
                              • _strrchr.LIBCMT ref: 00F54340
                              • _strrchr.LIBCMT ref: 00F54353
                              • _strrchr.LIBCMT ref: 00F54487
                              • _strrchr.LIBCMT ref: 00F5449A
                              • curl_global_cleanup.LIBCURL(?,00000000,?,?,?,00000064,00000001), ref: 00F54556
                              • MoveFileExW.KERNEL32(00000000,00000000,00000004,?,00000000,?,?,?,00000064,00000001), ref: 00F54569
                              • _strrchr.LIBCMT ref: 00F545F0
                              • _strrchr.LIBCMT ref: 00F54603
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr$MessageWindow$DescriptorObjectSecuritySingleWait$Cnd_broadcastCreateDaclDestroyDispatchEventFileHandleInitializeLongModuleMoveMtx_unlockPeekTranslatecurl_global_cleanup
                              • String ID: /%s %u$/%s true$CXZShellExecute UnInit$CXZShellExecute init$CXZUpdateModule Stop$CXZUpdateModule UnInit$CXZUpdateModule init$CreateEvent [{}]$InstallListenWnd$InstallSlience$Message Loop$PerformExecute Ok$PerformLoadUpdateInfo Ok$Run$Running m_hWndAsy:{}$SOFTWARE\XZDesktopCalendar$ServiceMgr Run$ServiceMgr Stop$ThreadPoolMgr Run$ThreadPoolMgr stop$Timer init$Timer stop$UnionId$UpdateInfo.bHasNewVersion:{}-UpdateInfo.UpdateType:{}$WaitForSingleObject Event is touch$XZDesktopCalendar$curl init res:{}$d$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$https://update-xztodolist.cqttech.com/api/v1/update/check$stoped${BD1397DC-D793-4948-B24A-116ED32CB105}$}
                              • API String ID: 3533261124-1744484503
                              • Opcode ID: d10993018b152e3223c2940f1f3db1dfccd9def6b4f6d450bcf7b9bf330542e4
                              • Instruction ID: 74b1e56579a65548b9fc78d063129eb9e715ebcc9bfb5f52bf97efddd8761bc6
                              • Opcode Fuzzy Hash: d10993018b152e3223c2940f1f3db1dfccd9def6b4f6d450bcf7b9bf330542e4
                              • Instruction Fuzzy Hash: EE13A134E007489ADF54F7B48C26BAD76666F55304F044098B54AB72C3EFB89F48BB62

                              Control-flow Graph
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,33902926), ref: 00F90470
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F90491
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F90547
                              • CloseHandle.KERNEL32(00000000), ref: 00F90559
                              • GetLastError.KERNEL32 ref: 00F90561
                              • CloseHandle.KERNEL32(00000000), ref: 00F90576
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00F90585
                              • CloseHandle.KERNEL32(?), ref: 00F90593
                              • OpenProcessToken.ADVAPI32(00000000,0000000B,00000000), ref: 00F905CB
                              • DuplicateTokenEx.ADVAPI32(00000000,02000000,?,00000001,00000001,00000000), ref: 00F905F8
                              • CreateProcessWithTokenW.ADVAPI32(00000000,00000001,?,?,04000630,00000000,00000000,00000044,?), ref: 00F9068F
                              • CloseHandle.KERNEL32(?), ref: 00F906A0
                              • CloseHandle.KERNEL32(?), ref: 00F906A9
                                • Part of subcall function 00F61AD0: GetProcessHeap.KERNEL32 ref: 00F61B11
                              • CloseHandle.KERNEL32(00000000), ref: 00F906C2
                              • CloseHandle.KERNEL32(00000000), ref: 00F906D3
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00F9078F
                              • PathRemoveFileSpecW.SHLWAPI(?), ref: 00F9079C
                              • LoadLibraryW.KERNEL32(?), ref: 00F907C2
                                • Part of subcall function 00F61180: FindResourceW.KERNEL32(00000000,?,00000006,?,?,?,?,00F510A4,{B33F2493-A9D4-4D1D-B32A-4CD0BDC5B344},?,00FDBE3E,000000FF), ref: 00F611BA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseHandle$Process$Token$CreateFileOpenProcess32$DuplicateErrorFindFirstHeapLastLibraryLoadModuleNameNextPathRemoveResourceSnapshotSpecToolhelp32With
                              • String ID: D$\CrashCatch.dll$explorer.exe
                              • API String ID: 1976851797-2239689160
                              • Opcode ID: 060e6d6d2cb5e166ed73007f756ba1896bf60c86916ea22c1536ada7a2cdc0a4
                              • Instruction ID: 5e7cf81eaffc4d0c792268218e190061d70d746970bdcc71ec244907c7d78c1a
                              • Opcode Fuzzy Hash: 060e6d6d2cb5e166ed73007f756ba1896bf60c86916ea22c1536ada7a2cdc0a4
                              • Instruction Fuzzy Hash: 45B1AF71E012099FEB10DFA4CC48BAEB7B9EF45324F14826AF815E7291DB749A44DF50
                              APIs
                                • Part of subcall function 00F60760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00F607A8
                                • Part of subcall function 00F60760: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00F607BE
                                • Part of subcall function 00F60760: GetTempPathW.KERNEL32(00000104,?), ref: 00F607D4
                                • Part of subcall function 00F60760: PathAppendW.SHLWAPI(?), ref: 00F607F0
                                • Part of subcall function 00F60760: PathAddBackslashW.SHLWAPI(?), ref: 00F607FD
                                • Part of subcall function 00F60760: PathFileExistsW.SHLWAPI(?), ref: 00F60810
                                • Part of subcall function 00F60760: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00F60820
                                • Part of subcall function 00F60760: PathFileExistsW.SHLWAPI(?), ref: 00F6082D
                              • _strrchr.LIBCMT ref: 00F54C19
                              • _strrchr.LIBCMT ref: 00F54C2C
                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00F54F9D
                              • PathFileExistsW.SHLWAPI(00000003,Name_UpdateForceID_Key,00FEDB92,?,?,00000000,0000FDE9,Name_UpdateForceFile_Key,00FEDB78,?,?,00000000,0000FDE9,Name_UpdateForceLog_Key,00FEDB5F,?), ref: 00F55257
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F553D9
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F554D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Path$ExistsFile$FolderIos_base_dtorSpecial_strrchrstd::ios_base::_$AppendBackslashCreateDirectoryHandleModuleTemp
                              • String ID: Cqttech\XZDesktopCalendar$Name_UpdateForceFile_Key$Name_UpdateForceFromVersion_Key$Name_UpdateForceID_Key$Name_UpdateForceLog_Key$Name_UpdateForceNewVersion_Key$Parse Config fail$PerformLoadUpdateInfo$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp$update.cfg
                              • API String ID: 4104599493-1853103233
                              • Opcode ID: 41161c963ead645452ac0ed2e495d09432a35413733b70703864d1c9c6e55110
                              • Instruction ID: 55dbf46b1618cf7ec432458284f2436753626af2953b17a1071d71f2592032d5
                              • Opcode Fuzzy Hash: 41161c963ead645452ac0ed2e495d09432a35413733b70703864d1c9c6e55110
                              • Instruction Fuzzy Hash: 4E92D030A00248DFDB14DF68CC59BDDBBB1BF45305F1481E8E509AB292DB74AA89DF91
                              APIs
                                • Part of subcall function 00F95630: SetupDiGetClassDevsW.SETUPAPI(00FEF610,00000000,00000000,00000002), ref: 00F956A7
                                • Part of subcall function 00F95630: SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00F956D7
                                • Part of subcall function 00F95630: SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00F9570B
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000020,?,00000024,?,?,?,?,?,33902926), ref: 00F88B61
                              • curl_slist_append.LIBCURL(00000000,-00000010,?,?,?,?,?,33902926), ref: 00F88C84
                              • curl_slist_append.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,?,?,33902926), ref: 00F88CE2
                              • curl_slist_append.LIBCURL(?,?), ref: 00F88D31
                                • Part of subcall function 00F617D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00F617E6
                              • __Mtx_unlock.LIBCPMT ref: 00F88E29
                              • __Mtx_unlock.LIBCPMT ref: 00F88E8A
                              • __Mtx_unlock.LIBCPMT ref: 00F89178
                              • __Mtx_unlock.LIBCPMT ref: 00F88FF1
                                • Part of subcall function 00F99E53: std::_Throw_Cpp_error.LIBCPMT ref: 00F99E7A
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F89868
                              • GetWindowLongW.USER32(?,000000EB), ref: 00F89908
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Setupcurl_slist_append$Device$ByteCharClassCpp_errorDevsEnumException@8InfoInstanceIos_base_dtorLongMultiThrowThrow_WideWindowstd::_std::ios_base::_
                              • String ID: $$%c%c$X$appid: %d$id: %s
                              • API String ID: 2834369693-1652127108
                              • Opcode ID: 41e508fd370c59cb4f1aea14a395bbb6774642522cea567e104b2d103945a036
                              • Instruction ID: 300672a135f431484368c92aef2879bcf33f911875881cb24f502b8b8b9f073b
                              • Opcode Fuzzy Hash: 41e508fd370c59cb4f1aea14a395bbb6774642522cea567e104b2d103945a036
                              • Instruction Fuzzy Hash: 4BA2CE71D00219DFDB10EFA8CC89BEEBBB4EF05314F1481A9E409AB291DB759A44DF91

                              Control-flow Graph
                              APIs
                              • GetLocalTime.KERNEL32(?,33902926,?,00000001), ref: 00F6BEB7
                              • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6BFAF
                              • FindNextFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6BFE0
                              • DeleteFileA.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 00F6C205
                              • FindNextFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6C258
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00F6C314
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00F6C3A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$Find$Mtx_destroy_in_situNext$DeleteFirstLocalTime
                              • String ID: %s\%s$%s_%d-%02d-%02d.log$\*.*
                              • API String ID: 1207274154-693424811
                              • Opcode ID: d543c923401267a6a1f774b78cbf8faa8e6fddb13b0495a9facd63782a8cc450
                              • Instruction ID: 9cb218918722b2b91e10cd9305c9af3812983cc2da6937645ec2a5c8632feff4
                              • Opcode Fuzzy Hash: d543c923401267a6a1f774b78cbf8faa8e6fddb13b0495a9facd63782a8cc450
                              • Instruction Fuzzy Hash: 97E15971A002589BDB24CF64CC95BEEB779AF05314F0441E9E98AD7282D735EB88DF90

                              Control-flow Graph (rendered graph not reproduced; see the APIs list below)
                              APIs
                              • _free.LIBCMT ref: 00FCC481
                              • _free.LIBCMT ref: 00FCC4A5
                              • _free.LIBCMT ref: 00FCC62C
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FE5EB4), ref: 00FCC63E
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00FCC6B6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00FCC6E3
                              • _free.LIBCMT ref: 00FCC7F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 314583886-239921721
                              • Opcode ID: f3064419a8a2068fad8beaf97cae78aa549f369f4e1b94719618e27067267ad1
                              • Instruction ID: 144d5c8cfbb4ed4cf2057d85948bdef9321ce4b1abce35bad374a9a4cd1729b8
                              • Opcode Fuzzy Hash: f3064419a8a2068fad8beaf97cae78aa549f369f4e1b94719618e27067267ad1
                              • Instruction Fuzzy Hash: 2BC12672D002079BCB21DF788E43FAA7BA9EF42320F18459EE589D7241E7359D41EB90
                              APIs
                              • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,#{ad498944-762f-11d0-8dcb-00c04fc3358c},?,?,00000000,00000000), ref: 00F96617
                              • DeviceIoControl.KERNEL32(00000000,00170002,?,00000004,?,00000008,?,00000000), ref: 00F96660
                              • DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,?,00000008,00000000,00000000), ref: 00F966BB
                              • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 00F96706
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ControlDevice$CloseCreateFileHandle
                              • String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$\\.\
                              • API String ID: 1375849437-832775485
                              • Opcode ID: 7d0c51cabe95894b98838e63c81e6676976688c9babb25c1fec2dc351fbf15a3
                              • Instruction ID: 5e55a68618ec29e399c54522abbf6bfd080ffd9efde30c70585c09c41b2d263a
                              • Opcode Fuzzy Hash: 7d0c51cabe95894b98838e63c81e6676976688c9babb25c1fec2dc351fbf15a3
                              • Instruction Fuzzy Hash: 1751E971E4021C9BEF20DB14CC45BEA73B8EF54710F4541AAE949E7190EB749F498FA1
                              APIs
                              • CryptAcquireContextW.ADVAPI32 ref: 6C94028A
                              • CryptCreateHash.ADVAPI32 ref: 6C940328
                                • Part of subcall function 6CAA2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C936633,?,?,?,6C9364E8,?), ref: 6CAA2362
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$AcquireContextCreateExceptionHashRaise
                              • String ID:
                              • API String ID: 333276693-0
                              • Opcode ID: 5c16d5c36ab1e2383ad366368302ffc63ade7381087261a915554f69014b35c6
                              • Instruction ID: f0391ca481bdbc301118ca2862062712f62ca1f956afe257f8f77e598cc869ba
                              • Opcode Fuzzy Hash: 5c16d5c36ab1e2383ad366368302ffc63ade7381087261a915554f69014b35c6
                              • Instruction Fuzzy Hash: 0432FBB4A00358CFCB15EF68D9557DDBBB4AF69304F0185A9D809AB750DB30EA48CF92
                              APIs
                                • Part of subcall function 6C93FF50: CryptStringToBinaryA.CRYPT32 ref: 6C93FFD0
                                • Part of subcall function 6C93FF50: CryptStringToBinaryA.CRYPT32 ref: 6C940077
                              • CryptAcquireContextW.ADVAPI32 ref: 6C941589
                              • CryptImportKey.ADVAPI32 ref: 6C941657
                              • CryptSetKeyParam.ADVAPI32 ref: 6C9416E2
                              • CryptSetKeyParam.ADVAPI32 ref: 6C941789
                                • Part of subcall function 6CAA2301: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,?,?,?,6C936633,?,?,?,6C9364E8,?), ref: 6CAA2362
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$BinaryParamString$AcquireContextExceptionImportRaise
                              • String ID:
                              • API String ID: 2873263705-0
                              • Opcode ID: 2dd262f28fac99de6606439f28698c3d9afe6d555ee9b67fdc4ae9dbc1b663ec
                              • Instruction ID: b00ba3b12e2c34311c0503911f63e7a784d6875ef7b21c4f7477260c062882f2
                              • Opcode Fuzzy Hash: 2dd262f28fac99de6606439f28698c3d9afe6d555ee9b67fdc4ae9dbc1b663ec
                              • Instruction Fuzzy Hash: 0B1237B0A043588FDB14EF68D9557DDBBB0BF59304F0085A9D849AB750DB34EA88CF92

                              Control-flow Graph (rendered graph not reproduced; see the APIs list below)
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C97E4DB
                              • GetSysColor.USER32(00000016), ref: 6C97E4E4
                              • GetSysColor.USER32(0000000F), ref: 6C97E4F7
                              • GetSysColor.USER32(00000015), ref: 6C97E50E
                              • GetSysColor.USER32(0000000F), ref: 6C97E51A
                              • GetDeviceCaps.GDI32(?,0000000C), ref: 6C97E542
                              • GetSysColor.USER32(0000000F), ref: 6C97E550
                              • GetSysColor.USER32(00000010), ref: 6C97E55E
                              • GetSysColor.USER32(00000015), ref: 6C97E56C
                              • GetSysColor.USER32(00000016), ref: 6C97E57A
                              • GetSysColor.USER32(00000014), ref: 6C97E588
                              • GetSysColor.USER32(00000012), ref: 6C97E596
                              • GetSysColor.USER32(00000011), ref: 6C97E5A4
                              • GetSysColor.USER32(00000006), ref: 6C97E5AF
                              • GetSysColor.USER32(0000000D), ref: 6C97E5BA
                              • GetSysColor.USER32(0000000E), ref: 6C97E5C5
                              • GetSysColor.USER32(00000005), ref: 6C97E5D0
                              • GetSysColor.USER32(00000008), ref: 6C97E5DE
                              • GetSysColor.USER32(00000009), ref: 6C97E5E9
                              • GetSysColor.USER32(00000007), ref: 6C97E5F4
                              • GetSysColor.USER32(00000002), ref: 6C97E5FF
                              • GetSysColor.USER32(00000003), ref: 6C97E60A
                              • GetSysColor.USER32(0000001B), ref: 6C97E618
                              • GetSysColor.USER32(0000001C), ref: 6C97E626
                              • GetSysColor.USER32(0000000A), ref: 6C97E634
                              • GetSysColor.USER32(0000000B), ref: 6C97E642
                              • GetSysColor.USER32(00000013), ref: 6C97E650
                              • GetSysColor.USER32(0000001A), ref: 6C97E679
                              • GetSysColorBrush.USER32(00000010), ref: 6C97E68A
                              • GetSysColorBrush.USER32(00000014), ref: 6C97E69D
                              • GetSysColorBrush.USER32(00000005), ref: 6C97E6B0
                              • CreateSolidBrush.GDI32(?), ref: 6C97E6D1
                              • CreateSolidBrush.GDI32(?), ref: 6C97E6EF
                              • CreateSolidBrush.GDI32(?), ref: 6C97E70D
                              • CreateSolidBrush.GDI32(?), ref: 6C97E72E
                              • CreateSolidBrush.GDI32(?), ref: 6C97E74C
                              • CreateSolidBrush.GDI32(?), ref: 6C97E76A
                              • CreateSolidBrush.GDI32(?), ref: 6C97E788
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C97E7AE
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C97E7D2
                              • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C97E7F6
                              • CreateSolidBrush.GDI32(?), ref: 6C97E874
                              • CreatePatternBrush.GDI32(00000000), ref: 6C97E8B2
                                • Part of subcall function 6C9632BA: DeleteObject.GDI32(00000000), ref: 6C9632C9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                              • String ID: k-IN
                              • API String ID: 3754413814-1294590582
                              • Opcode ID: a45b0beb989fa19297521351a587d247417e1328aa1e766b7cb49ef7ce352e7c
                              • Instruction ID: 1ffb2f2e4e1ea0a70526901757ec03b55e60ca52e576defe4a0ada2dd6dd56ae
                              • Opcode Fuzzy Hash: a45b0beb989fa19297521351a587d247417e1328aa1e766b7cb49ef7ce352e7c
                              • Instruction Fuzzy Hash: 76C17D71B00642AFDB05AFB588097ADBFB5BF1A705F004129E616D7E80DF74E9289BD0

                              Control-flow Graph (rendered graph not reproduced; see the APIs list below)
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C97E8FC
                                • Part of subcall function 6C963F98: __EH_prolog3.LIBCMT ref: 6C963F9F
                                • Part of subcall function 6C963F98: GetWindowDC.USER32(00000000,00000004,6C97E53A,00000000), ref: 6C963FCB
                              • GetDeviceCaps.GDI32(?,00000058), ref: 6C97E91C
                              • DeleteObject.GDI32(00000000), ref: 6C97E978
                              • DeleteObject.GDI32(00000000), ref: 6C97E996
                              • DeleteObject.GDI32(00000000), ref: 6C97E9B4
                              • DeleteObject.GDI32(00000000), ref: 6C97E9D2
                              • DeleteObject.GDI32(00000000), ref: 6C97E9F0
                              • DeleteObject.GDI32(00000000), ref: 6C97EA0E
                              • DeleteObject.GDI32(00000000), ref: 6C97EA2C
                              • DeleteObject.GDI32(00000000), ref: 6C97EA4A
                              • DeleteObject.GDI32(00000000), ref: 6C97EA68
                              • DeleteObject.GDI32(00000000), ref: 6C97EA86
                              • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C97EABE
                              • lstrcpyW.KERNEL32(?,?), ref: 6C97EB13
                              • EnumFontFamiliesW.GDI32(?,00000000,6C97F59F,Segoe UI), ref: 6C97EB3A
                              • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C97EB4D
                              • EnumFontFamiliesW.GDI32(?,00000000,6C97F59F,Tahoma), ref: 6C97EB6B
                              • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C97EB85
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EB8F
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EBD7
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EC16
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EC42
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EC63
                              • GetSystemMetrics.USER32(00000048), ref: 6C97EC82
                              • lstrcpyW.KERNEL32(?,Marlett), ref: 6C97EC95
                              • CreateFontIndirectW.GDI32(?), ref: 6C97EC9F
                              • GetStockObject.GDI32(00000011), ref: 6C97ECCB
                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C97ECE6
                              • lstrcpyW.KERNEL32(?,Arial), ref: 6C97ED27
                              • CreateFontIndirectW.GDI32(?), ref: 6C97ED31
                              • CreateFontIndirectW.GDI32(?), ref: 6C97ED4A
                              • GetObjectW.GDI32(?,0000005C,?), ref: 6C97ED68
                              • CreateFontIndirectW.GDI32(?), ref: 6C97ED76
                              • CreateFontIndirectW.GDI32(?), ref: 6C97ED97
                                • Part of subcall function 6C97F3E4: __EH_prolog3_GS.LIBCMT ref: 6C97F3EB
                                • Part of subcall function 6C97F3E4: GetTextMetricsW.GDI32(?,?), ref: 6C97F420
                                • Part of subcall function 6C97F3E4: GetTextMetricsW.GDI32(?,?), ref: 6C97F460
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                              • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
                              • API String ID: 2837096512-1395034203
                              • Opcode ID: 3cc391624bdff114d317195ab87fd5b718c0485c04c7ba86afe48480bb734317
                              • Instruction ID: 9f209fc4bd65ec4c2c8b479dc44ccecdacdcc775bfe73988daafe33b567f9425
                              • Opcode Fuzzy Hash: 3cc391624bdff114d317195ab87fd5b718c0485c04c7ba86afe48480bb734317
                              • Instruction Fuzzy Hash: 82E16B71A013499FDF21DBB1C849BDEBBBCBF16308F108569A05AA7A80DB74D548CF60
                              APIs
                              • _strrchr.LIBCMT ref: 00F92FBA
                              • _strrchr.LIBCMT ref: 00F92FCD
                              • curl_easy_cleanup.LIBCURL(00000000,33902926,00000000,?), ref: 00F932C4
                              • _strrchr.LIBCMT ref: 00F93405
                              • _strrchr.LIBCMT ref: 00F93418
                              • _strrchr.LIBCMT ref: 00F938AE
                              • _strrchr.LIBCMT ref: 00F938C1
                              • curl_easy_cleanup.LIBCURL(?), ref: 00F93B90
                              • curl_easy_init.LIBCURL(33902926,00000000,?), ref: 00F93D1A
                              • curl_easy_init.LIBCURL(33902926,00000000,?), ref: 00F93350
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000029,00000001,00000000,?), ref: 00F94A0E
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000040,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A1E
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000051,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A25
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,000000D5,00000001,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A32
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,000000D6,00000078,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A3C
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,000000D7,0000003C,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A46
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000063,00000001,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A4D
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,0000000D,00000708,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A57
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,0000004E,0000003C,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A5E
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00F94A6E
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,0000002B,00000000), ref: 00F94A75
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000034,00000001), ref: 00F94A7C
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00002749), ref: 00F94A85
                                • Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00004E58,00F95270), ref: 00F94A92
                              • curl_easy_setopt.LIBCURL(?,00002712,00000000,?,00000000,?,?), ref: 00F937B8
                              • curl_easy_setopt.LIBCURL(?,00004E2B,00F94E10), ref: 00F937C9
                              • curl_easy_setopt.LIBCURL(?,00002711), ref: 00F937D6
                              • curl_easy_setopt.LIBCURL(?,00002727,?), ref: 00F937EA
                              • curl_easy_perform.LIBCURL ref: 00F937F1
                              • _strrchr.LIBCMT ref: 00F93DD2
                              • _strrchr.LIBCMT ref: 00F93DE5
                              • curl_easy_setopt.LIBCURL(?,00002712,00000000,00000000,?,?), ref: 00F94172
                              • curl_easy_setopt.LIBCURL(?,00004E2B,00F94E10,?,00002712,00000000,00000000,?,?), ref: 00F94180
                              • curl_easy_setopt.LIBCURL(?,00002711,?,?,00004E2B,00F94E10,?,00002712,00000000,00000000,?,?), ref: 00F9418A
                              • curl_easy_setopt.LIBCURL(?,00002727,?), ref: 00F9419E
                              • curl_easy_perform.LIBCURL ref: 00F941A5
                              • _strrchr.LIBCMT ref: 00F9425E
                              • _strrchr.LIBCMT ref: 00F94271
                              • curl_easy_cleanup.LIBCURL(?), ref: 00F94537
                              • _strrchr.LIBCMT ref: 00F9467E
                              • _strrchr.LIBCMT ref: 00F94691
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: curl_easy_setopt$_strrchr$curl_easy_cleanup$curl_easy_initcurl_easy_perform
                              • String ID: DownLoadFinish:{}, Size:{}$Download$Get$UnInit$curl init failed$curl_easy_perform failed,{}$g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp
                              • API String ID: 533436632-4114691947
                              • Opcode ID: ef97e94b28ff7138de9bfcaf7d251850be3b0f3b4ecbb3c50134ad5911acb607
                              • Instruction ID: d3afcfa1b1ecb9c479a6fc24087bd21ef7bc3a8dea8a6dfb4c8d5a996dfac97b
                              • Opcode Fuzzy Hash: ef97e94b28ff7138de9bfcaf7d251850be3b0f3b4ecbb3c50134ad5911acb607
                              • Instruction Fuzzy Hash: B413E530A002489FEF14DFA8CC85B9EBBB2BF45304F148158E415AB392DB75EE45EB91
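The curl_easy_setopt entries above record libcurl option numbers in hex rather than by name, which hides the one setting a responder most wants to know. The Python script below is an added example for this report, not code from the analysed sample or from Joe Sandbox: it parses trace lines in the format used above (the embedded lines are copied from that list), maps the numbers to the public CURLOPT_* constants from curl/curl.h (long options 0-999, object pointers 10000+, function pointers 20000+), and flags CURLOPT_SSL_VERIFYPEER (0x40) and CURLOPT_SSL_VERIFYHOST (0x51), which the sample sets to 0 so its downloader accepts any TLS certificate. The option table is a subset covering this report, and the regex and field handling are this example's own assumptions about the trace format.

```python
"""Decode libcurl option numbers from Joe Sandbox-style curl_easy_setopt trace lines.

Added example; not part of the report or of the analysed sample. Option numbers
come from libcurl's public curl/curl.h numbering.
"""
import re

# Subset of CURLOPT_* numbering (curl/curl.h): numeric value -> symbolic name.
CURLOPT = {
    13: "CURLOPT_TIMEOUT",
    41: "CURLOPT_VERBOSE",
    43: "CURLOPT_NOPROGRESS",
    52: "CURLOPT_FOLLOWLOCATION",
    64: "CURLOPT_SSL_VERIFYPEER",
    78: "CURLOPT_CONNECTTIMEOUT",
    81: "CURLOPT_SSL_VERIFYHOST",
    99: "CURLOPT_NOSIGNAL",
    213: "CURLOPT_TCP_KEEPALIVE",
    214: "CURLOPT_TCP_KEEPIDLE",
    215: "CURLOPT_TCP_KEEPINTVL",
    10001: "CURLOPT_WRITEDATA",
    10002: "CURLOPT_URL",
    10018: "CURLOPT_USERAGENT",
    10023: "CURLOPT_HTTPHEADER",
    10057: "CURLOPT_XFERINFODATA",   # older name: CURLOPT_PROGRESSDATA
    20011: "CURLOPT_WRITEFUNCTION",
    20056: "CURLOPT_PROGRESSFUNCTION",
}

# (option, value) pairs that disable TLS validation.
WEAK = {
    ("CURLOPT_SSL_VERIFYPEER", 0): "peer certificate chain is not verified",
    ("CURLOPT_SSL_VERIFYHOST", 0): "certificate hostname is not checked",
}

LINE_RE = re.compile(r"curl_easy_setopt\.LIBCURL\((.*)\), ref: ([0-9A-F]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")


def parse_setopt(line):
    """Return {'ref', 'opt', 'name', 'value'} for one trace line, or None if it is not a setopt."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m.group(1).split(",")          # arg 0 = CURL* handle, arg 1 = option, arg 2 = value
    args = [a.strip() for a in raw]
    if len(args) < 2 or not HEX_RE.fullmatch(args[1]):
        return None
    opt = int(args[1], 16)
    name = CURLOPT.get(opt, f"CURLOPT_#{opt}")
    if len(args) < 3:
        value = None                     # Joe Sandbox logged no value for this call
    elif opt < 10000:                    # CURLOPTTYPE_LONG: the value itself is on the stack
        value = int(args[2], 16) if HEX_RE.fullmatch(args[2]) else args[2]
    elif HEX_RE.fullmatch(args[2]) or args[2] == "?":
        value = args[2]                  # pointer the sandbox did not dereference
    else:
        value = ",".join(raw[2:]).strip()  # dereferenced string; rejoin commas the split removed
    return {"ref": m.group(2), "opt": opt, "name": name, "value": value}


def audit(lines):
    """Decode every setopt line and list the ones that weaken transport security."""
    calls = [c for c in map(parse_setopt, lines) if c]
    findings = [f'{c["ref"]}: {c["name"]}={c["value"]} ({WEAK[(c["name"], c["value"])]})'
                for c in calls if (c["name"], c["value"]) in WEAK]
    return calls, findings


# Trace lines copied from the report's API list for this function.
TRACE = [
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000029,00000001,00000000,?), ref: 00F94A0E",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000040,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A1E",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000051,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A25",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,000000D5,00000001,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A32",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,0000000D,00000708,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A57",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,0000004E,0000003C,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A5E",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00F94A6E",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00000034,00000001), ref: 00F94A7C",
    r"• Part of subcall function 00F949F0: curl_easy_setopt.LIBCURL(00FEE204,00004E58,00F95270), ref: 00F94A92",
    r"• curl_easy_setopt.LIBCURL(?,00002712,00000000,?,00000000,?,?), ref: 00F937B8",
    r"• curl_easy_perform.LIBCURL ref: 00F937F1",
]

if __name__ == "__main__":
    decoded, weak = audit(TRACE)
    for c in decoded:
        print(f'{c["ref"]}  {c["name"]:<26} {c["value"]}')
    print("\n".join(weak))
```

Read together, the decoded calls describe the downloader's transport as configured at 00F949F0: verbose logging on, TLS peer and hostname verification off, TCP keepalive with a 120 s idle and 60 s interval, a 1800 s total timeout and a 60 s connect timeout, redirects followed, a fixed Chrome 58 User-Agent, and a progress callback at 00F95270; the caller then supplies CURLOPT_URL, a write callback at 00F94E10, CURLOPT_WRITEDATA and CURLOPT_HTTPHEADER before curl_easy_perform. The User-Agent copies a real browser string, so on its own it is a weak network indicator; the disabled certificate checks are the more useful observation, since they mean the C2 or update host can present any certificate, including one from an interception proxy.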

                              Control-flow Graph
                              (rendered graph not preserved; entry block f97700; API nodes: GetProcAddress, GetCurrentProcess, LoadLibraryA, GetProcAddress x4, GetSystemFirmwareTable x2)
                              APIs
                                • Part of subcall function 00F97280: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?), ref: 00F972B7
                                • Part of subcall function 00F97280: GetProcAddress.KERNEL32(00000000), ref: 00F972BE
                                • Part of subcall function 00F97280: GetCurrentProcess.KERNEL32(00F9771E), ref: 00F972CE
                                • Part of subcall function 00F97280: LoadLibraryW.KERNEL32(ntdll.dll,?), ref: 00F97304
                                • Part of subcall function 00F97280: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00F9731A
                                • Part of subcall function 00F97280: FreeLibrary.KERNEL32(00000000), ref: 00F97338
                              • GetProcAddress.KERNEL32(00000000), ref: 00F97740
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F96B13,00000003), ref: 00F9774D
                              • LoadLibraryA.KERNEL32(?,?,ntdll.dll), ref: 00F977D2
                              • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 00F977E8
                              • GetProcAddress.KERNEL32(00000000,ZwMapViewOfSection), ref: 00F977F4
                              • GetProcAddress.KERNEL32(00000000,ZwUnmapViewOfSection), ref: 00F97800
                              • GetProcAddress.KERNEL32(00000000,ZwClose), ref: 00F9780C
                              • GetProcAddress.KERNEL32(00000000), ref: 00F978E9
                              • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00F97953
                              • GetSystemFirmwareTable.KERNEL32(52534D42,00000000,00000000,00000000), ref: 00F9796F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressProc$Library$CurrentFirmwareLoadProcessSystemTable$FreeHandleModule
                              • String ID: ,$@$GetSystemFirmwareTable$IsWow64Process$ZwClose$ZwMapViewOfSection$ZwOpenSection$ZwUnmapViewOfSection$kernel32$kernel32.dll$ntdll.dll
                              • API String ID: 461479394-3246421382
                              • Opcode ID: 92cee3f66d7e999955e9db41c35b9038acd4aa8f4578ae2dfad0960fd3388b85
                              • Instruction ID: d7b14f3e4036e8f6c1da4f77487e4a2ef64341de1d43c42c9d27308154b38fa3
                              • Opcode Fuzzy Hash: 92cee3f66d7e999955e9db41c35b9038acd4aa8f4578ae2dfad0960fd3388b85
                              • Instruction Fuzzy Hash: 5481C271608305AFEB10EF648C45B6FBBE8EF84314F04492DF68997291DB75D908EB92
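The two GetSystemFirmwareTable calls above pass the provider signature 52534D42 ('RSMB'), which returns the raw SMBIOS table; the first call with a NULL buffer learns the size, the second fills it. This is the basis of the "Query firmware table information (likely to detect VMs)" signature: BIOS vendor and system manufacturer strings in that table name the hypervisor on most virtual machines. The Python script below is an added example for this report, not code from the analysed sample or from Joe Sandbox. It parses the RawSMBIOSData blob (documented header: Used20CallingMethod, SMBIOSMajorVersion, SMBIOSMinorVersion, DmiRevision, Length, then the table) and the SMBIOS structure format (4-byte header, formatted area, NUL-terminated string set ended by a double NUL), and checks the Type 0 and Type 1 strings against a marker list. The two table blobs are constructed for the example, the marker list is an assumption, and read_rsmb_windows is only callable on Windows.

```python
"""Parse the RawSMBIOSData blob that GetSystemFirmwareTable('RSMB') returns and
look for hypervisor strings. Added example; not code from the sample or Joe Sandbox."""

# Assumption for this example: substrings that commonly identify hypervisors in
# BIOS/System strings. A production check would use a longer, maintained list.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
              "virtual machine", "parallels", "bochs")


def _struct(stype, formatted, strings):
    """One SMBIOS structure: header(type, length, handle) + formatted area + string set."""
    header = bytes([stype, 4 + len(formatted)]) + (0).to_bytes(2, "little")
    string_set = b"".join(s.encode("ascii") + b"\0" for s in strings) + b"\0"
    if not strings:
        string_set = b"\0\0"             # no strings: just the double-NUL terminator
    return header + formatted + string_set


def build_raw_smbios(structs, major=3, minor=2):
    """Wrap structures in a RawSMBIOSData header as GetSystemFirmwareTable returns it."""
    table = b"".join(_struct(*s) for s in structs)
    return bytes([0, major, minor, 0]) + len(table).to_bytes(4, "little") + table


def parse_raw_smbios(buf):
    """Return ((major, minor), [(type, handle, formatted_bytes, [strings]), ...])."""
    if len(buf) < 8:
        raise ValueError("short RawSMBIOSData header")
    length = int.from_bytes(buf[4:8], "little")
    table = buf[8:8 + length]
    if len(table) != length:
        raise ValueError("Length field runs past the buffer")
    structs, off = [], 0
    while off + 4 <= len(table):
        stype, slen = table[off], table[off + 1]
        handle = int.from_bytes(table[off + 2:off + 4], "little")
        if slen < 4 or off + slen > len(table):
            raise ValueError(f"bad structure length at offset {off}")
        end = table.find(b"\0\0", off + slen)          # string-set terminator
        if end == -1:
            raise ValueError(f"unterminated string set at offset {off}")
        raw = table[off + slen:end]
        strings = [s.decode("ascii", "replace") for s in raw.split(b"\0")] if raw else []
        structs.append((stype, handle, table[off:off + slen], strings))
        off = end + 2
        if stype == 127:                                # End-of-Table structure
            break
    return (buf[1], buf[2]), structs


def _s(strings, idx):
    """SMBIOS string indices are 1-based; 0 means 'no string'."""
    return strings[idx - 1] if 1 <= idx <= len(strings) else ""


def vm_indicators(buf):
    """Return [(field, value)] for BIOS/System strings that look hypervisor-specific."""
    _, structs = parse_raw_smbios(buf)
    hits = []
    for stype, _, fmt, strings in structs:
        if stype == 0 and len(fmt) >= 6:        # Type 0: BIOS Information (vendor, version)
            fields = {"bios_vendor": _s(strings, fmt[4]), "bios_version": _s(strings, fmt[5])}
        elif stype == 1 and len(fmt) >= 8:      # Type 1: System Information (manufacturer, product)
            fields = {"sys_manufacturer": _s(strings, fmt[4]), "sys_product": _s(strings, fmt[5])}
        else:
            continue
        hits.extend((k, v) for k, v in fields.items() if any(m in v.lower() for m in VM_MARKERS))
    return hits


def read_rsmb_windows():
    """Windows only: fetch the live table the way the sample does, provider 'RSMB'
    (0x52534D42), NULL buffer first to get the size, then a second call to fill it."""
    import ctypes
    k32 = ctypes.windll.kernel32
    size = k32.GetSystemFirmwareTable(0x52534D42, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(0x52534D42, 0, buf, size)
    return buf.raw


# Constructed sample tables (not dumped from any real machine).
_TYPE0 = bytes([1, 2]) + (0xE800).to_bytes(2, "little") + bytes([3, 0]) + bytes(14)
_TYPE1 = bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0])
VM_SAMPLE = build_raw_smbios([
    (0, _TYPE0, ["Phoenix Technologies LTD", "6.00", "11/12/2020"]),
    (1, _TYPE1, ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-42 1a 00 00"]),
    (127, b"", []),
])
PHYSICAL_SAMPLE = build_raw_smbios([
    (0, _TYPE0, ["LENOVO", "EXAMPLE BIOS 1.32", "04/01/2022"]),
    (1, _TYPE1, ["LENOVO", "ThinkPad", "Example", "PF0EXAMPLE"]),
    (127, b"", []),
])

if __name__ == "__main__":
    for name, blob in (("vm", VM_SAMPLE), ("physical", PHYSICAL_SAMPLE)):
        print(name, vm_indicators(blob))
```

For analysis work the same parser applies to a RawSMBIOSData buffer carved from a memory dump of the process, and for sandbox hardening it shows which fields an evasive sample reads: the strings of Type 0 and Type 1 are the usual targets, so a VM that exposes "VMware, Inc." or "innotek GmbH" there will be identified before any network activity.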

                              Control-flow Graph
                              (rendered graph not preserved; entry block fd55b6; API nodes: GetFileType, GetLastError, CloseHandle, with CreateFileW in subcall fd5284)
                              APIs
                                • Part of subcall function 00FD5284: CreateFileW.KERNEL32(00000000,00000000,?,00FD565F,?,?,00000000,?,00FD565F,00000000,0000000C), ref: 00FD52A1
                              • GetLastError.KERNEL32 ref: 00FD56CA
                              • __dosmaperr.LIBCMT ref: 00FD56D1
                              • GetFileType.KERNEL32(00000000), ref: 00FD56DD
                              • GetLastError.KERNEL32 ref: 00FD56E7
                              • __dosmaperr.LIBCMT ref: 00FD56F0
                              • CloseHandle.KERNEL32(00000000), ref: 00FD5710
                              • CloseHandle.KERNEL32(?), ref: 00FD585A
                              • GetLastError.KERNEL32 ref: 00FD588C
                              • __dosmaperr.LIBCMT ref: 00FD5893
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: d2e769ff0f86f23413214733b4df1eee284e55fc17373fd61550127b630873f1
                              • Instruction ID: be9666a6d865d9fd1f91d6620989af88bb4241fd051e8432d478150c1424d05f
                              • Opcode Fuzzy Hash: d2e769ff0f86f23413214733b4df1eee284e55fc17373fd61550127b630873f1
                              • Instruction Fuzzy Hash: CFA14732A005488FDF19DF78DC557AD3BA2AF06324F28015AE816DF391DB398916EB51

                              Control-flow Graph
                              (rendered graph not preserved; entry block f852d0; API nodes: IsWindow, SetWindowLongW, lstrcpynW, PathAddBackslashW, GetModuleHandleW, RegisterClassW, CreateWindowExW)
                              APIs
                              • IsWindow.USER32(?), ref: 00F8531D
                              • SetWindowLongW.USER32(?,000000EB,?), ref: 00F85330
                                • Part of subcall function 00F92AD0: _strrchr.LIBCMT ref: 00F92BAD
                                • Part of subcall function 00F92AD0: _strrchr.LIBCMT ref: 00F92BC0
                              • lstrcpynW.KERNEL32(?,00000003,00000103), ref: 00F85360
                              • PathAddBackslashW.SHLWAPI(?), ref: 00F8536D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window_strrchr$BackslashLongPathlstrcpyn
                              • String ID: CXZUpdateModule
                              • API String ID: 1126664090-2850203272
                              • Opcode ID: bc7294127901ad60d8d98f3742fbac20e57534a180519d592f348f523d0d0fd5
                              • Instruction ID: 016066ac785d4dab66d59d6faed5b69e56cf224029ec1702ed0665d89efb4b0f
                              • Opcode Fuzzy Hash: bc7294127901ad60d8d98f3742fbac20e57534a180519d592f348f523d0d0fd5
                              • Instruction Fuzzy Hash: 1AF1BF30905609DFDB24DF28CC98B9AB7B1FF45314F2482D9E40A9B2A1DB35AE84DF50

                              Control-flow Graph
                              (rendered graph not preserved; entry block 6c9853fd; API nodes: EnterCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock, LeaveCriticalSection)
                              APIs
                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C931B28,?,6C974930,6C931B28,6C9694A5,6C931B28,6C973DF0), ref: 6C98540E
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,6C931B28,?,6C974930,6C931B28,6C9694A5,6C931B28,6C973DF0), ref: 6C985480
                              • GlobalHandle.KERNEL32(?), ref: 6C98548A
                              • GlobalUnlock.KERNEL32(00000000), ref: 6C98549C
                              • GlobalReAlloc.KERNEL32(?,00000000), ref: 6C9854B7
                              • GlobalLock.KERNEL32(00000000), ref: 6C9854C2
                              • LeaveCriticalSection.KERNEL32(?), ref: 6C98550F
                              • GlobalHandle.KERNEL32(?), ref: 6C985523
                              • GlobalLock.KERNEL32(00000000), ref: 6C98552E
                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,6C931B28,?,6C974930,6C931B28,6C9694A5,6C931B28,6C973DF0,195F0026), ref: 6C98553D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                              • String ID:
                              • API String ID: 2667261700-0
                              • Opcode ID: bf86e07e044b3deebf31782fe61a59c9289cf807d4fce0aed3623c818be17911
                              • Instruction ID: 482c860253c938e9cc6ceeef9ef88a8fa0990e0e982d773b1817b357f944f8fb
                              • Opcode Fuzzy Hash: bf86e07e044b3deebf31782fe61a59c9289cf807d4fce0aed3623c818be17911
                              • Instruction Fuzzy Hash: 6F41F471602205EFEB15DFA8C889B99BBF8FF11345F108569E816D7E80DB30E958CB90

                              Control-flow Graph
                              (rendered graph not preserved; entry block f95630; API nodes: SetupDiGetClassDevsW, SetupDiEnumDeviceInfo, SetupDiGetDeviceInstanceIdW, SetupDiDestroyDeviceInfoList)
                              APIs
                              • SetupDiGetClassDevsW.SETUPAPI(00FEF610,00000000,00000000,00000002), ref: 00F956A7
                              • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 00F956D7
                              • SetupDiGetDeviceInstanceIdW.SETUPAPI(?,0000001C,?,00000100,00000000), ref: 00F9570B
                              • SetupDiEnumDeviceInfo.SETUPAPI(?,00000001,0000001C), ref: 00F957F9
                              • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 00F9580D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Setup$Device$Info$Enum$ClassDestroyDevsInstanceList
                              • String ID: "$PCI${1A3E09BE-1E45-494B-9174-D7385B45BBF5}
                              • API String ID: 2459852064-1041598021
                              • Opcode ID: 6beb85a5739ef405c1d7118456247cfdbc7562c326248ad4a74bdd6c9935dc80
                              • Instruction ID: 00942ac08a1273045649a492cf7580290c22c898e84c0c4271bf429a25acdf70
                              • Opcode Fuzzy Hash: 6beb85a5739ef405c1d7118456247cfdbc7562c326248ad4a74bdd6c9935dc80
                              • Instruction Fuzzy Hash: 0C72E0B09006188BEF25CF24CC94BEEBBB5AF41308F5482D9D549A7282DB795BC8DF54

                              APIs
                                • Part of subcall function 6CAC9223: CreateFileW.KERNEL32(6C94A8D0,00000000,?,6CAC8EC7,?,?,00000000,?,6CAC8EC7,6C94A8D0,0000000C), ref: 6CAC9240
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAC8F32
                              • __dosmaperr.LIBCMT ref: 6CAC8F39
                              • GetFileType.KERNEL32(00000000), ref: 6CAC8F45
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CAC8F4F
                              • __dosmaperr.LIBCMT ref: 6CAC8F58
                              • CloseHandle.KERNEL32(00000000), ref: 6CAC8F78
                              • CloseHandle.KERNEL32(6CABFF1C), ref: 6CAC90C5
                              • GetLastError.KERNEL32 ref: 6CAC90F7
                              • __dosmaperr.LIBCMT ref: 6CAC90FE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID:
                              • API String ID: 4237864984-0
                              • Opcode ID: 021592c344c48d17ecbae610664a4505ae9938e0608eca453f0f3facabfbdcbd
                              • Instruction ID: 78d69aa6781551f45b6cc94c9a110a0206c7ddccba9b8ce4bc69c0fbe0300264
                              • Opcode Fuzzy Hash: 021592c344c48d17ecbae610664a4505ae9938e0608eca453f0f3facabfbdcbd
                              • Instruction Fuzzy Hash: 29A12732B041549FCF199F78C9517ED3BB1AB07328F18025AE811AF791DB35C89ACB52

                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InitializeUninitialize$Cnd_do_broadcast_at_thread_exitCnd_signalCountMtx_unlockSleepTick
                              • String ID:
                              • API String ID: 2752312933-0
                              • Opcode ID: 0da8cc8ca742de6b5f1bc06398d3d529d7c30d758d368a9f64d47f86cf7c62a8
                              • Instruction ID: d2dd2e9f33bf94337c289fe9aa847c85778e78ccfe5cde35c6979486c1204430
                              • Opcode Fuzzy Hash: 0da8cc8ca742de6b5f1bc06398d3d529d7c30d758d368a9f64d47f86cf7c62a8
                              • Instruction Fuzzy Hash: 4B21C7B1904104AFE701AF34DC05B49BBA5FF04324F15417AF90A97392DB7AE914DBE2

                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FE5EB4), ref: 00FCC63E
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00FCC6B6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00FCC6E3
                              • _free.LIBCMT ref: 00FCC62C
                                • Part of subcall function 00FC79EF: HeapFree.KERNEL32(00000000,00000000,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?), ref: 00FC7A05
                                • Part of subcall function 00FC79EF: GetLastError.KERNEL32(?,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?,?), ref: 00FC7A17
                              • _free.LIBCMT ref: 00FCC7F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID: Eastern Standard Time$Eastern Summer Time
                              • API String ID: 1286116820-239921721
                              • Opcode ID: 604f25886f752b5f1e05a127e3d4c61ce5e6f5456361f3c6a48715884bb897fa
                              • Instruction ID: 9bce11212c2e9ad7146e54c77ff4a53cf1dca396fa09e101b12278d477d7f753
                              • Opcode Fuzzy Hash: 604f25886f752b5f1e05a127e3d4c61ce5e6f5456361f3c6a48715884bb897fa
                              • Instruction Fuzzy Hash: F151F671D0020AEBCB21DF79DE82EAA77B8EF41320F14026EE459E7191E7359D41AF90

                              APIs
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000), ref: 00F607A8
                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00F607BE
                              • GetTempPathW.KERNEL32(00000104,?), ref: 00F607D4
                              • PathAppendW.SHLWAPI(?), ref: 00F607F0
                              • PathAddBackslashW.SHLWAPI(?), ref: 00F607FD
                              • PathFileExistsW.SHLWAPI(?), ref: 00F60810
                              • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 00F60820
                              • PathFileExistsW.SHLWAPI(?), ref: 00F6082D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Path$ExistsFileFolderSpecial$AppendBackslashCreateDirectoryTemp
                              • String ID:
                              • API String ID: 3243460205-0
                              • Opcode ID: f404a5eb19370340391a51687feb3db0c291ad51b6df8df322d7bd80fbf3365e
                              • Instruction ID: 77b288ff63d028d35edad116e135435c088d7f9bb8df3bdf0c3f117fe5133b1f
                              • Opcode Fuzzy Hash: f404a5eb19370340391a51687feb3db0c291ad51b6df8df322d7bd80fbf3365e
                              • Instruction Fuzzy Hash: 1D31617194021D9BDB20DF64DC89FEA77BCFB54704F0405AAE919D7180DBB0AA88DFA1

                              APIs
                                • Part of subcall function 00F81020: __Cnd_init.LIBCPMT ref: 00F81050
                                • Part of subcall function 00F81020: __Mtx_init.LIBCPMT ref: 00F81083
                                • Part of subcall function 00F810F0: __Thrd_start.LIBCPMT ref: 00F810FF
                              • __Mtx_unlock.LIBCPMT ref: 00F8F9B8
                                • Part of subcall function 00FB7BA1: _abort.LIBCMT ref: 00FB7BD7
                              • CoInitialize.OLE32(00000000), ref: 00F8FA8F
                              • OleInitialize.OLE32(00000000), ref: 00F8FA97
                              • __Mtx_unlock.LIBCPMT ref: 00F8FAF2
                              • __Mtx_unlock.LIBCPMT ref: 00F8FB62
                              • __Mtx_unlock.LIBCPMT ref: 00F8FC08
                                • Part of subcall function 00F99E53: std::_Throw_Cpp_error.LIBCPMT ref: 00F99E7A
                              • __Mtx_unlock.LIBCPMT ref: 00F8FCAC
                              • OleUninitialize.OLE32 ref: 00F8FCFC
                              • CoUninitialize.OLE32 ref: 00F8FD02
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$InitializeUninitialize$Cnd_initCpp_errorMtx_initThrd_startThrow__abortstd::_
                              • String ID:
                              • API String ID: 498520733-0
                              • Opcode ID: ee53880f905ea321cc80f1338fc4d326e5c7d508cf41ab55573509ff797f60fd
                              • Instruction ID: 3d47e8af9bd45d111aca2466ae2a4e0379ba3ff1f4b05a72357343d4019aa5b0
                              • Opcode Fuzzy Hash: ee53880f905ea321cc80f1338fc4d326e5c7d508cf41ab55573509ff797f60fd
                              • Instruction Fuzzy Hash: DED1B4B1D00209DFDF00EF68CD45B9EBBB4AF05324F198169E815A7381E775EA04DBA2
                              APIs
                              • PostMessageW.USER32(?,00000BC6,00000000,00000000), ref: 00F860E1
                              • __Mtx_unlock.LIBCPMT ref: 00F860EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageMtx_unlockPost
                              • String ID: C:\Windows\System32\kernel32.dll$invalid stoul argument$stoul argument out of range
                              • API String ID: 545632012-474098362
                              • Opcode ID: 089ecac6306a20708fd46ad5b1befcc548e26575504b4aebbe179bea7f769a94
                              • Instruction ID: 47c2c70458e44d5cf74efd6afe8d186ca296796011e3ab466a0f7e1e17122a12
                              • Opcode Fuzzy Hash: 089ecac6306a20708fd46ad5b1befcc548e26575504b4aebbe179bea7f769a94
                              • Instruction Fuzzy Hash: F731B2B4C00309EADB20AF658C46BDDB6B4FF04750F0442A9B918F6291EF745A45EF56
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C9E1049
                                • Part of subcall function 6C9834C0: EnterCriticalSection.KERNEL32(6CB38410,?,?,0000007C,?,6C96F878,00000001), ref: 6C9834F1
                                • Part of subcall function 6C9834C0: InitializeCriticalSection.KERNEL32(00000000,?,6C96F878,00000001), ref: 6C983507
                                • Part of subcall function 6C9834C0: LeaveCriticalSection.KERNEL32(6CB38410,?,6C96F878,00000001), ref: 6C983515
                                • Part of subcall function 6C9834C0: EnterCriticalSection.KERNEL32(00000000,?,0000007C,?,6C96F878,00000001), ref: 6C983522
                              • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C9E109C
                              • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C9E10B2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                              • String ID: DragDelay$DragMinDist$windows
                              • API String ID: 3965097884-2101198082
                              • Opcode ID: 785d62b528bc5203d5b97611c87683e2a93c088da0709ca8ecd27c904eb19440
                              • Instruction ID: 9ea8d09e374443e5808744bc559f36220e3386594d7cffb8874ca1dd096f53c5
                              • Opcode Fuzzy Hash: 785d62b528bc5203d5b97611c87683e2a93c088da0709ca8ecd27c904eb19440
                              • Instruction Fuzzy Hash: 440165B0A027409FDBA1CF788442719BAF0BB29704F40192EE149DBF80EB74E1408F94
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25e063a42070cbbdb8fdace8f1d5b75858976f2dcf098efec3c35a1540e51744
                              • Instruction ID: ea34108d5d6c25b6ecee697424c26db2a46331a8b79217044a4c4df43ea80eb1
                              • Opcode Fuzzy Hash: 25e063a42070cbbdb8fdace8f1d5b75858976f2dcf098efec3c35a1540e51744
                              • Instruction Fuzzy Hash: 6EB1F470B04249AFDF02CFA9C944BED7BB0AF46318F185359E414ABB91C77099C6CB62
                              APIs
                              • __allrem.LIBCMT ref: 00FBB864
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FBB880
                              • __allrem.LIBCMT ref: 00FBB897
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FBB8B5
                              • __allrem.LIBCMT ref: 00FBB8CC
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FBB8EA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: f3f1979d07c72e0da9149b071018468b7c6d250dff15f2c550c1b7d1d762c3d1
                              • Instruction ID: 31dbcb3b380321500505e6fb5423425ceb8e6f9f160438d47026aabe7716205a
                              • Opcode Fuzzy Hash: f3f1979d07c72e0da9149b071018468b7c6d250dff15f2c550c1b7d1d762c3d1
                              • Instruction Fuzzy Hash: 9D810A72A007069BE724AF6ACC42BEA73A9AF40734F24452EF114D7291EBF4DD01AF50
                              APIs
                              • GetFileAttributesA.KERNEL32 ref: 6C959C9B
                              • SHGetFolderPathA.SHELL32 ref: 6C959CE4
                              • GetFileAttributesA.KERNEL32 ref: 6C959DDF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AttributesFile$FolderPath
                              • String ID:
                              • API String ID: 1382956649-0
                              • Opcode ID: c81dce299e809b882e54e0c0af926143a8992c31b2e932f6553d59096d60ec8a
                              • Instruction ID: 8ccf15081331d263d311e0bb41ad97675d3e32477dd8f03b1172aebfeed5b04f
                              • Opcode Fuzzy Hash: c81dce299e809b882e54e0c0af926143a8992c31b2e932f6553d59096d60ec8a
                              • Instruction Fuzzy Hash: 66B117B0900314CFDB14EF68C99879DBBB0BF59304F4181AAD8199B790DB75DA99CF81
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
                              • String ID:
                              • API String ID: 4013288513-0
                              • Opcode ID: 6273863df35e6bb3b74866a9c9316a81d9c135ab0e95aa571a39efd797911247
                              • Instruction ID: 306b5617ac6f9fe4237b28d93c04f5a5c423a64062addbc3ea8e7150d1499520
                              • Opcode Fuzzy Hash: 6273863df35e6bb3b74866a9c9316a81d9c135ab0e95aa571a39efd797911247
                              • Instruction Fuzzy Hash: 265129B4E083089FDB00EFACD5856AEBFF0AF49304F41856DE495AB340D7349959CBA2
                              APIs
                              • IsWindow.USER32(?), ref: 00F811AB
                              • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00F811BB
                              • GetModuleHandleW.KERNEL32(00000000,00000000,-00000002), ref: 00F8123C
                              • RegisterClassW.USER32(?), ref: 00F81265
                              • CreateWindowExW.USER32(00000000,?,00FEEA54,00000000,00000000,00000000,00000001,00000001,000000FD,00000000,00000000,00000000), ref: 00F81292
                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F812A3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Long$ClassCreateHandleModuleRegister
                              • String ID:
                              • API String ID: 354519829-0
                              • Opcode ID: 0751f5bb3d413025ff26783bc56deef4b435266e1bd8ed77c2e34b0f327b06ea
                              • Instruction ID: 9108b0ce9bfbb7d728e61bb2d46ee4f535121ae07a9daf14247a86b1bfee8631
                              • Opcode Fuzzy Hash: 0751f5bb3d413025ff26783bc56deef4b435266e1bd8ed77c2e34b0f327b06ea
                              • Instruction Fuzzy Hash: BB410F302183009FD710DF28CC4AB9FBBE5AF89710F504A2DF556862D0DB75E805CB82
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: 463abba70423ed98ad41343927198d85109e474092eaf347a8874464213f79ae
                              • Instruction ID: 671747145be2f801952d43c0ed1b4bf59b5ac105d6f51209cb9aa81410a5e1fa
                              • Opcode Fuzzy Hash: 463abba70423ed98ad41343927198d85109e474092eaf347a8874464213f79ae
                              • Instruction Fuzzy Hash: ADF0D13A94C60366C2227338BF1BF5E365A8BD17B1F20002EF516D61C2EE798C01B565
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,33902926,00000000,?), ref: 00F817AA
                              • GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,?), ref: 00F81803
                              • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 00F81867
                              • VerQueryValueW.VERSION(00000000,00FEEA50,?,00000034), ref: 00F81885
                                • Part of subcall function 00F617D0: __CxxThrowException@8.LIBVCRUNTIME ref: 00F617E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$InfoVersion$Exception@8ModuleNameQuerySizeThrowValue
                              • String ID: %d.%d.%d.%d
                              • API String ID: 4009888614-3491811756
                              • Opcode ID: 1d8f44e67066d6a2cf66e616584e0c8d6d76bbf3757c6eae3b80cf923ead3450
                              • Instruction ID: f770ec2da3ea9a3b0c5ec093a9144e89cb93a3ffec2fb6e9d55a932cbc9fe9da
                              • Opcode Fuzzy Hash: 1d8f44e67066d6a2cf66e616584e0c8d6d76bbf3757c6eae3b80cf923ead3450
                              • Instruction Fuzzy Hash: F8919D71D012599FDB20DF68DD49BEEB7F8FB48314F1042A9E809E7281E7789A84DB50
                              APIs
                                • Part of subcall function 6C95A150: GetModuleFileNameA.KERNEL32 ref: 6C95A1AC
                              • CreateThread.KERNEL32 ref: 6C95A7DD
                              • CreateThread.KERNEL32 ref: 6C95A819
                              • WaitForSingleObject.KERNEL32 ref: 6C95A846
                                • Part of subcall function 6C95A320: GetModuleFileNameA.KERNEL32 ref: 6C95A37C
                                • Part of subcall function 6C95A0E0: GetModuleFileNameA.KERNEL32 ref: 6C95A113
                                • Part of subcall function 6C95A520: GetModuleHandleA.KERNEL32 ref: 6C95A568
                                • Part of subcall function 6C959520: GetModuleHandleA.KERNEL32 ref: 6C95952F
                                • Part of subcall function 6C959520: FindResourceW.KERNEL32 ref: 6C959594
                                • Part of subcall function 6C959520: LoadResource.KERNEL32 ref: 6C9595BD
                                • Part of subcall function 6C959520: SizeofResource.KERNEL32 ref: 6C9595D6
                                • Part of subcall function 6C959520: LockResource.KERNEL32 ref: 6C9595E8
                                • Part of subcall function 6C9580D0: WSAStartup.WS2_32 ref: 6C9580FF
                                • Part of subcall function 6C9580D0: getaddrinfo.WS2_32 ref: 6C9581F9
                                • Part of subcall function 6C9580D0: WSACleanup.WS2_32 ref: 6C958215
                                • Part of subcall function 6C9580D0: freeaddrinfo.WS2_32 ref: 6C9583B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Module$Resource$FileName$CreateHandleThread$CleanupFindLoadLockObjectSingleSizeofStartupWaitfreeaddrinfogetaddrinfo
                              • String ID: IiViS$libcurl.dll
                              • API String ID: 1047316345-1299199552
                              • Opcode ID: 73992194c76127893eba8a3ca3771cf016eaf973c555a8cf39da3636d898ec11
                              • Instruction ID: 2e2efd121e072e38e70dc6298cb0fbcebcf49d2d2c1e95907bc66600812230b8
                              • Opcode Fuzzy Hash: 73992194c76127893eba8a3ca3771cf016eaf973c555a8cf39da3636d898ec11
                              • Instruction Fuzzy Hash: 7EA128B0900218CFDB08EF64D9557EDBBB0FF25304F41849AD44A9BB90DB749A48CFA6
                              APIs
                              • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00F61729
                              • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00F61754
                              • RegCloseKey.ADVAPI32(?), ref: 00F6175F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                              • API String ID: 3677997916-378819227
                              • Opcode ID: d164b0d512fb31f39d2ab7daae1c90914c4dba8364bcc91c5c3a3a3c9a0fa549
                              • Instruction ID: ba208ba9f2c531324f75a7f17da0388a7e855352660320c8b05361438e5fb328
                              • Opcode Fuzzy Hash: d164b0d512fb31f39d2ab7daae1c90914c4dba8364bcc91c5c3a3a3c9a0fa549
                              • Instruction Fuzzy Hash: BC21AE75A00208AFDB20DF68EC45EAAB7F9FF84710F04446AF916D7291DB71AD089B90
                              APIs
                              • RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?), ref: 00F61729
                              • RegQueryValueExW.ADVAPI32(?,UnionId,00000000,?,?,?), ref: 00F61754
                              • RegCloseKey.ADVAPI32(?), ref: 00F6175F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: SOFTWARE\XZDesktopCalendar$UnionId
                              • API String ID: 3677997916-378819227
                              • Opcode ID: 88ac034bfe78ff184f65e2d6f144d27fbb9a39dba502be76035c7ea1b9b5942a
                              • Instruction ID: 7ea979a74d4d4b4ef573fb195b5ae705bd0843744fe741f9d32323c2e236c9a6
                              • Opcode Fuzzy Hash: 88ac034bfe78ff184f65e2d6f144d27fbb9a39dba502be76035c7ea1b9b5942a
                              • Instruction Fuzzy Hash: FF013675E0121DBBEF109FA4DC49FAEB7BCEB04714F004055FD15E7281D675AA08AB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: dllmain_raw$dllmain_crt_dispatch
                              • String ID:
                              • API String ID: 3136044242-0
                              • Opcode ID: e40f9f2703cdd7aec3e22b35a5e00240a0e26c723533977d916743dbe78b2f8d
                              • Instruction ID: 0be49bb5ebafa4578a594343fa8cf2e398db855bfb6eae38c680115eeb766c23
                              • Opcode Fuzzy Hash: e40f9f2703cdd7aec3e22b35a5e00240a0e26c723533977d916743dbe78b2f8d
                              • Instruction Fuzzy Hash: 3721D372E41615ABDB214F97CD48AAF3A79EB80B98F044215F91C57B10D7318DABCBA0
                              APIs
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F6D79E
                                • Part of subcall function 00F9A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00F9A64A
                              • __Xtime_get_ticks.LIBCPMT ref: 00F6D844
                                • Part of subcall function 00F9939B: ___crtFlsFree.LIBCPMT ref: 00F993A4
                                • Part of subcall function 00F6D5F0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6D611
                                • Part of subcall function 00F6CCF0: Sleep.KERNEL32(?,?,00000010), ref: 00F6CE07
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6D939
                              Strings
                              • daily_file_sink: Invalid rotation time in ctor, xrefs: 00F6D91F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::create_stl_critical_sectionException@8FreeMtx_init_in_situSleepThrowUnothrow_t@std@@@Xtime_get_ticks___crt__ehfuncinfo$??2@
                              • String ID: daily_file_sink: Invalid rotation time in ctor
                              • API String ID: 4188573093-2939006100
                              • Opcode ID: e3c7e4f6abf2649e1116590223b52839eb7c966cf9ac74539f12f300d2817e49
                              • Instruction ID: 620f63ba087e425c54ac06cd85b5e3645a1199ac81ab0d8da832b77644946e71
                              • Opcode Fuzzy Hash: e3c7e4f6abf2649e1116590223b52839eb7c966cf9ac74539f12f300d2817e49
                              • Instruction Fuzzy Hash: 9E5101B0A007448BDB14DF28CD85B9ABBF4EF45300F10851DE8859B782EB78E944DBA1
                              APIs
                              • Sleep.KERNEL32(?,?,00000010), ref: 00F6CE07
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6CE93
                                • Part of subcall function 00FB2A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00FB2AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseSleepThrow
                              • String ID: for writing$Failed opening file
                              • API String ID: 38309065-807226085
                              • Opcode ID: 3fa7f38a64017e4f3d258179046f794de9b7a307516e60b74e6887ed90e87c32
                              • Instruction ID: e5dcf6ea679fa7bfb6b37580989e60b0581d675537f937aec2995835d1e54f73
                              • Opcode Fuzzy Hash: 3fa7f38a64017e4f3d258179046f794de9b7a307516e60b74e6887ed90e87c32
                              • Instruction Fuzzy Hash: 66511471E002489FDB14DFA8DC81BAEBBB5FF44310F144529E495A7381EB39A904EBD1
                              APIs
                              • GetModuleHandleW.KERNEL32(Shell32,00000000,?,6C95CF8A), ref: 6C97A7DC
                              • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C97A7ED
                              Strings
                              • Shell32, xrefs: 6C97A7D5
                              • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C97A7E7
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
                              • API String ID: 1646373207-2658420654
                              • Opcode ID: 0801afcd9f9c30163b7e7db135cd949c1c7b7030a0a824791b1169c1001a3395
                              • Instruction ID: 2d9d3b1e9db4687852351302b3ef8d119cdab293d84ff95724ed6fc0f9db177f
                              • Opcode Fuzzy Hash: 0801afcd9f9c30163b7e7db135cd949c1c7b7030a0a824791b1169c1001a3395
                              • Instruction Fuzzy Hash: 11E08635B03764678B252B65DC1D95B7B2CEA856A13100439F919D7F00DE34D802C7F8
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9695EF
                                • Part of subcall function 6C978400: __EH_prolog3.LIBCMT ref: 6C978407
                              • GetCurrentThread.KERNEL32 ref: 6C96964E
                              • GetCurrentThreadId.KERNEL32 ref: 6C969657
                              • GetVersionExW.KERNEL32 ref: 6C9696F3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentThread$H_prolog3H_prolog3_Version
                              • String ID:
                              • API String ID: 786120064-0
                              • Opcode ID: 8f9128d3641d1f076627940b733457e14550380444b0ec91ed5e218e9887c733
                              • Instruction ID: e0cc9621fece328892edfbd80ef28790d8eb7adc74a029d35d991f2f394e2822
                              • Opcode Fuzzy Hash: 8f9128d3641d1f076627940b733457e14550380444b0ec91ed5e218e9887c733
                              • Instruction Fuzzy Hash: D25113B0A02B04CFEB258F2A958469AFBF5BF59704F51496ED4AEC7B00DB30A845CF50
                              APIs
                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C97E474
                              • VerSetConditionMask.KERNEL32(00000000), ref: 6C97E47C
                              • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C97E48D
                              • GetSystemMetrics.USER32(00001000), ref: 6C97E49E
                                • Part of subcall function 6C97E4D4: __EH_prolog3.LIBCMT ref: 6C97E4DB
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000016), ref: 6C97E4E4
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000F), ref: 6C97E4F7
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000015), ref: 6C97E50E
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000F), ref: 6C97E51A
                                • Part of subcall function 6C97E4D4: GetDeviceCaps.GDI32(?,0000000C), ref: 6C97E542
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000F), ref: 6C97E550
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000010), ref: 6C97E55E
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000015), ref: 6C97E56C
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000016), ref: 6C97E57A
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000014), ref: 6C97E588
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000012), ref: 6C97E596
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000011), ref: 6C97E5A4
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000006), ref: 6C97E5AF
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000D), ref: 6C97E5BA
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000E), ref: 6C97E5C5
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000005), ref: 6C97E5D0
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000008), ref: 6C97E5DE
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000009), ref: 6C97E5E9
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000007), ref: 6C97E5F4
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000002), ref: 6C97E5FF
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000003), ref: 6C97E60A
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000001B), ref: 6C97E618
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000001C), ref: 6C97E626
                                • Part of subcall function 6C97E4D4: GetSysColor.USER32(0000000A), ref: 6C97E634
                                • Part of subcall function 6C97E8F2: __EH_prolog3_GS.LIBCMT ref: 6C97E8FC
                                • Part of subcall function 6C97E8F2: GetDeviceCaps.GDI32(?,00000058), ref: 6C97E91C
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97E978
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97E996
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97E9B4
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97E9D2
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97E9F0
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97EA0E
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97EA2C
                                • Part of subcall function 6C97E8F2: DeleteObject.GDI32(00000000), ref: 6C97EA4A
                                • Part of subcall function 6C97EE11: GetSystemMetrics.USER32(00000031), ref: 6C97EE1F
                                • Part of subcall function 6C97EE11: GetSystemMetrics.USER32(00000032), ref: 6C97EE2D
                                • Part of subcall function 6C97EE11: SetRectEmpty.USER32(?), ref: 6C97EE40
                                • Part of subcall function 6C97EE11: EnumDisplayMonitors.USER32(00000000,00000000,6C97F5E9,?,?,?), ref: 6C97EE50
                                • Part of subcall function 6C97EE11: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C97EE5F
                                • Part of subcall function 6C97EE11: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C97EE8C
                                • Part of subcall function 6C97EE11: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C97EEA0
                                • Part of subcall function 6C97EE11: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C97EEC6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
                              • String ID:
                              • API String ID: 2442922003-0
                              • Opcode ID: d1cb2afbf768d43a80119cbc04fbb70af9a7ba41baff39725894354f3427796a
                              • Instruction ID: 94d90e7999ec1ca716c72f6cfd332222bcdb32bf519dda22af82dc4d1e010db8
                              • Opcode Fuzzy Hash: d1cb2afbf768d43a80119cbc04fbb70af9a7ba41baff39725894354f3427796a
                              • Instruction Fuzzy Hash: 501173B0B00318AFDB259F759C4AFEB76BCEB99704F00446DA24697280CBB44A458BE0
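The blocks on this page are the raw output of the Joe Sandbox IDA plugin, and an analyst usually wants them as structured data rather than as a rendered list: to pivot on the API String ID and Instruction Fuzzy Hash across reports, to separate a function's direct calls from the "Part of subcall function" entries, and to decode the argument constants the report prints. The Python script below is an added example, not part of the report or of Joe Sandbox. It parses entries in exactly this layout and decodes the VerSetConditionMask / VerifyVersionInfoW / GetSystemMetrics(00001000) sequence listed above: the type-mask and condition values map to the documented VER_* constants (2 = VER_MAJORVERSION, 1 = VER_MINORVERSION, 3 = VER_GREATER_EQUAL, and the dwTypeMask 3 passed to VerifyVersionInfoW is MAJOR|MINOR), and 0x1000 is SM_REMOTESESSION. Reading the six stack slots of the first VerSetConditionMask call as the inner call's four arguments followed by the outer call's two is the example's interpretation of the listing, not something the report states. The sample input is copied from two entries on this page (this one and the DeleteFileW entry further down).

```python
"""Parse Joe Sandbox per-function blocks (the 'APIs' / 'Memory Dump Source' / 'Similarity'
lists above) into records and decode the VerSetConditionMask / VerifyVersionInfoW /
GetSystemMetrics constants of the check listed at 6C97E474-6C97E49E.  Added example, not
Joe Sandbox code; SAMPLE is copied from two entries of this report, VER_*/SM_* are Win32."""
import re
from dataclasses import dataclass, field
from typing import Optional
SAMPLE = """\
APIs
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C97E474
• VerSetConditionMask.KERNEL32(00000000), ref: 6C97E47C
• VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C97E48D
• GetSystemMetrics.USER32(00001000), ref: 6C97E49E
  • Part of subcall function 6C97E4D4: GetSysColor.USER32(00000016), ref: 6C97E4E4
• Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
• API String ID: 2442922003-0
• Instruction Fuzzy Hash: 501173B0B00318AFDB259F759C4AFEB76BCEB99704F00446DA24697280CBB44A458BE0
APIs
• DeleteFileW.KERNEL32(6CAB6361,?,6CAB6361,?), ref: 6CAC33F1
• GetLastError.KERNEL32(?,6CAB6361,?), ref: 6CAC33FB
• __dosmaperr.LIBCMT ref: 6CAC3402
• Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
• API String ID: 1545401867-0
• Instruction Fuzzy Hash: D9D02232305208279F002EF2AC0845B3F6C9B823793080226F02CC39E0DF31C4818110
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple             # int for 8-hex-digit words, None for '?', str otherwise
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when listed under "Part of subcall function"
@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    base: Optional[int] = None            # "Offset:" of the dump the function was lifted from
    api_string_id: Optional[str] = None   # pivot key that is stable across reports
    instruction_hash: Optional[str] = None

    def direct_calls(self):
        return [a for a in self.apis if a.subcall is None]

API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?"
                    r",?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

def _arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"[0-9A-F]{8}", tok) else tok

def parse_entries(text):
    """One FunctionEntry per block; a block ends at its Instruction Fuzzy Hash line."""
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] else ()
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif (f := FIELD_RE.match(line)):
            key, val = f["key"].strip(), f["val"].strip()
            if key == "Source File":
                off = re.search(r"Offset:\s*([0-9A-F]+)", val)
                cur.base = int(off.group(1), 16) if off else None
            elif key == "API String ID":
                cur.api_string_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_hash = val
                entries.append(cur)
                cur = FunctionEntry()
    return entries

VER_TYPE = {0x1: "VER_MINORVERSION", 0x2: "VER_MAJORVERSION", 0x4: "VER_BUILDNUMBER", 0x8: "VER_PLATFORMID"}
VER_COND = {1: "VER_EQUAL", 2: "VER_GREATER", 3: "VER_GREATER_EQUAL", 4: "VER_LESS", 5: "VER_LESS_EQUAL", 6: "VER_AND", 7: "VER_OR"}
SM_NAME = {0x1000: "SM_REMOTESESSION", 0x31: "SM_CXSMICON", 0x32: "SM_CYSMICON"}

def decode_version_check(entry):
    """Return {"conditions", "typemask", "metrics"} for a function's direct calls.
    The report prints the stack at the call site; for the nested idiom
    VerSetConditionMask(VerSetConditionMask(0, A, c1), B, c2) the inner call runs first, so
    its slots (mask_lo, mask_hi, A, c1) are followed by the outer call's already-pushed
    (B, c2).  Reading the six listed slots that way is this example's interpretation."""
    out = {"conditions": {}, "typemask": set(), "metrics": []}
    for c in entry.direct_calls():
        ints = [a for a in c.args if isinstance(a, int)]
        if c.name == "VerSetConditionMask":
            for t, cond in zip(ints[2::2], ints[3::2]):
                if t in VER_TYPE and cond in VER_COND:
                    out["conditions"][VER_TYPE[t]] = VER_COND[cond]
        elif c.name == "VerifyVersionInfoW" and len(c.args) > 1 and isinstance(c.args[1], int):
            out["typemask"] = {n for bit, n in VER_TYPE.items() if c.args[1] & bit}
        elif c.name == "GetSystemMetrics" and ints:
            out["metrics"].append(SM_NAME.get(ints[0], hex(ints[0])))
    return out

if __name__ == "__main__":
    print(*(decode_version_check(e) for e in parse_entries(SAMPLE)), sep="\n")
```

Run it on a pasted report excerpt and the first entry decodes to major and minor version tested with VER_GREATER_EQUAL, a matching VerifyVersionInfoW type mask, and a single SM_REMOTESESSION query. One caveat before treating that as anti-analysis: the subcalls listed under the same function read system colours, display capabilities and menu-animation settings, which is what UI theming code does on start-up, so the version and remote-session checks need the surrounding call context before they count as evasion rather than as ordinary OS-feature gating.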
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6C70B
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6C8FD
                              Strings
                              • Failed writing to file , xrefs: 00F6C8C9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8ThrowUnothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: Failed writing to file
                              • API String ID: 110933538-3481382570
                              • Opcode ID: 39a7ffffa46e69d259f579a005ba7c10135a4c8f280311e251a7ef17d8d054e6
                              • Instruction ID: e15bf33e4cc92ab24f415ac9f9f7d6ca5c948b92e6e27c2eae9ac7c7f1d33f7a
                              • Opcode Fuzzy Hash: 39a7ffffa46e69d259f579a005ba7c10135a4c8f280311e251a7ef17d8d054e6
                              • Instruction Fuzzy Hash: D261D071D0121DABDB24DF24CC89BEDB775FF44300F108299E458A7291EB34AA84DF90
                              APIs
                                • Part of subcall function 00F5F140: __Xtime_get_ticks.LIBCPMT ref: 00F5F152
                                • Part of subcall function 00F5F140: GetCurrentThreadId.KERNEL32 ref: 00F5F178
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588B3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588E3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588EE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_init_in_situ$CurrentThreadXtime_get_ticks
                              • String ID:
                              • API String ID: 2135877135-0
                              • Opcode ID: ed02d2a703920da8309b36340f9b7348a3ca86a3ebfec96f1fb9ad27611e4ab7
                              • Instruction ID: e7556252fd8f0f3862a83b9d4e11bc95d961c315241d59a5a6408bc405dd1a19
                              • Opcode Fuzzy Hash: ed02d2a703920da8309b36340f9b7348a3ca86a3ebfec96f1fb9ad27611e4ab7
                              • Instruction Fuzzy Hash: DD81D0B1900748DFDB20DF68CC49B9ABBF4EF44714F10855DE919AB280DB79AA48CF91
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4efbe451390d4b1c08e25b7eab4839290fba9395b84188fdd6a3a1638571a6e
                              • Instruction ID: 0485cb965105fff78db1c637be988c68d0dd49497db2d20b0bcc133a32a35c01
                              • Opcode Fuzzy Hash: b4efbe451390d4b1c08e25b7eab4839290fba9395b84188fdd6a3a1638571a6e
                              • Instruction Fuzzy Hash: 7651B371D0830B9ADB11AFA5CE4AFEE7BB4AF05324F24015DE504AB291DB389900EF61
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00F8E90F
                              • SetEvent.KERNEL32(?), ref: 00F8EA2C
                              • __Mtx_unlock.LIBCPMT ref: 00F8EA36
                                • Part of subcall function 00F81020: __Cnd_init.LIBCPMT ref: 00F81050
                                • Part of subcall function 00F81020: __Mtx_init.LIBCPMT ref: 00F81083
                                • Part of subcall function 00F810F0: __Thrd_start.LIBCPMT ref: 00F810FF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Cnd_initEventMtx_initThrd_start
                              • String ID:
                              • API String ID: 3085764595-0
                              • Opcode ID: a080a059b6bf88a8eab07c16380ee6a7e5c728d92d02b614c6fc5bdcb2f86d72
                              • Instruction ID: ba3ca0aa8e521a6e38c252d964fedaf7af2fa74d700f8c790e6cb683f97b6181
                              • Opcode Fuzzy Hash: a080a059b6bf88a8eab07c16380ee6a7e5c728d92d02b614c6fc5bdcb2f86d72
                              • Instruction Fuzzy Hash: 29616CB1D00208EFEB00EF68D845BDEBBF8FF05724F148169E815A7291DB75A944DBA1
                              APIs
                              • _free.LIBCMT ref: 00FCC7A2
                              • _free.LIBCMT ref: 00FCC7F8
                                • Part of subcall function 00FCC5D4: _free.LIBCMT ref: 00FCC62C
                                • Part of subcall function 00FCC5D4: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FE5EB4), ref: 00FCC63E
                                • Part of subcall function 00FCC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Standard Time,000000FF,00000000,0000003F,00000000,?,?), ref: 00FCC6B6
                                • Part of subcall function 00FCC5D4: WideCharToMultiByte.KERNEL32(00000000,00000000,Eastern Summer Time,000000FF,?,0000003F,00000000,?), ref: 00FCC6E3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              • Opcode ID: 948e78cf35cd309b98a311320a6f22868d071a856c59e995dab69cde77aa6fc9
                              • Instruction ID: 029a903824ef1df6ec4decc300c039effb60cf7a8ff424918485615bf5804699
                              • Opcode Fuzzy Hash: 948e78cf35cd309b98a311320a6f22868d071a856c59e995dab69cde77aa6fc9
                              • Instruction Fuzzy Hash: 9621F932C0421757DB31A6249E83FEA7769CF81730F14029EE49DA2581EF785D85AED0
                              APIs
                              • __Cnd_signal.LIBCPMT ref: 00F8F346
                              • __Mtx_unlock.LIBCPMT ref: 00F8F35E
                              • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00F8F37A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalMtx_unlock
                              • String ID:
                              • API String ID: 2839255513-0
                              • Opcode ID: d1ae651d96c593432ac5f62b893bd8af01159c1dbb6eb02d00931120b2f19cff
                              • Instruction ID: c4562302ed14f19b39b2af9aff500649d2b1484a9faeda6a8ecc4ef094a24c22
                              • Opcode Fuzzy Hash: d1ae651d96c593432ac5f62b893bd8af01159c1dbb6eb02d00931120b2f19cff
                              • Instruction Fuzzy Hash: 4811CAB1D04600ABEB11AF64DC02B57B7A8EB04710F054539F81993751EB7AF51896A2
                              APIs
                              • CreateThread.KERNEL32(?,?,Function_0006CA8E,00000000,?,?), ref: 00FBCC2B
                              • GetLastError.KERNEL32(?,?,?,?,?,00F99F7D,00000000,00000000,?,?,00000000,?,?,?,00F81104,?), ref: 00FBCC37
                              • __dosmaperr.LIBCMT ref: 00FBCC3E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateErrorLastThread__dosmaperr
                              • String ID:
                              • API String ID: 2744730728-0
                              • Opcode ID: 7f86d57471c9b4dba58734a98f8dd27642194a6b0ae875875918f177b541a193
                              • Instruction ID: b9dd8e438a133ccc659f55dc91d87df5c7b49a5eb0821bb2023ddb7c3dd4ea81
                              • Opcode Fuzzy Hash: 7f86d57471c9b4dba58734a98f8dd27642194a6b0ae875875918f177b541a193
                              • Instruction Fuzzy Hash: B801DEB6901149ABCB159FA3DC069EF3F6AEF80320F104029F80983110DB358810FFE0
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00FC81B1,?,?,00000002,00000000), ref: 00FC813B
                              • GetLastError.KERNEL32(?,00FC81B1,?,?,00000002,00000000,?,00FC7875,?,00000000,00000000,00000002,?,?,?,?), ref: 00FC8145
                              • __dosmaperr.LIBCMT ref: 00FC814C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID:
                              • API String ID: 2336955059-0
                              • Opcode ID: 22183c0d00180ecadc12d92ec30584a3d9e7346c46a4a1ccab9ee164417a7503
                              • Instruction ID: 65de7240daa546cf69d7ba682c1778c0a340c7ad46e1296a7087ef0ee725063e
                              • Opcode Fuzzy Hash: 22183c0d00180ecadc12d92ec30584a3d9e7346c46a4a1ccab9ee164417a7503
                              • Instruction Fuzzy Hash: 73012D37A10119ABCF058F65DC06DDE3759EB85370B280259F811CB190EE719D42BB90
                              APIs
                              • DeleteFileW.KERNEL32(6CAB6361,?,6CAB6361,?), ref: 6CAC33F1
                              • GetLastError.KERNEL32(?,6CAB6361,?), ref: 6CAC33FB
                              • __dosmaperr.LIBCMT ref: 6CAC3402
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DeleteErrorFileLast__dosmaperr
                              • String ID:
                              • API String ID: 1545401867-0
                              • Opcode ID: 72f9ccdffa9ecdcc04c1096ec2d3ce412691e16e89489a25304ec48fa20a81da
                              • Instruction ID: 4d1612ed0fe698ce153f061377ab85961f21856c14c393d3376cd6418e35eb76
                              • Opcode Fuzzy Hash: 72f9ccdffa9ecdcc04c1096ec2d3ce412691e16e89489a25304ec48fa20a81da
                              • Instruction Fuzzy Hash: D9D02232305208279F002EF2AC0845B3F6C9B823793080226F02CC39E0DF31C4818110
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message
                              • String ID: curl_slist_free_all
                              • API String ID: 2030045667-2048950981
                              • Opcode ID: 1f3a914f02d6f3f644af8f180cf3896a79ddb6221f09a3185a31b9fa9dd780aa
                              • Instruction ID: 46b9c084f33f78a8362aa2359df99c49603d97a550b0a550dd23fa788e19e21c
                              • Opcode Fuzzy Hash: 1f3a914f02d6f3f644af8f180cf3896a79ddb6221f09a3185a31b9fa9dd780aa
                              • Instruction Fuzzy Hash: 37D017705182049BE740BF78C50A35A7BF4A740200F40886AD49C83241E7B980598BC2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: Message
                              • String ID: curl_slist_append
                              • API String ID: 2030045667-3558798127
                              • Opcode ID: 6da43dd28da59acbfbcb5ffae48d77f4f71b699cfa348dc1022502dcfd477127
                              • Instruction ID: abb920dd39748afd5ad12c5fe107e47481ac41056932d131c22eecdf9d79ade5
                              • Opcode Fuzzy Hash: 6da43dd28da59acbfbcb5ffae48d77f4f71b699cfa348dc1022502dcfd477127
                              • Instruction Fuzzy Hash: 79D017705183049BE340BF78C60A31B7FF4A740200F40886ED49C83241E7B980558B83
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: Message
                              • String ID: curl_easy_init
                              • API String ID: 2030045667-4195830768
                              • Opcode ID: f56117d5e6b579903eddb257ef72f9db1b4c74f68a022a1ee595418043a9db72
                              • Instruction ID: 2eb4923d5475a36849e048110203fd911cff82f9deaf90271bb738256f5e80f6
                              • Opcode Fuzzy Hash: f56117d5e6b579903eddb257ef72f9db1b4c74f68a022a1ee595418043a9db72
                              • Instruction Fuzzy Hash: E2D017705183049BE340BF78C50A31A7BF4A740204F408C6AD49C87242E7B984558BC2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5f39b9f8888b6a99088da08a073816b7c7b33adbd34083e0161f13078e4d550
                              • Instruction ID: 1587b98b74866ec4c28014936586566c9449c157a1a05c5c4579eacd4eb1f409
                              • Opcode Fuzzy Hash: b5f39b9f8888b6a99088da08a073816b7c7b33adbd34083e0161f13078e4d550
                              • Instruction Fuzzy Hash: 30C159B46093848FD364CF28C180B9ABBE2BF99354F10892EE999C7751D730E944CB43
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CAA1EC2
                                • Part of subcall function 6CAA226E: InitializeSListHead.KERNEL32(6CB3A058,6CAA1ECC,6CB2F718,00000010,6CAA2065,?,00000000,?,00000007,6CB2F738,00000010,6CAA2078,?,?,6CAA2101,?), ref: 6CAA2273
                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CAA1F2C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                              • String ID:
                              • API String ID: 3231365870-0
                              • Opcode ID: a3e78d8b621cfe6944d18588afd225509e2eea36256daa01a7b8177f05f36c6a
                              • Instruction ID: ae71d5f7854f7432ed1c2473ed6b162da15a6c406aadc23014a2786d4e167ccf
                              • Opcode Fuzzy Hash: a3e78d8b621cfe6944d18588afd225509e2eea36256daa01a7b8177f05f36c6a
                              • Instruction Fuzzy Hash: 1E2137767092C1EEEB109BF4D900BED73B1AF2A32DF14051AD65567FC0DB26C08E8655
                              APIs
                              • __RTC_Initialize.LIBCMT ref: 6CAA1FC3
                              • ___scrt_uninitialize_crt.LIBCMT ref: 6CAA1FDD
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: Initialize___scrt_uninitialize_crt
                              • String ID:
                              • API String ID: 2442719207-0
                              • Opcode ID: 4500096cf9a997538c6e4be5e8c52710060ea19273dc03d060d78bc7435af66d
                              • Instruction ID: 8dc84633372a502310b9c5b38a32159fb4c9b80d8e318a294a82975412c0d6b8
                              • Opcode Fuzzy Hash: 4500096cf9a997538c6e4be5e8c52710060ea19273dc03d060d78bc7435af66d
                              • Instruction Fuzzy Hash: 59212972508245EBDB148FFB86047ED37B4AB15729F10821AD10993F80CB75C99BCA54
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,?,00008000,6CABFF1C,?,?,?,6CABFCD7,6CABFF1C,?,00000000,?,?), ref: 6CABFE8B
                              • GetLastError.KERNEL32(00000000,?,?,?,6CABFCD7,6CABFF1C,?,00000000,?,?,00000000,00008000,6CABFF1C,?,?,6CAC8E3B), ref: 6CABFE98
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: 7172669eb2a60353d5cb101a6d22ff8e01794ba9df3d51b2601e6fc8a5e61fd2
                              • Instruction ID: 7b98e07254ef2169e9e095006555f0ecb175f64939f46763076837d50e955bdb
                              • Opcode Fuzzy Hash: 7172669eb2a60353d5cb101a6d22ff8e01794ba9df3d51b2601e6fc8a5e61fd2
                              • Instruction Fuzzy Hash: 6801D63A714655AFCF058F59CC05CAE3B79DB86364B2C0209F811AB6A2EB71D991CB90
                              APIs
                              • GetWindowLongW.USER32(?,000000EB), ref: 00F81457
                              • DefWindowProcW.USER32(?,?,?,?), ref: 00F814A0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$LongProc
                              • String ID:
                              • API String ID: 2275667008-0
                              • Opcode ID: c8f2ceb9224432260c4be0499cd0c341e37125dae852097a0e330ccb1f751bab
                              • Instruction ID: e5b1a19cd428c24d1764c3794612594e33b8c15236e39e646f7ebcaaf69bd262
                              • Opcode Fuzzy Hash: c8f2ceb9224432260c4be0499cd0c341e37125dae852097a0e330ccb1f751bab
                              • Instruction Fuzzy Hash: A3015E3160010DABCF01DF64ED149EE7BB5EF49310F40425AFD0257290DB329A25EB90
                              APIs
                              • GetLastError.KERNEL32(00FFEEC0,00000010,00000003,00FC6F47), ref: 00FBCAA1
                              • ExitThread.KERNEL32 ref: 00FBCAA8
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 49708aec413fc026824d46d5980c52e82d6a5e2811134a42d094d2fab127a1c3
                              • Instruction ID: cc63881f419bf67c082c04c9010054e087392713a528dcfd3cfebb5174f311ff
                              • Opcode Fuzzy Hash: 49708aec413fc026824d46d5980c52e82d6a5e2811134a42d094d2fab127a1c3
                              • Instruction Fuzzy Hash: 9DF0AF70944209AFDB01EBB0CE0AFAE7B76EF44710F10455AF4025B2A2CB796D05FBA1
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6CAC17AF,6CAC9011,?,00000000,00000000), ref: 6CAC1816
                              • GetLastError.KERNEL32(?,00000000,?,6CAC17AF,6CAC9011,?,00000000,00000000), ref: 6CAC1820
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: CloseErrorHandleLast
                              • String ID:
                              • API String ID: 918212764-0
                              • Opcode ID: 5f1b0cd8b4ea100af4de7d80e378ef75950832064671b550a89fad3b9eed6f94
                              • Instruction ID: 21d62a493859183107c2ec2673ac0fdfa37686137b71beddffe283e80dbe0039
                              • Opcode Fuzzy Hash: 5f1b0cd8b4ea100af4de7d80e378ef75950832064671b550a89fad3b9eed6f94
                              • Instruction Fuzzy Hash: B3114C32B092141AD71116759588BFD37A98F8373DF2D0329EB289BEC0EB30C4C54792
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00F9110F
                                • Part of subcall function 00F99E53: std::_Throw_Cpp_error.LIBCPMT ref: 00F99E7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Similarity
                              • API ID: Cpp_errorMtx_unlockThrow_std::_
                              • String ID:
                              • API String ID: 2243708590-0
                              • Opcode ID: f8c1e2dbe89e9c1a44ad1c2b2d6b3c1a3e23d9eafdc66047d775978a6fd89ae2
                              • Instruction ID: 7418371d1361ce820474dcbf9100ccb2ea6a27e35a88f4ff817079eada4190a7
                              • Opcode Fuzzy Hash: f8c1e2dbe89e9c1a44ad1c2b2d6b3c1a3e23d9eafdc66047d775978a6fd89ae2
                              • Instruction Fuzzy Hash: A2B18C71A002059FEF14DF68C990B6ABBF4FF49320F1981A9E919AB391D735ED40DB90
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da3567c5845e43f8c7ae9d55a452b283b93a0b0dc282f0f14c36398ee6f769aa
                              • Instruction ID: d9990296487f32192c5e82a717286ee582919b91456f7641749d095b7bb0d681
                              • Opcode Fuzzy Hash: da3567c5845e43f8c7ae9d55a452b283b93a0b0dc282f0f14c36398ee6f769aa
                              • Instruction Fuzzy Hash: 4651C770A00204AFDF05CF58C984E9D7FBAEF4A328F298159E8086B751D371ED85CB90
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Similarity
                              • API ID: Mtx_unlock
                              • String ID:
                              • API String ID: 1418687624-0
                              • Opcode ID: c7463b30d4daf08fb9c6777d3a9369b76a962267695f72cc7a90799a2f94508a
                              • Instruction ID: 4843ca2fee773a5d49cff62da619efc2254702aee90cccba562c1d181c23b6fa
                              • Opcode Fuzzy Hash: c7463b30d4daf08fb9c6777d3a9369b76a962267695f72cc7a90799a2f94508a
                              • Instruction Fuzzy Hash: 7F418EB2E006159FDB10EF18D945B9ABBE8FB44714F0981A9EC099B342E736ED01DB91
                              APIs
                                • Part of subcall function 00F81020: __Cnd_init.LIBCPMT ref: 00F81050
                                • Part of subcall function 00F81020: __Mtx_init.LIBCPMT ref: 00F81083
                                • Part of subcall function 00F810F0: __Thrd_start.LIBCPMT ref: 00F810FF
                              • __Mtx_unlock.LIBCPMT ref: 00F8BA5B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Similarity
                              • API ID: Cnd_initMtx_initMtx_unlockThrd_start
                              • String ID:
                              • API String ID: 2901745279-0
                              • Opcode ID: 89f79fba39c8c7857af5923705c486353bef2307d5cd516f2ec2275ec303ffd7
                              • Instruction ID: b240bf143307fc23ff2927f0299df535a6e133cece3373a6324975c268e66522
                              • Opcode Fuzzy Hash: 89f79fba39c8c7857af5923705c486353bef2307d5cd516f2ec2275ec303ffd7
                              • Instruction Fuzzy Hash: 9C3194B1D042489FDF10EFA8DC42BDEBBB4EF14720F144169E901A7381E779A944DBA2
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C97E0C2
                                • Part of subcall function 6C97E417: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C97E474
                                • Part of subcall function 6C97E417: VerSetConditionMask.KERNEL32(00000000), ref: 6C97E47C
                                • Part of subcall function 6C97E417: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C97E48D
                                • Part of subcall function 6C97E417: GetSystemMetrics.USER32(00001000), ref: 6C97E49E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
                              • String ID:
                              • API String ID: 2710481357-0
                              • Opcode ID: 3aa8659de78140618b0bf9e1e91371b97b925590b3bc312f477f950eb89e36db
                              • Instruction ID: ac99224ca409f2c1600b9edbdd1aa3e803f713e223606aad9621b60a04193851
                              • Opcode Fuzzy Hash: 3aa8659de78140618b0bf9e1e91371b97b925590b3bc312f477f950eb89e36db
                              • Instruction Fuzzy Hash: 2A51DDB0906F418FD3A9CF3A85417C6FAE0BF99304F108A2E91AED6760EB706184CF55
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock
                              • String ID:
                              • API String ID: 1418687624-0
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00FC6EF2,00000001,00000364,?,00FBCAB3,00FFEEC0,00000010), ref: 00FC9254
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,6CAB6292,?,?,6CAB9790,00000001,00000364,?,00000006,000000FF,?,?,6CAB6292,?,6C935557), ref: 6CABC849
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6D611
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 885266447-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Thrd_start
                              • String ID:
                              • API String ID: 2176944979-0
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00FCA0DD,?,?,?,?,?,00FBCAEB,00000000), ref: 00FC7A5B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9C845
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw
                              • String ID:
                              • API String ID: 2005118841-0
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,00FD565F,?,?,00000000,?,00FD565F,00000000,0000000C), ref: 00FD52A1
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              APIs
                              • CreateFileW.KERNEL32(6C94A8D0,00000000,?,6CAC8EC7,?,?,00000000,?,6CAC8EC7,6C94A8D0,0000000C), ref: 6CAC9240
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 6C9632C9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DeleteObject
                              • String ID:
                              • API String ID: 1531683806-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              APIs
                                • Part of subcall function 6C9596B0: CreateToolhelp32Snapshot.KERNEL32 ref: 6C959702
                              • Sleep.KERNEL32 ref: 6C959B9F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CreateSleepSnapshotToolhelp32
                              • String ID:
                              • API String ID: 684154974-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 47400f5c0d8551e33d7ff54f7bf996b66192620b16c058919ef3f409b084b4ca
                              • Instruction ID: 260775931706daa49682bb72b071e4da7a11e1ab4d9aca9d577a24fcb13f016b
                              • Opcode Fuzzy Hash: 47400f5c0d8551e33d7ff54f7bf996b66192620b16c058919ef3f409b084b4ca
                              • Instruction Fuzzy Hash: B0D09E75D402089FC740FFBCE54649EBFF4AB44210F004075E985D7704E6749694CB96
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?), ref: 00F972B7
                              • GetProcAddress.KERNEL32(00000000), ref: 00F972BE
                              • GetCurrentProcess.KERNEL32(00F9771E), ref: 00F972CE
                              • LoadLibraryW.KERNEL32(ntdll.dll,?), ref: 00F97304
                              • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 00F9731A
                              • FreeLibrary.KERNEL32(00000000), ref: 00F97338
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressLibraryProc$CurrentFreeHandleLoadModuleProcess
                              • String ID: IsWow64Process$RtlGetNtVersionNumbers$kernel32$ntdll.dll
                              • API String ID: 1719414290-67787543
                              • Opcode ID: 54d65268eb0b59b3d6eb2384f1de489468dea7b99e8aa28b38179088c72f7627
                              • Instruction ID: 5f492f63b5b02617b0ef6b9a57a72cba822a17a3f1fef4a9272034499fff4a48
                              • Opcode Fuzzy Hash: 54d65268eb0b59b3d6eb2384f1de489468dea7b99e8aa28b38179088c72f7627
                              • Instruction Fuzzy Hash: 4861CA31A1830C56EF28FB65F8657FD73A5EF59320F54015BE84AC7280DB6A8E44AB50
                              APIs
                              • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000), ref: 00F82F97
                              • CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00F82FBC
                              • LocalAlloc.KERNEL32(00000040,?,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F82FD4
                              • CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,?), ref: 00F82FF8
                              • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,?), ref: 00F83015
                              • LocalAlloc.KERNEL32(00000040,?,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F83027
                              • CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,?), ref: 00F83043
                                • Part of subcall function 00F82AF0: lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,33902926), ref: 00F82B5B
                                • Part of subcall function 00F82AF0: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00F82B8D
                                • Part of subcall function 00F82AF0: LocalAlloc.KERNEL32(00000040,?,?,?,33902926), ref: 00F82BA0
                                • Part of subcall function 00F82AF0: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00F82BD6
                                • Part of subcall function 00F82AF0: CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00F82BF9
                              • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,?,00000000), ref: 00F83136
                              • CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,?,00000000), ref: 00F831B3
                              Strings
                              • %02d/%02d/%04d %02d:%02d, xrefs: 00F8321D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Crypt$Param$AllocCertLocalObject$CertificateDecodeFindStore$NameQuerylstrcmp
                              • String ID: %02d/%02d/%04d %02d:%02d
                              • API String ID: 2053929674-4051342895
                              • Opcode ID: be7b39ad13427001958701352f4af57a7bf01f6cfe55f71bbada7dfc8d18fb31
                              • Instruction ID: 2c9497709b3a089a505941b9550f91b6c75d796c71e0890194b792c79121efc0
                              • Opcode Fuzzy Hash: be7b39ad13427001958701352f4af57a7bf01f6cfe55f71bbada7dfc8d18fb31
                              • Instruction Fuzzy Hash: D7A15F75E012289BDB24DF14CC51FEAB7B9BF49B00F1441DAE909A7290DB71AE81DF50
                              APIs
                              • lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,33902926), ref: 00F82B5B
                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00F82B8D
                              • LocalAlloc.KERNEL32(00000040,?,?,?,33902926), ref: 00F82BA0
                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00F82BD6
                              • CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00F82BF9
                              • CertNameToStrW.CRYPT32(00010001,?,00000003,00000000,00000000), ref: 00F82C26
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CertCryptDecodeNameObject$AllocLocallstrcmp
                              • String ID: 1.3.6.1.4.1.311.2.1.12
                              • API String ID: 2110785831-2596186611
                              • Opcode ID: f053b14e3766679166d48b44898a4dfeb93a64edc48fb6a083e950935f5b4f67
                              • Instruction ID: 7f2ac5c1682903e43c6a78ad9849fe08f22129a0014f0b9ecb4f7a8e36952f4c
                              • Opcode Fuzzy Hash: f053b14e3766679166d48b44898a4dfeb93a64edc48fb6a083e950935f5b4f67
                              • Instruction Fuzzy Hash: 93518971A00209AFDB14DFA9C885FEEBBF5FF49724F14812DE506AB291D771A800DB60
                              APIs
                              • LocalFree.KERNEL32(?,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832C2
                              • LocalFree.KERNEL32(?,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832C9
                              • LocalFree.KERNEL32(?,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832D6
                              • LocalFree.KERNEL32(00000000,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832DD
                              • LocalFree.KERNEL32(?,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832EA
                              • CertFreeCertificateContext.CRYPT32(00000000,00F83283,?,00000400,00000002,00000000,?,?,?,00000000,00000000,00000000,33902926), ref: 00F832F7
                              • CertCloseStore.CRYPT32(00000000,00000000), ref: 00F8330A
                              • CryptMsgClose.CRYPT32(00000000), ref: 00F8331B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Free$Local$CertClose$CertificateContextCryptStore
                              • String ID:
                              • API String ID: 506982671-0
                              • Opcode ID: 1d0efbec3280bdafefd17deb559da1ff61efa22126d5cc855380bbd8926753f0
                              • Instruction ID: d909d2c14289505c1709d32e163df1a506a4517529b7f5ff74b11b7c57fb7952
                              • Opcode Fuzzy Hash: 1d0efbec3280bdafefd17deb559da1ff61efa22126d5cc855380bbd8926753f0
                              • Instruction Fuzzy Hash: 1CF0EC70F0222997DF21AB758D88F9A77AC6F04B51F04449AA805E3251CB75DE40AF60
                              APIs
                              • lstrcmpA.KERNEL32(?,1.2.840.113549.1.9.6), ref: 00F82E18
                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00F82E47
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00F82E56
                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00F82E82
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                              • String ID: 1.2.840.113549.1.9.6
                              • API String ID: 3284379815-2921522063
                              • Opcode ID: 2660e0b7aa4adee3b82b25ee3cdd3f0ca66359c4934194a6ab09c129cb998267
                              • Instruction ID: 5ae3338aace9c681b2e834a1a8457cd0cf0987e806b2054bee90a5af41cb76b6
                              • Opcode Fuzzy Hash: 2660e0b7aa4adee3b82b25ee3cdd3f0ca66359c4934194a6ab09c129cb998267
                              • Instruction Fuzzy Hash: 15317C71A40209EFDB10DFA9CC45FEABBF5FF48710F10416AE502AB2A0DB75A804DB64
                              APIs
                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00FD279D
                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00FD27C6
                              • GetACP.KERNEL32 ref: 00FD27DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 57f7230d293d78ac5ae7f52d102b93028eefffa46dae46a812ed81e23262a024
                              • Instruction ID: 5761c1eed43356ca60259acba8af805d686e4277e52312e762cefd79145a5911
                              • Opcode Fuzzy Hash: 57f7230d293d78ac5ae7f52d102b93028eefffa46dae46a812ed81e23262a024
                              • Instruction Fuzzy Hash: 4E21B226A00105A7DBB48F54C901B97B7A7AB74B70B5E8466E80AC7310E732DD41E3D0
                              APIs
                              • lstrcmpA.KERNEL32(1.2.840.113549.1.9.5,00000000), ref: 00F82D10
                              • CryptDecodeObject.CRYPT32(00010001,1.2.840.113549.1.9.5,?,00000008,00000000,?,00000008), ref: 00F82D60
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F82D72
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F82D7F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Time$File$CryptDecodeLocalObjectSystemlstrcmp
                              • String ID: 1.2.840.113549.1.9.5
                              • API String ID: 1508694121-925610549
                              • Opcode ID: 1b7a1e6336b3407f82d194f6349823515f3b2afc27fedf1f0b728b6f430c6064
                              • Instruction ID: 2a095d1971ecce31129a05c658c81aac7116995d205472d7ee80cac196470864
                              • Opcode Fuzzy Hash: 1b7a1e6336b3407f82d194f6349823515f3b2afc27fedf1f0b728b6f430c6064
                              • Instruction Fuzzy Hash: 28216D32A0010DAFCF10EFA8DC85AEEBBB9FF48310B45016AE906D7151DA31A9499B90
                              APIs
                                • Part of subcall function 00FC6EC4: GetLastError.KERNEL32(?,?,00FBCAB3,00FFEEC0,00000010), ref: 00FC6EC8
                                • Part of subcall function 00FC6EC4: _free.LIBCMT ref: 00FC6EFB
                                • Part of subcall function 00FC6EC4: SetLastError.KERNEL32(00000000), ref: 00FC6F3C
                                • Part of subcall function 00FC6EC4: _abort.LIBCMT ref: 00FC6F42
                                • Part of subcall function 00FC6EC4: _free.LIBCMT ref: 00FC6F23
                                • Part of subcall function 00FC6EC4: SetLastError.KERNEL32(00000000), ref: 00FC6F30
                              • GetUserDefaultLCID.KERNEL32 ref: 00FD29E4
                              • IsValidCodePage.KERNEL32(00000000), ref: 00FD2A3F
                              • IsValidLocale.KERNEL32(?,00000001), ref: 00FD2A4E
                              • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00FD2A96
                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00FD2AB5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID:
                              • API String ID: 745075371-0
                              • Opcode ID: 4c53c30c727e4300aa9c85f5a10c62d7d16ab13aa78e19bc9fd8eaca60f85376
                              • Instruction ID: a179a92530ae7cd16df500b4c56486495bfb6fdce7b19f6a53c22cc6d9317f20
                              • Opcode Fuzzy Hash: 4c53c30c727e4300aa9c85f5a10c62d7d16ab13aa78e19bc9fd8eaca60f85376
                              • Instruction Fuzzy Hash: 1A517472D0020A9BDB90DFA5CC45BBE73BAFF24711F08416BE914E7250D7749A44B7A1
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00F5B45C
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00F5B487
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F5B4C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: invalid type specifier
                              • API String ID: 1173841540-1382033351
                              • Opcode ID: c9537661e7ebb67b4f6fa55bc82c1950957321039bc0289f6b1d713dc217f31d
                              • Instruction ID: 9137df54451f73db32ac393bcc3c98ce14d42e38fdb23ddb54090b4971501ca0
                              • Opcode Fuzzy Hash: c9537661e7ebb67b4f6fa55bc82c1950957321039bc0289f6b1d713dc217f31d
                              • Instruction Fuzzy Hash: 9F025E71D046498FCB25CF68C890AAEFBF5BF48310F1486AED95AA7741D730A988CF50
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 6C9687C4
                                • Part of subcall function 6C97BF38: SetWindowPos.USER32(?,00000115,00000000,00000000,00000002,00000002,00000000,?,?,6C9795CB,00000000,00000002,00000002,00000000,00000000,00000115), ref: 6C97BF60
                              • SetRectEmpty.USER32(?), ref: 6C968852
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: RectWindow$Empty
                              • String ID: @
                              • API String ID: 650961088-2766056989
                              • Opcode ID: 875747253bd623647105c126f68bbcc38a5dd637a47bab911e9de90feddb9efd
                              • Instruction ID: 97afceb5e06d6e89c92dd4e126edc65bb7fdf04963538c0ca394aa6125e21c4e
                              • Opcode Fuzzy Hash: 875747253bd623647105c126f68bbcc38a5dd637a47bab911e9de90feddb9efd
                              • Instruction Fuzzy Hash: 1CE13571E01219AFEB08CFA9C985AEEBBB5FF49314F24415AE815B7780DB30A941CB54
                              APIs
                                • Part of subcall function 00F78840: InitializeCriticalSectionAndSpinCount.KERNEL32(00FFD73C,00000000,00F9B4F4,?,?,00FFD73C), ref: 00F78843
                                • Part of subcall function 00F78840: GetLastError.KERNEL32(?,?,00FFD73C), ref: 00F7884D
                              • IsDebuggerPresent.KERNEL32(?,?,00FFD73C), ref: 00F9B4F8
                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00FFD73C), ref: 00F9B507
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F9B502
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 450123788-631824599
                              • Opcode ID: 7994e7617c6aa151619a06b91ae0cda0b95e4f7be87da11a9926ff3d311652cf
                              • Instruction ID: 2f851975ae197b1b4087eb5a80e5a8616c0e40bd99a7a280ca3781f1bb22bf45
                              • Opcode Fuzzy Hash: 7994e7617c6aa151619a06b91ae0cda0b95e4f7be87da11a9926ff3d311652cf
                              • Instruction Fuzzy Hash: A6E06D742013418BD7309F26E91874ABBE4AF04341F44892EE896C7295EBB8D448AFA2
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00FB6657
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FB6661
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00FB666E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 99e0bb331fc2ccb40b8bedd47474fe602489fdb8f1248d9fefc8ebacf120dc4f
                              • Instruction ID: a3a4ea22d956dfc517c22cf07ef67ce7271eb015a8adc740ddda89211f66152a
                              • Opcode Fuzzy Hash: 99e0bb331fc2ccb40b8bedd47474fe602489fdb8f1248d9fefc8ebacf120dc4f
                              • Instruction Fuzzy Hash: BC31B37590121C9BCB21DF69DD89BDDBBB8AF08310F5042EAE81CA7250EB749B859F44
                              APIs
                              • GetCurrentProcess.KERNEL32(00000003,?,00FC4689,00000003,00FFEEE0,0000000C,00FC47E0,00000003,00000002,00000000,?,00FBCA8D,00000003), ref: 00FC46D4
                              • TerminateProcess.KERNEL32(00000000,?,00FC4689,00000003,00FFEEE0,0000000C,00FC47E0,00000003,00000002,00000000,?,00FBCA8D,00000003), ref: 00FC46DB
                              • ExitProcess.KERNEL32 ref: 00FC46ED
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 98686ab4c1e70f76248cd0712dfaa49895d80db564947cca105a1ab2069ae947
                              • Instruction ID: d14dd148bf186fdf50fd4cf21175f97d00a4b934e3784bb961e8478aac1db99f
                              • Opcode Fuzzy Hash: 98686ab4c1e70f76248cd0712dfaa49895d80db564947cca105a1ab2069ae947
                              • Instruction Fuzzy Hash: F6E0463140110AABCF016F20CE0AF883BAAEF41351B004028F80A8A131CB39ED92FA80
                              APIs
                              • GetAdaptersInfo.IPHLPAPI(?), ref: 00F963CC
                              • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00F963EF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AdaptersInfo
                              • String ID:
                              • API String ID: 3177971545-0
                              • Opcode ID: 9201638d2cbbe046539003ab07ad565341a95eba6616a76417c3291e32af10dc
                              • Instruction ID: 70cb71468bc7ef620aadba01e05acdd5ba4b4f627afe8460fbe89e2f243608f8
                              • Opcode Fuzzy Hash: 9201638d2cbbe046539003ab07ad565341a95eba6616a76417c3291e32af10dc
                              • Instruction Fuzzy Hash: 1021FC72A042045FEB21DF64EC41EABB7D8AF94321F44053AF959D7140DB3598099B92
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Iconic
                              • String ID:
                              • API String ID: 110040809-0
                              • Opcode ID: 3f6e6e05536f27bf82ab4eaa57fadc6091777fe5aa32883a15ff406d3a6d0935
                              • Instruction ID: 8203e860927bab4885b28e4f1c71f88a9656ec38dbb0f97554d4136d14ce33b4
                              • Opcode Fuzzy Hash: 3f6e6e05536f27bf82ab4eaa57fadc6091777fe5aa32883a15ff406d3a6d0935
                              • Instruction Fuzzy Hash: DFD0C931125A60CBD7615E2AA8447C6B7B9BF49319B00092AD08286EB0D6A0D880CA80
                              APIs
                                • Part of subcall function 00F9B7AB: EnterCriticalSection.KERNEL32(01004F38,?,?,?,00F61B5C,01005B90,00F51077,33902926,?,00FDBE3E,000000FF), ref: 00F9B7B6
                                • Part of subcall function 00F9B7AB: LeaveCriticalSection.KERNEL32(01004F38,?,?,?,00F61B5C,01005B90,00F51077,33902926,?,00FDBE3E,000000FF), ref: 00F9B7F3
                              • GetProcessHeap.KERNEL32 ref: 00F61B11
                                • Part of subcall function 00F9BB2A: __onexit.LIBCMT ref: 00F9BB30
                                • Part of subcall function 00F9B761: EnterCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B76B
                                • Part of subcall function 00F9B761: LeaveCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B79E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$HeapProcess__onexit
                              • String ID:
                              • API String ID: 1320482808-0
                              • Opcode ID: 368dee5d6662e0a5638ffac0842274e0eff8381cb8968e6083393c98e3a33faf
                              • Instruction ID: 2c686e00f143d6e5b4867def91be2058acc55438293e8563715a7eaf29685319
                              • Opcode Fuzzy Hash: 368dee5d6662e0a5638ffac0842274e0eff8381cb8968e6083393c98e3a33faf
                              • Instruction Fuzzy Hash: 371182B4900E04CFF772AF64FD0AB593BA0B754324F540218E2C54A2C9E7BE78449F52
                              APIs
                              • CoInitializeEx.OLE32(00000000,00000000,33902926,?), ref: 00F97F1F
                              • CoCreateInstance.OLE32(00FE28F0,00000000,00000001,00FE2820,?), ref: 00F97F46
                              • InterlockedDecrement.KERNEL32(?), ref: 00F97FB3
                              • SysFreeString.OLEAUT32(00000000), ref: 00F97FC8
                              • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00F98007
                              • CoUninitialize.OLE32 ref: 00F98023
                              • VariantInit.OLEAUT32(?), ref: 00F98080
                              • InterlockedDecrement.KERNEL32(?), ref: 00F980D4
                              • SysFreeString.OLEAUT32(00000000), ref: 00F980E9
                              • VariantInit.OLEAUT32(?), ref: 00F98128
                                • Part of subcall function 00F6B340: SysAllocString.OLEAUT32(?), ref: 00F6B3A0
                              • InterlockedDecrement.KERNEL32(?), ref: 00F9817C
                              • SysFreeString.OLEAUT32(00000000), ref: 00F98191
                              • VariantInit.OLEAUT32(?), ref: 00F981D0
                                • Part of subcall function 00F97540: _com_util::ConvertStringToBSTR.COMSUPP ref: 00F975A0
                              • InterlockedDecrement.KERNEL32(?), ref: 00F98224
                              • SysFreeString.OLEAUT32(00000000), ref: 00F98239
                              • VariantClear.OLEAUT32(?), ref: 00F982AD
                              • CoUninitialize.OLE32 ref: 00F982C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: String$DecrementFreeInterlockedVariant$Init$Uninitialize$AllocBlanketClearConvertCreateInitializeInstanceProxy_com_util::
                              • String ID: MSSMBios_RawSMBiosTables$ROOT\WMI$SMBiosData$SmbiosMajorVersion$SmbiosMinorVersion$`)u
                              • API String ID: 2776751823-2377987326
                              • Opcode ID: d3ba25c3a5e4088b6e8e1a905db48ac484ec3db683abbfa74a93cd47f55170e5
                              • Instruction ID: 8642bf99a5be284cd7ca1a83ba1d513a7bf1f0b5e5970d64e46ce84588f1be9f
                              • Opcode Fuzzy Hash: d3ba25c3a5e4088b6e8e1a905db48ac484ec3db683abbfa74a93cd47f55170e5
                              • Instruction Fuzzy Hash: 3FD15D71A013089FEF20DFA4CC45FAEBBB8AF09750F144159F915AB290DB75E906EB60
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C962EDB
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C962F30
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C962F48
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C962F60
                              • GetObjectW.GDI32(00000004,00000018,?), ref: 6C962F80
                              • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C962FA6
                              • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,6CADDA40), ref: 6C962FC9
                              • CreatePatternBrush.GDI32(?), ref: 6C962FDB
                              • DeleteObject.GDI32(?), ref: 6C96300A
                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C96301B
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C963063
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C963089
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 6C9630B1
                              • FillRect.USER32(?,?,?), ref: 6C963113
                                • Part of subcall function 6C964160: __EH_prolog3.LIBCMT ref: 6C964167
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C963141
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 6C96315C
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 6C963173
                              • DeleteDC.GDI32(00000000), ref: 6C9631E0
                              • DeleteDC.GDI32(00000000), ref: 6C9631FC
                              • DeleteDC.GDI32(00000000), ref: 6C96321B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Delete$BitmapCompatible$Object$BrushFillH_prolog3H_prolog3_PatternPixelRect
                              • String ID:
                              • API String ID: 308707564-0
                              • Opcode ID: 2980437779d6cf9cacb8f05f8a0ffaab9675fe9146451d515a4313a7c4ed2109
                              • Instruction ID: 3365b609eca085da7ee1162897a616ee6d3de17a8aa6e832e8a687f07d395425
                              • Opcode Fuzzy Hash: 2980437779d6cf9cacb8f05f8a0ffaab9675fe9146451d515a4313a7c4ed2109
                              • Instruction Fuzzy Hash: C2B1D5B2D01208AFEF119FE5CD859EDBB79FF28348F204029E515A7A90DB319945DB60
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C980A9C
                              • CreateRectRgnIndirect.GDI32(?), ref: 6C980AD4
                              • CopyRect.USER32(?,?), ref: 6C980AE8
                              • InflateRect.USER32(?,?,?), ref: 6C980AFE
                              • IntersectRect.USER32(?,?,?), ref: 6C980B0A
                              • CreateRectRgnIndirect.GDI32(?), ref: 6C980B14
                              • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C980B29
                              • CombineRgn.GDI32(?,?,?,00000003), ref: 6C980B43
                              • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C980B8A
                              • SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C980BA7
                              • CopyRect.USER32(?,?), ref: 6C980BB2
                              • InflateRect.USER32(?,?,?), ref: 6C980BC8
                              • IntersectRect.USER32(?,?,?), ref: 6C980BD4
                              • SetRectRgn.GDI32(?,?,?,?,?), ref: 6C980BE9
                              • CombineRgn.GDI32(?,?,?,00000003), ref: 6C980BFA
                              • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C980C0E
                              • CombineRgn.GDI32(?,?,?,00000003), ref: 6C980C28
                                • Part of subcall function 6C9809F1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C980A38
                                • Part of subcall function 6C9809F1: CreatePatternBrush.GDI32(00000000), ref: 6C980A45
                                • Part of subcall function 6C9809F1: DeleteObject.GDI32(00000000), ref: 6C980A51
                              • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C980C86
                                • Part of subcall function 6C9635E3: SelectObject.GDI32(?,00000000), ref: 6C963603
                                • Part of subcall function 6C9635E3: SelectObject.GDI32(?,00000000), ref: 6C963619
                                • Part of subcall function 6C963A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C963A5A
                                • Part of subcall function 6C963A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C963A70
                              • PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C980CE9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
                              • String ID:
                              • API String ID: 770706554-0
                              • Opcode ID: f8f109ee4a77e7a01b7893b3d1275b2afebe05780b8674e8f6eb359aae15fceb
                              • Instruction ID: 82e8f8e12af6374ae8e401936d6e2cdad80fbd10151707a97739a015a9bd1238
                              • Opcode Fuzzy Hash: f8f109ee4a77e7a01b7893b3d1275b2afebe05780b8674e8f6eb359aae15fceb
                              • Instruction Fuzzy Hash: 4B9103B2A01218AFCF05DFE4C999DEEBBB9FF59304B144419F906E3A50DB34A905DB60
                              APIs
                              • InflateRect.USER32(?,00000004,00000004), ref: 6C9C6AC3
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C9C6AD5
                              • UpdateWindow.USER32(?), ref: 6C9C6ADE
                              • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9C6B1F
                              • DispatchMessageW.USER32(?), ref: 6C9C6B31
                              • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9C6B41
                              • GetCapture.USER32 ref: 6C9C6B4B
                              • SetCapture.USER32(?), ref: 6C9C6B5C
                              • GetCapture.USER32 ref: 6C9C6B68
                              • GetWindowRect.USER32(?,?), ref: 6C9C6B90
                              • SetCursorPos.USER32(?,?), ref: 6C9C6BB7
                              • GetCapture.USER32 ref: 6C9C6BBD
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9C6BD6
                              • DispatchMessageW.USER32(?), ref: 6C9C6C00
                              • ReleaseCapture.USER32 ref: 6C9C6C40
                              • IsWindow.USER32(?), ref: 6C9C6C49
                              • SendMessageW.USER32(8589084D,00000010,00000000,00000000), ref: 6C9C6C62
                              • SetTimer.USER32(?,0000EC05,00000000), ref: 6C9CA71C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendTimerUpdate
                              • String ID:
                              • API String ID: 3094444671-0
                              • Opcode ID: b3a6775902e6bd9e1ea871c8d5b6d32bf7103d66a7fb166c4ad24aee8b9c94e6
                              • Instruction ID: 3b1833c111b977b97e26899d3e711fa7c7943cdd5358a851c5c6ce7b973ff45a
                              • Opcode Fuzzy Hash: b3a6775902e6bd9e1ea871c8d5b6d32bf7103d66a7fb166c4ad24aee8b9c94e6
                              • Instruction Fuzzy Hash: EBB18231B45215AFDF149BA4DC95ABE7BB9FF59314F140129E905EBA80DF30E900CB52
                              APIs
                              • curl_easy_setopt.LIBCURL(00FEE204,00000029,00000001,00000000,?), ref: 00F94A0E
                              • curl_easy_setopt.LIBCURL(00FEE204,00000040,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A1E
                              • curl_easy_setopt.LIBCURL(00FEE204,00000051,00000000,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A25
                              • curl_easy_setopt.LIBCURL(00FEE204,000000D5,00000001,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A32
                              • curl_easy_setopt.LIBCURL(00FEE204,000000D6,00000078,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A3C
                              • curl_easy_setopt.LIBCURL(00FEE204,000000D7,0000003C,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A46
                              • curl_easy_setopt.LIBCURL(00FEE204,00000063,00000001,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A4D
                              • curl_easy_setopt.LIBCURL(00FEE204,0000000D,00000708,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A57
                              • curl_easy_setopt.LIBCURL(00FEE204,0000004E,0000003C,?,?,?,00000000,00FED748,00000001,g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp), ref: 00F94A5E
                              • curl_easy_setopt.LIBCURL(00FEE204,00002722,Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36), ref: 00F94A6E
                              • curl_easy_setopt.LIBCURL(00FEE204,0000002B,00000000), ref: 00F94A75
                              • curl_easy_setopt.LIBCURL(00FEE204,00000034,00000001), ref: 00F94A7C
                              • curl_easy_setopt.LIBCURL(00FEE204,00002749), ref: 00F94A85
                              • curl_easy_setopt.LIBCURL(00FEE204,00004E58,00F95270), ref: 00F94A92
                              Strings
                              • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36, xrefs: 00F94A63
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: curl_easy_setopt
                              • String ID: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
                              • API String ID: 2879491745-4105674886
                              • Opcode ID: f06e27a7826c84d72e96a8c3e7f0fe5b4eb34fee5635e9e61a74dd82c74a6caa
                              • Instruction ID: 0e7d612cb6408b045427720a1d50ebf6b871c76681ea4d92183762e35a056a2a
                              • Opcode Fuzzy Hash: f06e27a7826c84d72e96a8c3e7f0fe5b4eb34fee5635e9e61a74dd82c74a6caa
                              • Instruction Fuzzy Hash: 4711D7617C2B6875F53232655C4BFDF2A0C9FE2F55F064001FB047D5C19AC9664289EA
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Getcvt
                              • String ID: .,$false$true
                              • API String ID: 1921796781-276263365
                              • Opcode ID: f3bec7d0793583eb7f54714e1348e0845a998703d5534a8087d4509ac4714615
                              • Instruction ID: 6e8fa5a1ee2c406c553d78dedd8bf9ec980e73d9f4392195668ed27a59080f15
                              • Opcode Fuzzy Hash: f3bec7d0793583eb7f54714e1348e0845a998703d5534a8087d4509ac4714615
                              • Instruction Fuzzy Hash: A8714531E042408FDF25DF58C8417AABBB5EB84320F04815EED556B382CB7AAD09DB90
                              APIs
                              • GetKeyState.USER32(00000001), ref: 6C984AC9
                              • GetCursorPos.USER32(?), ref: 6C984AEE
                              • ScreenToClient.USER32(?,?), ref: 6C984AFB
                              • GetCapture.USER32 ref: 6C984B6D
                              • ClientToScreen.USER32(?,?), ref: 6C984BB0
                              • WindowFromPoint.USER32(?,?), ref: 6C984BBC
                              • IsChild.USER32(?,?), ref: 6C984BD4
                              • KillTimer.USER32(?,0000EC0A), ref: 6C984C14
                              • KillTimer.USER32(?,0000EC09), ref: 6C984C3D
                                • Part of subcall function 6C96ED80: GetForegroundWindow.USER32 ref: 6C96ED8D
                                • Part of subcall function 6C96ED80: GetLastActivePopup.USER32(?), ref: 6C96ED9E
                              • GetParent.USER32(?), ref: 6C984C94
                              • IsAppThemed.UXTHEME ref: 6C984CEE
                              • OpenThemeData.UXTHEME(?,REBAR), ref: 6C984D00
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorDataForegroundFromLastOpenParentPointPopupStateThemeThemed
                              • String ID: REBAR
                              • API String ID: 214255902-925029515
                              • Opcode ID: bb077efd18af2e4775355185fffcc529261b34b8daa5b6f4501e59d75f1339a3
                              • Instruction ID: d25bf0dcd3c2649ea3c9e6d23abd8ade801fc5a4d4f44340ce46ea1b4e3d2ced
                              • Opcode Fuzzy Hash: bb077efd18af2e4775355185fffcc529261b34b8daa5b6f4501e59d75f1339a3
                              • Instruction Fuzzy Hash: CC619471B022199FDF059F75C8A4AAE7BBDBF55718B100969E811D7A90EB30DD01CF90
                              APIs
                                • Part of subcall function 6C980207: GetFocus.USER32 ref: 6C98020B
                                • Part of subcall function 6C980207: GetParent.USER32(00000000), ref: 6C98022C
                                • Part of subcall function 6C980207: GetWindowLongW.USER32(00000000,000000F0), ref: 6C98024B
                                • Part of subcall function 6C980207: GetParent.USER32(00000000), ref: 6C980259
                                • Part of subcall function 6C980207: GetDesktopWindow.USER32 ref: 6C980261
                                • Part of subcall function 6C980207: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C980275
                              • GetMenu.USER32(?), ref: 6C974C69
                              • GetMenuItemCount.USER32(?), ref: 6C974CA7
                              • GetSubMenu.USER32(?,00000000), ref: 6C974CBD
                              • GetMenuItemCount.USER32(?), ref: 6C974CE2
                              • GetMenuItemID.USER32(?,00000000), ref: 6C974CFC
                              • GetSubMenu.USER32(?,?), ref: 6C974D18
                              • GetMenuItemID.USER32(?,00000000), ref: 6C974D30
                              • GetMenuItemCount.USER32(?), ref: 6C974D51
                              • GetMenuItemID.USER32(?,?), ref: 6C974D87
                              • SendMessageW.USER32(?,00000362,-0000E001,00000000), ref: 6C974E43
                              • UpdateWindow.USER32(?), ref: 6C974E64
                              • GetKeyState.USER32(00000079), ref: 6C974E82
                              • GetKeyState.USER32(00000012), ref: 6C974E93
                              • GetParent.USER32(?), ref: 6C974F55
                              • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C974F6F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Menu$Item$CountMessageParentWindow$SendState$DesktopFocusLongPostUpdate
                              • String ID:
                              • API String ID: 1315724587-0
                              • Opcode ID: c00a29592edd80331a5a8c02cbe500e9b44ffb3fe85d81f953aeebcc58c98df2
                              • Instruction ID: b869d2faccd8203bb79705356b50fc1396d4d9fa48d54513f355b85093fd3662
                              • Opcode Fuzzy Hash: c00a29592edd80331a5a8c02cbe500e9b44ffb3fe85d81f953aeebcc58c98df2
                              • Instruction Fuzzy Hash: 9AC1BE31B02209EFDF159F64C944BADBBB9BF45314F148169E815A7A91DB30E850CFA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: ef8693e81cf06143d12e8613560d17f7e17674a0a224c54b9a823c0eafc38d43
                              • Instruction ID: 327af555668c4602d7ae484a775346312085e72e8463d17a45dc2eaa5016d070
                              • Opcode Fuzzy Hash: ef8693e81cf06143d12e8613560d17f7e17674a0a224c54b9a823c0eafc38d43
                              • Instruction Fuzzy Hash: 34B19F71D04306AFDB11DF66C882BEEBBB5BF08310F14406EF599A7642D7759841AFA0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C962C26
                              • GetSysColor.USER32(00000014), ref: 6C962C5D
                                • Part of subcall function 6C963367: __EH_prolog3.LIBCMT ref: 6C96336E
                                • Part of subcall function 6C963367: CreateSolidBrush.GDI32(6C96F82B), ref: 6C963389
                              • GetSysColor.USER32(00000010), ref: 6C962C72
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C962C86
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C962C9E
                              • GetObjectW.GDI32(10C2C95B,00000018,?), ref: 6C962CC1
                              • CreateBitmap.GDI32(?,?,?,?,00000000), ref: 6C962CE2
                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6C962D03
                                • Part of subcall function 6C963D86: SelectObject.GDI32(6C96F82B,?), ref: 6C963D8F
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C962D4B
                                • Part of subcall function 6C963696: SetBkColor.GDI32(?,6C96F82B), ref: 6C9636AB
                                • Part of subcall function 6C963696: SetBkColor.GDI32(?,6C96F82B), ref: 6C9636BD
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C962D74
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 6C962D9E
                              • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 6C962E09
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 6C962E32
                              • DeleteDC.GDI32(00000000), ref: 6C962EA7
                              • DeleteDC.GDI32(00000000), ref: 6C962EC6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Color$BitmapCompatibleDeleteH_prolog3Object$BrushPixelSelectSolid
                              • String ID:
                              • API String ID: 2254850417-0
                              • Opcode ID: 8d10599b3a723f6e39b88a4abdf399a104549aa16cdf49919b48669becfc4614
                              • Instruction ID: d2deceeec06f70442601cb62916f8aae7e55bc5f22906fb4f5bae0d1a961f7c9
                              • Opcode Fuzzy Hash: 8d10599b3a723f6e39b88a4abdf399a104549aa16cdf49919b48669becfc4614
                              • Instruction Fuzzy Hash: B1810872901208AFEF029FE1CD45AEEBB79FF28704F104128F505B6AA0DB719A55DB60
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C99EE55
                              • GetClientRect.USER32(?,?), ref: 6C99EE73
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C99EEAC
                              • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C99EF01
                              • CreateDIBSection.GDI32(?,?), ref: 6C99EF73
                              • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C99EFAC
                              • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C99EFDF
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C99F047
                              • GetWindowRect.USER32(?,?), ref: 6C99F0B6
                              • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C99F206
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
                              • String ID: (
                              • API String ID: 2918208214-3887548279
                              • Opcode ID: 846f19955d31a3e93b38ced34db8689e956ffde6215845ae9a250a2ee10782b2
                              • Instruction ID: 4c23eafbbe225826d737c5bac57c33e73f5c4b7e584bf77cac38e4c933b90d0c
                              • Opcode Fuzzy Hash: 846f19955d31a3e93b38ced34db8689e956ffde6215845ae9a250a2ee10782b2
                              • Instruction Fuzzy Hash: ACD13775A00609AFDF15CFA9C994AEEFBB9FF09308F144129E519A7A10DB30AD45CF90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C9ECED5
                                • Part of subcall function 6C9DE380: __EH_prolog3.LIBCMT ref: 6C9DE387
                              • GetWindowRect.USER32(?,?), ref: 6C9ECFBB
                                • Part of subcall function 6C97BCF3: GetDlgCtrlID.USER32(?), ref: 6C97BCFE
                                • Part of subcall function 6C9EEBDB: GetWindowRect.USER32(?,?), ref: 6C9EEBE9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3RectWindow$Ctrl
                              • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                              • API String ID: 2598721110-2628993547
                              • Opcode ID: 91bb6ade79d66e228dfc7717e51d06b03b14a3866704f0fba9323920f93d1648
                              • Instruction ID: 6b1a59d6e5fa3de978ea0995ee9a650861ace83bb95a06c92a5a1b81684a8f27
                              • Opcode Fuzzy Hash: 91bb6ade79d66e228dfc7717e51d06b03b14a3866704f0fba9323920f93d1648
                              • Instruction Fuzzy Hash: 4A812A35A00209DFCF05DFA4C894AFDB776BF99314F190468E916AB7A1DB35A805CF50
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 00FD15D2
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD093E
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0950
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0962
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0974
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0986
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0998
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD09AA
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD09BC
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD09CE
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD09E0
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD09F2
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0A04
                                • Part of subcall function 00FD0921: _free.LIBCMT ref: 00FD0A16
                              • _free.LIBCMT ref: 00FD15C7
                                • Part of subcall function 00FC79EF: HeapFree.KERNEL32(00000000,00000000,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?), ref: 00FC7A05
                                • Part of subcall function 00FC79EF: GetLastError.KERNEL32(?,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?,?), ref: 00FC7A17
                              • _free.LIBCMT ref: 00FD15E9
                              • _free.LIBCMT ref: 00FD15FE
                              • _free.LIBCMT ref: 00FD1609
                              • _free.LIBCMT ref: 00FD162B
                              • _free.LIBCMT ref: 00FD163E
                              • _free.LIBCMT ref: 00FD164C
                              • _free.LIBCMT ref: 00FD1657
                              • _free.LIBCMT ref: 00FD168F
                              • _free.LIBCMT ref: 00FD1696
                              • _free.LIBCMT ref: 00FD16B3
                              • _free.LIBCMT ref: 00FD16CB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 1e4319d33b0b567331d27994fa7df98886bec33d6c3136429b1ba6278d2c3e02
                              • Instruction ID: dd9595d4010508fdaeb6a23cd1a23b3a1deb53262256e47815aba73a15daea80
                              • Opcode Fuzzy Hash: 1e4319d33b0b567331d27994fa7df98886bec33d6c3136429b1ba6278d2c3e02
                              • Instruction Fuzzy Hash: 5A313D71904305AFEB21AA79DD86B5673EABB00360F18491FF45AD7651DF39EC80EB20
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C9ECCD8
                                • Part of subcall function 6C9DE380: __EH_prolog3.LIBCMT ref: 6C9DE387
                                • Part of subcall function 6C97BCF3: GetDlgCtrlID.USER32(?), ref: 6C97BCFE
                                • Part of subcall function 6C9EA024: __EH_prolog3.LIBCMT ref: 6C9EA02B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3$Ctrl
                              • String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
                              • API String ID: 3879667756-2628993547
                              • Opcode ID: c0dbad36f355aca53d1e7dda73d62d8b89f0ff726cc3dff022fc105c645d558b
                              • Instruction ID: 1e273fa649672bf84f27de55ea8556393c2b72cf58a92cb7636f93b83d638d0a
                              • Opcode Fuzzy Hash: c0dbad36f355aca53d1e7dda73d62d8b89f0ff726cc3dff022fc105c645d558b
                              • Instruction Fuzzy Hash: 9C51BF35A00219EFCF04DF64C894AFEBB7AFF59318B140458E816AB781DB35AD05CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: cb46934f3822d7e7417e5446ff13d0c9cc1bbf381ee513011323df0f27fde746
                              • Instruction ID: 342c476c62b92de2d6e013b9a1035132719998deff9200d90725291dfc0c141e
                              • Opcode Fuzzy Hash: cb46934f3822d7e7417e5446ff13d0c9cc1bbf381ee513011323df0f27fde746
                              • Instruction Fuzzy Hash: B2C155B2D40205AFDB20DBA8CD83FDE77F99B48710F150165FA05EB382DA74AD419B60
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6CA16FFA
                              • GetObjectW.GDI32(00000018,00000018,00000000), ref: 6CA17011
                                • Part of subcall function 6CA16F50: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6CA16FC7
                              • CreateCompatibleDC.GDI32(00000000), ref: 6CA17091
                              • SelectObject.GDI32(?,00000018), ref: 6CA170A4
                              • CreateCompatibleDC.GDI32(00000000), ref: 6CA170C2
                              • SelectObject.GDI32(?,?), ref: 6CA170D7
                              • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CA170F6
                              • SelectObject.GDI32(?,00000000), ref: 6CA17104
                              • SelectObject.GDI32(?,00000000), ref: 6CA1710E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Select$Create$Compatible$H_prolog3Section
                              • String ID:
                              • API String ID: 2431383920-3916222277
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C99E8B2
                              • GetClientRect.USER32(?,?), ref: 6C99E8D0
                              • SetRectEmpty.USER32(?), ref: 6C99E924
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99E96F
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99E9F8
                              • GetWindowRect.USER32(?,?), ref: 6C99EA1D
                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C99EA49
                              • OffsetRect.USER32(?,00000000,00000000), ref: 6C99EAF7
                              • InflateRect.USER32(?,00000000,00000000), ref: 6C99EB55
                              • IsRectEmpty.USER32(?), ref: 6C99EC53
                              • IsRectEmpty.USER32(?), ref: 6C99EDE3
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$EmptyWindow$Points$ClientH_prolog3_InflateOffset
                              • String ID:
                              • API String ID: 302641110-0
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?), ref: 00FBB9C4
                              • GetLastError.KERNEL32 ref: 00FBB9D1
                              • __dosmaperr.LIBCMT ref: 00FBB9D8
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,?), ref: 00FBBA04
                              • GetLastError.KERNEL32 ref: 00FBBA0E
                              • __dosmaperr.LIBCMT ref: 00FBBA15
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 00FBBA58
                              • GetLastError.KERNEL32 ref: 00FBBA62
                              • __dosmaperr.LIBCMT ref: 00FBBA69
                              • _free.LIBCMT ref: 00FBBA75
                              • _free.LIBCMT ref: 00FBBA7C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              APIs
                              • WriteConsoleA.KERNEL32(?,?,?,00000000,00000000), ref: 00F6E793
                              • GetConsoleScreenBufferInfo.KERNEL32(?,?,?,?,?), ref: 00F6E8BC
                              • SetConsoleTextAttribute.KERNEL32(?,?), ref: 00F6E8D6
                              • WriteConsoleA.KERNEL32(?,?,?,00000000,00000000), ref: 00F6E8F7
                              • SetConsoleTextAttribute.KERNEL32(?,?), ref: 00F6E903
                              • WriteConsoleA.KERNEL32(?,?,00000000,00000000,00000000), ref: 00F6E935
                              • __Mtx_unlock.LIBCPMT ref: 00F6E995
                              • __Mtx_unlock.LIBCPMT ref: 00F6EABC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Console$Write$AttributeMtx_unlockText$BufferInfoScreen
                              • String ID: list<T> too long
                              • API String ID: 1661840912-4027344264
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 00F8FA8F
                              • OleInitialize.OLE32(00000000), ref: 00F8FA97
                              • __Mtx_unlock.LIBCPMT ref: 00F8FAF2
                              • __Mtx_unlock.LIBCPMT ref: 00F8FB62
                              • __Mtx_unlock.LIBCPMT ref: 00F8FC08
                                • Part of subcall function 00F99E53: std::_Throw_Cpp_error.LIBCPMT ref: 00F99E7A
                              • __Mtx_unlock.LIBCPMT ref: 00F8FCAC
                              • OleUninitialize.OLE32 ref: 00F8FCFC
                              • CoUninitialize.OLE32 ref: 00F8FD02
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$InitializeUninitialize$Cpp_errorThrow_std::_
                              • String ID: list<T> too long
                              • API String ID: 669680987-4027344264
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9A8F27
                              • GetCurrentThemeName.UXTHEME(?,000000FF,?,000000FF,00000000,00000000), ref: 6C9A8F7D
                              • GetThemeColor.UXTHEME(00000000,00000001,00000000,00000EEF,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6C9A9047
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Theme$ColorCurrentH_prolog3_Name
                              • String ID: Aero$Luna$homestead$metallic$normalcolor$royale
                              • API String ID: 2781885202-2881773410
                              APIs
                                • Part of subcall function 6C98583D: __EH_prolog3_catch.LIBCMT ref: 6C985844
                              • GetModuleHandleW.KERNEL32(comctl32.dll,6C9DC9ED,?,00000000,?,?,6C98C8E4,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC8A1
                              • GetUserDefaultUILanguage.KERNEL32(?,?,6C98C8E4,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC8B1
                              • FindResourceExW.KERNEL32(00000000,00000005,000003EE,0000FC11,?,?,6C98C8E4,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC8EF
                              • FindResourceW.KERNEL32(00000000,000003EE,00000005,?,?,6C98C8E4,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC90E
                              • LoadResource.KERNEL32(00000000,00000000,?,?,6C98C8E4,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC91A
                                • Part of subcall function 6C9DCA2B: GetDC.USER32(00000000), ref: 6C9DCA7E
                                • Part of subcall function 6C9DCA2B: EnumFontFamiliesExW.GDI32(00000000,?,6C9DCA15,?,00000000,?,?,?,?,?,00000000,00000000), ref: 6C9DCA99
                                • Part of subcall function 6C9DCA2B: ReleaseDC.USER32(00000000,00000000), ref: 6C9DCAA1
                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0000001C,6C98B741,?,?), ref: 6C9DC94A
                              • GlobalFree.KERNEL32(00000001), ref: 6C9DC9C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$FindGlobal$AllocDefaultEnumFamiliesFontFreeH_prolog3_catchHandleLanguageLoadModuleReleaseUser
                              • String ID: MS UI Gothic$comctl32.dll
                              • API String ID: 1488066090-3248924666
                              APIs
                              • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00FB07B5
                                • Part of subcall function 00FB0A84: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00FB04E8), ref: 00FB0A94
                              • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00FB07CA
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FB07D9
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FB07E7
                              • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00FB085D
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FB089D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FB08AB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                              • String ID: pContext$switchState
                              • API String ID: 3151764488-2660820399
                              APIs
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00FA5707
                              • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00FA5711
                              • DuplicateHandle.KERNEL32(00000000), ref: 00FA5718
                              • SafeRWList.LIBCONCRT ref: 00FA5737
                                • Part of subcall function 00FA3706: __EH_prolog3.LIBCMT ref: 00FA370D
                                • Part of subcall function 00FA3706: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00FA3717
                                • Part of subcall function 00FA3706: List.LIBCMT ref: 00FA3721
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FA5749
                              • GetLastError.KERNEL32 ref: 00FA5758
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00FA576E
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA577C
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8H_prolog3HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                              • String ID: eventObject
                              • API String ID: 3870774015-1680012138
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C9A2B97
                              • ScreenToClient.USER32(?,?), ref: 6C9A2BA4
                              • PtInRect.USER32(?,?,?), ref: 6C9A2BE3
                              • PtInRect.USER32(?,?,?), ref: 6C9A2C08
                              • KillTimer.USER32(0000EC16,0000EC16), ref: 6C9A2C3B
                              • InvalidateRect.USER32(00000001,?,00000001), ref: 6C9A2C53
                              • InvalidateRect.USER32(00000001,?,00000001), ref: 6C9A2C65
                              • KillTimer.USER32(00000000,0000EC15), ref: 6C9A2DCC
                              • ValidateRect.USER32(00000000,00000000), ref: 6C9A2DF9
                              • RedrawWindow.USER32(00000000,00000000,00000000,00000185,00000000,00000000,00000000), ref: 6C9A2E36
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
                              • String ID:
                              • API String ID: 1459077570-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                              • String ID:
                              • API String ID: 2135910768-0
                              APIs
                                • Part of subcall function 6C96B928: __EH_prolog3_catch.LIBCMT ref: 6C96B92F
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 6CA128E4
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6CA12919
                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6CA12944
                              • LoadIconW.USER32(?,00000000), ref: 6CA12979
                              • LoadIconW.USER32(00000000,00007F00), ref: 6CA1298C
                              • GetClassLongW.USER32(?,000000F2), ref: 6CA129BB
                              • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CA12A44
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 6CA12A06
                                • Part of subcall function 6C9B162E: __EH_prolog3_catch.LIBCMT ref: 6C9B1638
                                • Part of subcall function 6C9B162E: CloseHandle.KERNEL32(00000000,?,00000000,00000080,6CA13131,?,00000000,?,?,00000000), ref: 6C9B1673
                                • Part of subcall function 6C9B162E: GetTempPathW.KERNEL32(00000104,00000000,00000104,?,00000000,00000080,6CA13131,?,00000000,?,?,00000000), ref: 6C9B1694
                                • Part of subcall function 6C9B162E: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000104,000000FF,?,?,00000000), ref: 6C9B16E9
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CA12AFB
                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CA12B15
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$H_prolog3_catchIconLoad$ClassCloseCreateFileHandleLongPathTemp
                              • String ID:
                              • API String ID: 2083023585-0
                              • Opcode ID: 4371fd607e42355ee8d58129345b588f6c7d70358d286156611e92d23e4c0a79
                              • Instruction ID: d943ddcbdc0898536857b8fd9cc3765fc8029996432b7ca437bc28ac01c33b63
                              • Opcode Fuzzy Hash: 4371fd607e42355ee8d58129345b588f6c7d70358d286156611e92d23e4c0a79
                              • Instruction Fuzzy Hash: 15719E31705614AFDF259F14CC88BAE3B75EF46725F180176E919ABB91CB70A940CFA0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9E4CBE
                              • GetObjectW.GDI32(?,00000018,?), ref: 6C9E4CE3
                              • GetObjectW.GDI32(?,00000054,?), ref: 6C9E4D28
                              • CreateCompatibleDC.GDI32(00000000), ref: 6C9E4E14
                              • SelectObject.GDI32(?,?), ref: 6C9E4E36
                              • GetPixel.GDI32(?,00000000,00000000), ref: 6C9E4E95
                              • GetPixel.GDI32(?,?,00000000), ref: 6C9E4EA7
                              • SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6C9E4EB6
                              • SetPixel.GDI32(?,?,00000000,00000000), ref: 6C9E4EC8
                              • SelectObject.GDI32(?,00000000), ref: 6C9E4F16
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
                              • String ID:
                              • API String ID: 1266819874-0
                              • Opcode ID: 62a858527c404e0537f0103a618ddf0344233d26bca083f010b01d44d1ca696c
                              • Instruction ID: fd3595e09da27ffc17b7646710fb819632bf9b7b845d60fae65742f064873df4
                              • Opcode Fuzzy Hash: 62a858527c404e0537f0103a618ddf0344233d26bca083f010b01d44d1ca696c
                              • Instruction Fuzzy Hash: A1811971E00228DBDF21CFA9C884A9DBBB9FF59704F248169E858A7741DB30AD85CF50
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C99CAB8
                              • ScreenToClient.USER32(?,?), ref: 6C99CAC5
                              • KillTimer.USER32(?,0000EC17), ref: 6C99CADD
                              • PtInRect.USER32(?,?,?), ref: 6C99CB0C
                              • KillTimer.USER32(?,0000EC18), ref: 6C99CB9B
                              • GetParent.USER32(?), ref: 6C99CBB0
                              • PtInRect.USER32(?,?,?), ref: 6C99CBDC
                              • KillTimer.USER32(?,0000EC07), ref: 6C99CC3B
                              • GetClientRect.USER32(?,?), ref: 6C99CC4F
                              • PtInRect.USER32(?,?,?), ref: 6C99CC5F
                                • Part of subcall function 6C97BF95: ShowWindow.USER32(?,00000000,?,?,6C97977A,00000000), ref: 6C97BFA6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$KillTimer$Client$CursorParentScreenShowWindow
                              • String ID:
                              • API String ID: 966434589-0
                              • Opcode ID: 42e9c5e9e68a634a236f388d1dd21f73b92480f6c1856dcfc416b0bea825a9dd
                              • Instruction ID: 3e547dc5330058aa1831687dfa1c4e53a54109e561ce430b7c22b48ef6c140d6
                              • Opcode Fuzzy Hash: 42e9c5e9e68a634a236f388d1dd21f73b92480f6c1856dcfc416b0bea825a9dd
                              • Instruction Fuzzy Hash: C851A431B00616DFDF05AF64CC58ABEBB79FF45709F14022AE815A3A50EB34E851CB90
                              APIs
                              • DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C984E5F
                              • GetWindowRect.USER32(?,?), ref: 6C984E7E
                              • SetRect.USER32(?,?,00000000,?,?), ref: 6C984EBD
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C984ECC
                              • SetRect.USER32(?,?,00000000,?,?), ref: 6C984EE4
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C984EF3
                              • SetRect.USER32(?,00000000,?,?,?), ref: 6C984F1B
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C984F2A
                              • SetRect.USER32(?,00000000,?,00000001,?), ref: 6C984F41
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C984F50
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Invalidate$Window$Proc
                              • String ID:
                              • API String ID: 570070710-0
                              • Opcode ID: eff89bf1ac50504a8df9eb6457749138c3a4a45dd1a8d1417c5552f310980cdd
                              • Instruction ID: e755e3acca10d8150bd315b4b63a04c41d3cc8f34eb1edb78b4ed7f3d129ce2c
                              • Opcode Fuzzy Hash: eff89bf1ac50504a8df9eb6457749138c3a4a45dd1a8d1417c5552f310980cdd
                              • Instruction Fuzzy Hash: 3D41F572A00209AFDB10DFA4C989FAFBBBDFB09304F200529F645E3590D771AA40CB61
                              APIs
                              • _free.LIBCMT ref: 00FC6DE4
                                • Part of subcall function 00FC79EF: HeapFree.KERNEL32(00000000,00000000,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?), ref: 00FC7A05
                                • Part of subcall function 00FC79EF: GetLastError.KERNEL32(?,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?,?), ref: 00FC7A17
                              • _free.LIBCMT ref: 00FC6DF0
                              • _free.LIBCMT ref: 00FC6DFB
                              • _free.LIBCMT ref: 00FC6E06
                              • _free.LIBCMT ref: 00FC6E11
                              • _free.LIBCMT ref: 00FC6E1C
                              • _free.LIBCMT ref: 00FC6E27
                              • _free.LIBCMT ref: 00FC6E32
                              • _free.LIBCMT ref: 00FC6E3D
                              • _free.LIBCMT ref: 00FC6E4B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: c320b6eb20d40289c50738cb32385968834d0a90f2f22f20638cb412b387a67d
                              • Instruction ID: 3ee0a95df20121b6f96267a84cd71a2c3c36a79c239ed96a2b5366d5f4b81fac
                              • Opcode Fuzzy Hash: c320b6eb20d40289c50738cb32385968834d0a90f2f22f20638cb412b387a67d
                              • Instruction Fuzzy Hash: 5F11AA75508109AFCB41FF55CE83DD93B66EF04350B01405AB9498B522E635DE50EF40
                              APIs
                              • SHGetDesktopFolder.SHELL32(?), ref: 00F82036
                              • LoadLibraryW.KERNEL32(shell32.dll), ref: 00F820B2
                              • GetProcAddress.KERNEL32(00000000,SHOpenFolderAndSelectItems), ref: 00F820C4
                              • FreeLibrary.KERNEL32(00000000), ref: 00F820E1
                              • FreeLibrary.KERNEL32(00000000), ref: 00F820FA
                              • SHOpenWithDialog.SHELL32(00000000,?), ref: 00F821FF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Library$Free$AddressDesktopDialogFolderLoadOpenProcWith
                              • String ID: SHOpenFolderAndSelectItems$shell32.dll
                              • API String ID: 3033948749-666694915
                              • Opcode ID: 14a547b6f2340d75b10d3bbb3827a691d01dea5727a5b79a04a41068fa14c458
                              • Instruction ID: 4c5e8d50b4fc7b5ad10bb7d60a92e0a09fb63f824ca119f2d2aab79e25e04eab
                              • Opcode Fuzzy Hash: 14a547b6f2340d75b10d3bbb3827a691d01dea5727a5b79a04a41068fa14c458
                              • Instruction Fuzzy Hash: D9C1C171A01308EBEB21EF65CD48B99B7F4AF14720F148198F949AB291D774EE41EF80
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                              • EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • DecodePointer.KERNEL32(00000000), ref: 6C96AAB1
                              • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C96AAD9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                              • String ID: SetDefaultDllDirectories$\$kernel32.dll
                              • API String ID: 2101061299-3881611067
                              • Opcode ID: 7da4218ec5062d71a88a5117d9d7e81602201b10102f18fc87a50bd7d8fbef01
                              • Instruction ID: 6157490bb098e7c135095d925d98c5c85ce58fa89a42da011e98534f34c5327d
                              • Opcode Fuzzy Hash: 7da4218ec5062d71a88a5117d9d7e81602201b10102f18fc87a50bd7d8fbef01
                              • Instruction Fuzzy Hash: 4721D871A41128A7EB20EA778D48FEF3BBDAF16358F040466E805E3D80EF74D544C691
                              APIs
                              • GetStockObject.GDI32(00000011), ref: 6C98CDD6
                              • GetStockObject.GDI32(0000000D), ref: 6C98CDE2
                              • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C98CDF3
                              • GetDC.USER32(00000000), ref: 6C98CE02
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C98CE19
                              • MulDiv.KERNEL32(?,00000048,00000000), ref: 6C98CE25
                              • ReleaseDC.USER32(00000000,00000000), ref: 6C98CE31
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$Stock$CapsDeviceRelease
                              • String ID: System
                              • API String ID: 46613423-3470857405
                              • Opcode ID: 95392c2fadf7c93cdc96cbf787c6be84e81da60524ac810b598ee3eac7167d63
                              • Instruction ID: a1ca92ae05e6ae9496537df859e80ffa5c41bba8e6e1328a50227a7c63e87faf
                              • Opcode Fuzzy Hash: 95392c2fadf7c93cdc96cbf787c6be84e81da60524ac810b598ee3eac7167d63
                              • Instruction Fuzzy Hash: 6C115E71701318ABEF14AF65CC4ABAE7BB9FB56B45F204129F606DB680DB70DC04CA60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$ActiveFocus$MessageSend
                              • String ID: u
                              • API String ID: 1556911595-4067256894
                              • Opcode ID: 205263e6621f5d0f463524aeb9da7c5f53fff37ab0bb4a06ffddd70bb2d22fe9
                              • Instruction ID: 009dc97ca2d4c92a5990207be2455a064d80d2232da77a7b052358bfa744d349
                              • Opcode Fuzzy Hash: 205263e6621f5d0f463524aeb9da7c5f53fff37ab0bb4a06ffddd70bb2d22fe9
                              • Instruction Fuzzy Hash: 7811EC32301614ABFF112B76CD58AAA3BBCEF4A309B208134E9118ADD5CB78C8049BD0
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a3cb39f3c4fa49a1643a2b8abcbf05bb5779d81f88e6de730ffc4bd8a5ca3882
                              • Instruction ID: 617a8e4060175241d5719c6be5bafc591fab45b2bd19dfd220af37bcd84202d7
                              • Opcode Fuzzy Hash: a3cb39f3c4fa49a1643a2b8abcbf05bb5779d81f88e6de730ffc4bd8a5ca3882
                              • Instruction Fuzzy Hash: 05C10470E0424AAFDB11DFA8D946FADBBB1BF09350F14005DE555AB382CB389942EF60
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                              • String ID:
                              • API String ID: 3943753294-0
                              • Opcode ID: 46c6689245e4065e73a5d2029bdca8e473ca7cea5d768ca7f39bcb64c41feeb7
                              • Instruction ID: aaacc8330ed6af3985aa4cee338095fb0b7e368672a7dfbcf7691d09808ead73
                              • Opcode Fuzzy Hash: 46c6689245e4065e73a5d2029bdca8e473ca7cea5d768ca7f39bcb64c41feeb7
                              • Instruction Fuzzy Hash: AF51A131A00109CFEF10DF28D98896977B1FF08320B29806AE8079B165CB71ED45EFA2
                              APIs
                              • __EH_prolog3_catch.LIBCMT ref: 6C990AA1
                                • Part of subcall function 6C9DE380: __EH_prolog3.LIBCMT ref: 6C9DE387
                              • IsWindow.USER32(?), ref: 6C990BD4
                                • Part of subcall function 6C97BCF3: GetDlgCtrlID.USER32(?), ref: 6C97BCFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CtrlH_prolog3H_prolog3_catchWindow
                              • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
                              • API String ID: 1537839037-190999575
                              • Opcode ID: 7609baad7a8fa5df0343ad3beadb5681b0c25ae5abf92d9ee0767bfbc0a69aa0
                              • Instruction ID: 78c0d84cef9a6f28be55585fc9f472085e5f81d8eb9d4ca9d0d61ee628c6f5c1
                              • Opcode Fuzzy Hash: 7609baad7a8fa5df0343ad3beadb5681b0c25ae5abf92d9ee0767bfbc0a69aa0
                              • Instruction Fuzzy Hash: 8571BD74E00259DFDF01CBA4C990AEEBBB9AF29318F144058E815B7790DB34DE05CBA1
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 6C9A6CC9
                              • GetSystemMetrics.USER32(0000004D), ref: 6C9A6CD4
                              • GetSystemMetrics.USER32(0000004E), ref: 6C9A6CDF
                              • GetSystemMetrics.USER32(0000004F), ref: 6C9A6CED
                              • IntersectRect.USER32(?,?,?), ref: 6C9A6D46
                              • IntersectRect.USER32(?,?,?), ref: 6C9A6DA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MetricsSystem$IntersectRect
                              • String ID: "
                              • API String ID: 1124862357-123907689
                              • Opcode ID: 936eeca1ea06a067950a04795e3b41dc3451f4552265c86c1cb65f5451c8e45c
                              • Instruction ID: 72dec42fd8cc7197bd027d404af2a52ae15c269e6a79c724bb1c8937c1d72086
                              • Opcode Fuzzy Hash: 936eeca1ea06a067950a04795e3b41dc3451f4552265c86c1cb65f5451c8e45c
                              • Instruction Fuzzy Hash: 2D61A2B2A01209DFCF44DFA8C9C5A9DBBB9FF09314F10416AE905EB209EB31E944CB50
                              APIs
                              • GetNativeSystemInfo.KERNEL32(?,33902926), ref: 00F82420
                              • Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 00F8243A
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00F824E6
                              • GetLastError.KERNEL32 ref: 00F824EC
                              • CoTaskMemFree.OLE32(00000000), ref: 00F824FA
                              • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00F82509
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Wow64$Redirection$DisableErrorExecuteFreeInfoLastNativeRevertShellSystemTask
                              • String ID: <
                              • API String ID: 2498432326-4251816714
                              • Opcode ID: c82d6859a8a592298538f92a9a729be01950efc1c2e5145d73a1f17e2dc7ee21
                              • Instruction ID: a6340edec0f79c1755847c63d5751cf28653249c50e42958c450d5d267b0b44b
                              • Opcode Fuzzy Hash: c82d6859a8a592298538f92a9a729be01950efc1c2e5145d73a1f17e2dc7ee21
                              • Instruction Fuzzy Hash: 4C515B74D00208CFCB50DFA8C988A9EBBF5FF08314F24426AE416AB251D731E946DF90
                              APIs
                              • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00FB4F18
                              • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00FB4F31
                              • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00FB4F38
                              • PMDtoOffset.LIBCMT ref: 00FB4F57
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FindInstanceTargetType$Offset
                              • String ID: Bad dynamic_cast!
                              • API String ID: 1467055271-2956939130
                              • Opcode ID: 97ab62a557b869cb0dc1a4e4040e9a37d748f730382129e521222bb0a4882972
                              • Instruction ID: 0ede407d87acdf84762232a41d13ce7dfaf4ea54ce33ffd0c5284a115ddbea2d
                              • Opcode Fuzzy Hash: 97ab62a557b869cb0dc1a4e4040e9a37d748f730382129e521222bb0a4882972
                              • Instruction Fuzzy Hash: CC21D172A002059FCF14DF66DE06EEA77B5FB84724B108259E92193282D734F900AE91
                              APIs
                              • ScreenToClient.USER32(?,?), ref: 6C99A98E
                              • GetParent.USER32(?), ref: 6C99A99E
                              • GetClientRect.USER32(?,?), ref: 6C99A9E2
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99A9F4
                              • PtInRect.USER32(?,?,?), ref: 6C99AA04
                              • GetClientRect.USER32(?,?), ref: 6C99AA31
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99AA43
                              • PtInRect.USER32(?,?,?), ref: 6C99AA53
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$ParentScreen
                              • String ID:
                              • API String ID: 1944725958-0
                              • Opcode ID: 33ebfb6b4fd3a338f7ad9337b354ba7dfe15d0ab527f26e13241b7fa52974e40
                              • Instruction ID: 6ecf339b824d90283b32975302789e9017a97777d5fd58a9dda476192db4198e
                              • Opcode Fuzzy Hash: 33ebfb6b4fd3a338f7ad9337b354ba7dfe15d0ab527f26e13241b7fa52974e40
                              • Instruction Fuzzy Hash: 6E319133A11529AFCF01AFA4CD498AEBBBAFF59704B144129F946E7650DF31DE048B90
                              APIs
                              • GetSystemMetrics.USER32(00000031), ref: 6C97EE1F
                              • GetSystemMetrics.USER32(00000032), ref: 6C97EE2D
                              • SetRectEmpty.USER32(?), ref: 6C97EE40
                              • EnumDisplayMonitors.USER32(00000000,00000000,6C97F5E9,?,?,?), ref: 6C97EE50
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C97EE5F
                              • SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C97EE8C
                              • SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C97EEA0
                              • SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C97EEC6
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
                              • String ID:
                              • API String ID: 2614369430-0
                              • Opcode ID: da6c0f57a3173487641475ea68430675120c549173971f6113b7f3c1b2a0f9b7
                              • Instruction ID: 86d5e480d65d97d4b42a953f80bde6e5dcf3670e368dfcf1fc8208e27bc99cad
                              • Opcode Fuzzy Hash: da6c0f57a3173487641475ea68430675120c549173971f6113b7f3c1b2a0f9b7
                              • Instruction Fuzzy Hash: 2D2136B2301616BFE7145F71888AAE3BBACFF0A355F104529E949C7540D7B0A8558BA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr
                              • String ID:
                              • API String ID: 3213747228-0
                              • Opcode ID: 5190b319bde8bdb40870973bd59ec0e1e05736a5c04f87247dd0c88a7e395357
                              • Instruction ID: 0fd804c486fdaf3d1c99c22dfcd97ccd20fb576f86f536e7dcbe25d982a96fa2
                              • Opcode Fuzzy Hash: 5190b319bde8bdb40870973bd59ec0e1e05736a5c04f87247dd0c88a7e395357
                              • Instruction Fuzzy Hash: 42B15572A052569FDB018F68CC90BEE7BB9EF06314F184295E800BB781E374E985C7E1
                              APIs
                              • _strrchr.LIBCMT ref: 00F5203A
                              • _strrchr.LIBCMT ref: 00F5204D
                              • SetTimer.USER32(FFFFFFFF,000007C5,000003E8,00000000), ref: 00F5231B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr$Timer
                              • String ID: OnWMHandle$WM_INSTALLOK$g:\zcsd\xzrecordalone\xzrecordalone\xzcalendarserver\application.cpp
                              • API String ID: 951948468-3093241845
                              • Opcode ID: 3925971d19bf6c0c12987fada8cf41957365e882328ad8440a0cdb3b8de37632
                              • Instruction ID: 032349a8d2ac920cd3f793cba4393008af7bb96c18921c166622354761dda6c4
                              • Opcode Fuzzy Hash: 3925971d19bf6c0c12987fada8cf41957365e882328ad8440a0cdb3b8de37632
                              • Instruction Fuzzy Hash: 8DB10530B006449FEB04DF68CC89B5EBBB2BF45301F148218EA15AB3D2D774E949EB91
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,00FD6AE2,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00FD68B5
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00FD6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00FD6938
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00FD6AE2,?,00FD6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00FD69CB
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FD6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00FD69E2
                                • Part of subcall function 00FC7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FCA0DD,?,?,?,?,?,00FBCAEB,00000000), ref: 00FC7A5B
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00FD6AE2,00000000,00000000,?,00000001,?,?,?,?), ref: 00FD6A5E
                              • __freea.LIBCMT ref: 00FD6A89
                              • __freea.LIBCMT ref: 00FD6A95
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 2829977744-0
                              • Opcode ID: 2813675afe47153de463ca33bf15c1cbdf6effb0acf5bb899c2c4c73d05c698a
                              • Instruction ID: c6067833910ac92c7d3e785d7930a8a50c584f6e966de06685476fdd6ac726eb
                              • Opcode Fuzzy Hash: 2813675afe47153de463ca33bf15c1cbdf6effb0acf5bb899c2c4c73d05c698a
                              • Instruction Fuzzy Hash: 3491C472E002169ADF249F64CC51AEEBBA6AF09720F1C856BE845E7341D739DC44FB60
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: aff5225c605b3706c44587c95139f5803573995ee4be42567a7fe3aeceb50429
                              • Instruction ID: a2daa463ad9c3efa31f9a71b4b8edbdf8ec06c676731e1a1d87bd076a1cb8c0e
                              • Opcode Fuzzy Hash: aff5225c605b3706c44587c95139f5803573995ee4be42567a7fe3aeceb50429
                              • Instruction Fuzzy Hash: 0A61B372D04306AFDB20DF64C942B9EBBF6EF45720F28056AE944EB341DB749D81AB50
                              APIs
                              • __EH_prolog3_catch.LIBCMT ref: 6CA7C4EE
                                • Part of subcall function 6CA7C7B1: OleGetClipboard.OLE32(00000000), ref: 6CA7C7C7
                              • ReleaseStgMedium.OLE32(?), ref: 6CA7C572
                              • ReleaseStgMedium.OLE32(?), ref: 6CA7C5B9
                              • ReleaseStgMedium.OLE32(?), ref: 6CA7C5C8
                              • CoTaskMemFree.OLE32(?,?,00000000,?,00000040,6C9E729C,?,00000000,00000000,0000005C), ref: 6CA7C678
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
                              • String ID: '
                              • API String ID: 3213536121-1997036262
                              • Opcode ID: ee0ec77caa3fc260f8b9ccb6a41ad764d19973adab6a0f400884e72c9aacdb1a
                              • Instruction ID: 6062dc4ef388b14b035ecf1c460681c738911fef110c278a7e328973644df4a8
                              • Opcode Fuzzy Hash: ee0ec77caa3fc260f8b9ccb6a41ad764d19973adab6a0f400884e72c9aacdb1a
                              • Instruction Fuzzy Hash: E4519E75A402099BDF21EFB8C584AEDBBB5BF5831CF145019E910E7A80DB75DA84CB70
                              APIs
                                • Part of subcall function 6C99D7A9: IsWindow.USER32(?), ref: 6C99D7B5
                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9725EB
                                • Part of subcall function 6C99DE27: GetClientRect.USER32(?,?), ref: 6C99DE4F
                                • Part of subcall function 6C99DE27: PtInRect.USER32(?,00000000,?), ref: 6C99DE69
                              • ScreenToClient.USER32(?,?), ref: 6C9724B8
                              • PtInRect.USER32(?,?,?), ref: 6C9724CB
                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9724FD
                              • GetParent.USER32(?), ref: 6C97252D
                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9725AB
                              • GetFocus.USER32 ref: 6C9725B1
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageRectSend$Client$FocusParentScreenWindow
                              • String ID:
                              • API String ID: 1639644240-0
                              • Opcode ID: cc8e86013c03a30113d754dd90926cfb6b97f76c4a6725d5c766edfa5af32788
                              • Instruction ID: 86dd3943471bf1ebb401074a1e02dc8b9c63b5caf66ea7ece7c1cde229ae38a2
                              • Opcode Fuzzy Hash: cc8e86013c03a30113d754dd90926cfb6b97f76c4a6725d5c766edfa5af32788
                              • Instruction Fuzzy Hash: 01516E75A22619EFDF20DFA5C958AAE7BB8FF49315B10406AE815E7750DB30D900CFA0
                              APIs
                              • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00FC78B7,?,?,?,?,?,?), ref: 00FC7184
                              • __fassign.LIBCMT ref: 00FC71FF
                              • __fassign.LIBCMT ref: 00FC721A
                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00FC7240
                              • WriteFile.KERNEL32(?,?,00000000,00FC78B7,00000000,?,?,?,?,?,?,?,?,?,00FC78B7,?), ref: 00FC725F
                              • WriteFile.KERNEL32(?,?,00000001,00FC78B7,00000000,?,?,?,?,?,?,?,?,?,00FC78B7,?), ref: 00FC7298
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: 18f80c86b0be00c115f94ffe0c60b1e7c42b32cb231129866977048b8217d687
                              • Instruction ID: 859acac8f5a40a71276fbeb16c46b25d25f5b63eeae5b1517460e2fd8bc64486
                              • Opcode Fuzzy Hash: 18f80c86b0be00c115f94ffe0c60b1e7c42b32cb231129866977048b8217d687
                              • Instruction Fuzzy Hash: DF518E71A0424A9FDB10DFA8D946FEEBBF9FB09310F14411EE956E7241D630A941DF60
                              APIs
                              • CertGetNameStringW.CRYPT32(?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F82982
                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F82998
                              • CertGetNameStringW.CRYPT32(33902926,00000004,00000001,00000000,00000000,00000000,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F829B7
                              • LocalFree.KERNEL32(00000000,00000000,-00000002,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F829ED
                              • CertGetNameStringW.CRYPT32(33902926,00000003,00000000,00000000,00000000,00000000,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F829FF
                              • LocalAlloc.KERNEL32(00000040,00000000,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F82A11
                              • CertGetNameStringW.CRYPT32(33902926,00000003,00000000,00000000,00000000,33902926,?,00000004,00000001,00000000,00000000,00000000,33902926), ref: 00F82A2B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CertNameString$Local$Alloc$Free
                              • String ID:
                              • API String ID: 1148605495-0
                              • Opcode ID: 5abf3482bf673c9554e1be3544a21472d5fbd437f310f6d5226ced8767e04f46
                              • Instruction ID: bd51c68172b7f669afffe8320d67b52c2b075acdb8f07c74a52e9d0f49129ec9
                              • Opcode Fuzzy Hash: 5abf3482bf673c9554e1be3544a21472d5fbd437f310f6d5226ced8767e04f46
                              • Instruction Fuzzy Hash: 1A41E571E01315ABDB24AF65CC45FEABBB9FF49B50F10811AF906E7281D774A900DBA0
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6CAA2AA7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6CAA2AAF
                              • _ValidateLocalCookies.LIBCMT ref: 6CAA2B38
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6CAA2B63
                              • _ValidateLocalCookies.LIBCMT ref: 6CAA2BB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 0032aae8ff67a745ba460bcaee45d95df4695954c805f1d70a36b3f2a6122640
                              • Instruction ID: 08e638d6506f004f70114b6cf5263d29c7832834324f14b96a08cde17a25fd15
                              • Opcode Fuzzy Hash: 0032aae8ff67a745ba460bcaee45d95df4695954c805f1d70a36b3f2a6122640
                              • Instruction Fuzzy Hash: 3841EA34A0011A9BCF04CFA9C884ADEBBB5FF4532CF148255D81C6BB51D731DA9ACB90
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 00FB47FB
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00FB4803
                              • _ValidateLocalCookies.LIBCMT ref: 00FB4891
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00FB48BC
                              • _ValidateLocalCookies.LIBCMT ref: 00FB4911
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 201d5c2b67445351c3f1cc204e115362d57a0fb84e2be49af98e2c4d2b1edbad
                              • Instruction ID: 5b0ca52801962e226b8869e711e2359aeb6b12491a4425347ccd55b4b3283b43
                              • Opcode Fuzzy Hash: 201d5c2b67445351c3f1cc204e115362d57a0fb84e2be49af98e2c4d2b1edbad
                              • Instruction Fuzzy Hash: E941A134E00248ABCB10DF6ACD84ADEBBB5AF45324F148165E8159B393D775EA05EF90
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C960DFC
                              • GetClassNameW.USER32(?,?,000000FF), ref: 6C960E56
                              • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C960EE7
                              • GetStockObject.GDI32(00000005), ref: 6C960EF8
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClassH_prolog3_NameObjectStockThemed
                              • String ID: Button$Static
                              • API String ID: 2434646892-2498952662
                              • Opcode ID: abeaf60eef88afc3692dce1d2e6b54bbe0aea1e0fd75bd8ee56ae7b68dc49393
                              • Instruction ID: 2f06e70f82937019b3711dc03ec62a3013a8f8be9e6cff80a4f438e338db7494
                              • Opcode Fuzzy Hash: abeaf60eef88afc3692dce1d2e6b54bbe0aea1e0fd75bd8ee56ae7b68dc49393
                              • Instruction Fuzzy Hash: EF31E531981669DBEF25CB65C9C8BDA7378AF24328F100199D419A7EC0DB70EE84CB65
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2aff1680d126cc290f7c674f5da45fa7b97e8496e1b28f7e981ac6d5e329cd3b
                              • Instruction ID: f3d1633e2436ce8ecd7590a2447ca920cd6aaee71a9d5ff64c890ea3ceaa2d5a
                              • Opcode Fuzzy Hash: 2aff1680d126cc290f7c674f5da45fa7b97e8496e1b28f7e981ac6d5e329cd3b
                              • Instruction Fuzzy Hash: 8911D872505115AADB112F729C09E6B3B6EEF82734B14462AF802DB241DE39C800BA70
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,00000000,?,00000000), ref: 6C97AE88
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C97AEB4
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 6C97AEE0
                              • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C97AEF2
                              • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C97AF01
                                • Part of subcall function 6C97A71A: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C97A72B
                                • Part of subcall function 6C97A71A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C97A73B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseCreate$AddressHandleModuleOpenProc
                              • String ID: software
                              • API String ID: 550756860-2010147023
                              • Opcode ID: f9b962f255c71bfd8b00d864015f0ae5831e338b528357c27c6559c103fe212c
                              • Instruction ID: 6ffd41abb8fc9836492bd2750128b719a6825170136839fdc62552237d1003fe
                              • Opcode Fuzzy Hash: f9b962f255c71bfd8b00d864015f0ae5831e338b528357c27c6559c103fe212c
                              • Instruction Fuzzy Hash: 1F211D72A06119FFEB15DAA4D849EBF7B7DEF45704F105069E905E2500DB30CA418BB5
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9E0F58
                                • Part of subcall function 6C9E1042: __EH_prolog3.LIBCMT ref: 6C9E1049
                                • Part of subcall function 6C9E1042: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C9E109C
                                • Part of subcall function 6C9E1042: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C9E10B2
                              • CopyRect.USER32(?,?), ref: 6C9E0F8D
                              • GetCursorPos.USER32(?), ref: 6C9E0F9F
                              • SetRect.USER32(?,?,?,?,?), ref: 6C9E0FB2
                              • IsRectEmpty.USER32(?), ref: 6C9E0FCD
                              • InflateRect.USER32(?,00000002,00000002), ref: 6C9E0FDF
                              • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6C9E1027
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                              • String ID:
                              • API String ID: 1837043813-0
                              • Opcode ID: f2d6e446ace07fedbc6895455d7f2c436b3260d2aa795da5563f5f97773001af
                              • Instruction ID: b0fc533e498af0483a2a1115aa01da38e54a46ab756695362ef64076c79d3af0
                              • Opcode Fuzzy Hash: f2d6e446ace07fedbc6895455d7f2c436b3260d2aa795da5563f5f97773001af
                              • Instruction Fuzzy Hash: F7314B71A02258DFDF01EFE4C9489EE7BB9BF69704B100015E805ABA44DB34D91ADBA1
                              APIs
                              • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9A6F73
                              • DispatchMessageW.USER32(?), ref: 6C9A6F85
                              • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9A6F93
                              • SetRectEmpty.USER32(?), ref: 6C9A6FBB
                              • GetDesktopWindow.USER32 ref: 6C9A6FD3
                              • LockWindowUpdate.USER32(?,00000000), ref: 6C9A6FE4
                              • GetDCEx.USER32(?,00000000,00000003), ref: 6C9A6FFB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                              • String ID:
                              • API String ID: 1192691108-0
                              • Opcode ID: bfd5db315f7348d9146b76ffe6002382bf3532c5a569373e41ba9831cf0030ca
                              • Instruction ID: b3505cb635882dcfad5dee1cb9e76033bb1d087ac444af763c42cdf1cdc8d188
                              • Opcode Fuzzy Hash: bfd5db315f7348d9146b76ffe6002382bf3532c5a569373e41ba9831cf0030ca
                              • Instruction Fuzzy Hash: 642100B2A00615AFDB11AFBAC889A97BFBCFF09254B00453AE515D7941DB35E811CBA0
                              APIs
                                • Part of subcall function 00FD1060: _free.LIBCMT ref: 00FD1089
                              • _free.LIBCMT ref: 00FD1367
                                • Part of subcall function 00FC79EF: HeapFree.KERNEL32(00000000,00000000,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?), ref: 00FC7A05
                                • Part of subcall function 00FC79EF: GetLastError.KERNEL32(?,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?,?), ref: 00FC7A17
                              • _free.LIBCMT ref: 00FD1372
                              • _free.LIBCMT ref: 00FD137D
                              • _free.LIBCMT ref: 00FD13D1
                              • _free.LIBCMT ref: 00FD13DC
                              • _free.LIBCMT ref: 00FD13E7
                              • _free.LIBCMT ref: 00FD13F2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 1b949273ff0dbac6fc567f52d423280c6276c866aa5a098b7bd2d37697f8ca35
                              • Instruction ID: 2435fc57c493f7c8f50c03586d630a76d089214104fb386f33ce6e5f699dd31a
                              • Opcode Fuzzy Hash: 1b949273ff0dbac6fc567f52d423280c6276c866aa5a098b7bd2d37697f8ca35
                              • Instruction Fuzzy Hash: F7118131580B48BBD530B7B0CC4BFCB779EBF01740F44881AF29A66256DA78B544AA51
                              APIs
                              • IsWindow.USER32(00000000), ref: 6C96EAD4
                              • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C96EAFC
                              • SizeofResource.KERNEL32(?,00000000), ref: 6C96EB0E
                              • LoadResource.KERNEL32(?,00000000), ref: 6C96EB1A
                              • LockResource.KERNEL32(00000000), ref: 6C96EB25
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$FindLoadLockSizeofWindow
                              • String ID: AFX_DIALOG_LAYOUT
                              • API String ID: 2582447065-2436846380
                              • Opcode ID: 0288255da977a4ce50436f59781f858159909b70f9f7d23209b09e0cf3b9e804
                              • Instruction ID: 6f5a551d8b2cfd3ca9097b655748f7e2844330f241a9dcc0de47cd4b3535a7f0
                              • Opcode Fuzzy Hash: 0288255da977a4ce50436f59781f858159909b70f9f7d23209b09e0cf3b9e804
                              • Instruction Fuzzy Hash: 5C118271601705EBFB015B77CC89E6FB7BDEF85254B140525A902D3E84EB74D940C7A0
                              APIs
                              • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E4C3
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E4C9
                              • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E4F6
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E500
                              • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E512
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E528
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E536
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                              • String ID:
                              • API String ID: 4227777306-0
                              • Opcode ID: 096eb4c85e9d39fe6f6f2b32e6db8a129512e5edba3232083686b7914348ccad
                              • Instruction ID: 726ca86ed1d866e2a1bd58403b2acc05f85a764cbfc4bf5abdf486b1ea3fc0ba
                              • Opcode Fuzzy Hash: 096eb4c85e9d39fe6f6f2b32e6db8a129512e5edba3232083686b7914348ccad
                              • Instruction Fuzzy Hash: 8701F739600109A7DF20EB75EC4DFEF37AD9F41365F144426F107D2061EB24EA04BAA1
                              APIs
                              • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C986ACC
                              • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C986ADC
                              • EncodePointer.KERNEL32(00000000), ref: 6C986AE5
                              • DecodePointer.KERNEL32(00000000), ref: 6C986AF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                              • String ID: TaskDialogIndirect$comctl32.dll
                              • API String ID: 2061474489-2809879075
                              • Opcode ID: b2edc89a551467c864024ff73e7bc9cad4fd658a92e01780c9aabd124073e7d1
                              • Instruction ID: 8d66b434fdef7f2b60f7d8ea806d534b66e70ffba00015b57af3a1dfb0df3e6f
                              • Opcode Fuzzy Hash: b2edc89a551467c864024ff73e7bc9cad4fd658a92e01780c9aabd124073e7d1
                              • Instruction Fuzzy Hash: E8F0907674625AAB8F116F688C0896E3BBCAF0A7957004831FD19DBA00DB35CC00CAA5
                              APIs
                              • GetModuleHandleW.KERNEL32(user32.dll), ref: 6C9864C0
                              • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C9864D0
                              • EncodePointer.KERNEL32(00000000), ref: 6C9864D9
                              • DecodePointer.KERNEL32(00000000), ref: 6C9864E7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                              • String ID: ChangeWindowMessageFilter$user32.dll
                              • API String ID: 2061474489-2498399450
                              • Opcode ID: 4cccb99dbba32f23e108331c3114d8a5871c5c2ae9980b02a11fd919bff56b24
                              • Instruction ID: 1c22d7b8b5ce724030ad5d008458ea5cf2d143f390147529e61d65a321699619
                              • Opcode Fuzzy Hash: 4cccb99dbba32f23e108331c3114d8a5871c5c2ae9980b02a11fd919bff56b24
                              • Instruction Fuzzy Hash: 6FF08C35716215AB8F222B74880C89E3BBCAB0B6A93010822FC19D7A44EB30D900CAA1
                              APIs
                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C969B81,00000001), ref: 6C98646B
                              • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C98647B
                              • EncodePointer.KERNEL32(00000000,?,6C969B81,00000001), ref: 6C986484
                              • DecodePointer.KERNEL32(00000000,?,?,6C969B81,00000001), ref: 6C986492
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                              • String ID: ApplicationRecoveryFinished$kernel32.dll
                              • API String ID: 2061474489-1962646049
                              APIs
                              • GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C986A7E
                              • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C986A8E
                              • EncodePointer.KERNEL32(00000000), ref: 6C986A97
                              • DecodePointer.KERNEL32(00000000), ref: 6C986AA9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                              • String ID: TaskDialogIndirect$comctl32.dll
                              • API String ID: 2061474489-2809879075
                              APIs
                              • LoadCursorW.USER32(00000000,00007F00), ref: 6C9A0A53
                                • Part of subcall function 6C9609A7: __EH_prolog3.LIBCMT ref: 6C9609AE
                              • GetClientRect.USER32(?,?), ref: 6C9A0A95
                                • Part of subcall function 6C964071: ClientToScreen.USER32(?,6C99DE60), ref: 6C964080
                                • Part of subcall function 6C964071: ClientToScreen.USER32(?,6C99DE68), ref: 6C96408D
                              • IsWindowVisible.USER32(?), ref: 6C9A0CCE
                              • SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C9A0CF1
                              • InvalidateRect.USER32(?,00000000,00000001,6CB37B18,00000000,00000000,00000000,00000000,00000053), ref: 6C9A0D60
                              • UpdateWindow.USER32(?), ref: 6C9A0D69
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Client$RectScreenWindow$CursorH_prolog3InvalidateLoadTimerUpdateVisible
                              • String ID:
                              • API String ID: 3378768144-0
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000001,7FFFFFFF,00000000,?,?,?,00FCD89C,00000001,00000001,?), ref: 00FCD6A5
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FCD89C,00000001,00000001,?,?,?,?), ref: 00FCD72B
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FCD825
                              • __freea.LIBCMT ref: 00FCD832
                                • Part of subcall function 00FC7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FCA0DD,?,?,?,?,?,00FBCAEB,00000000), ref: 00FC7A5B
                              • __freea.LIBCMT ref: 00FCD83B
                              • __freea.LIBCMT ref: 00FCD860
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                              • String ID:
                              • API String ID: 1414292761-0
                              APIs
                              • CallNextHookEx.USER32(00000000,?,?), ref: 6C99650F
                              • WindowFromPoint.USER32(?,?), ref: 6C996539
                              • ScreenToClient.USER32(00000020,00000200), ref: 6C99656F
                              • GetParent.USER32(00000020), ref: 6C9965D6
                              • UpdateWindow.USER32(?), ref: 6C99663C
                              • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 6C9966BA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$CallClientFromHookMessageNextParentPointScreenSendUpdate
                              • String ID:
                              • API String ID: 4074787488-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID: list<T> too long
                              • API String ID: 0-4027344264
                              APIs
                              • FillRect.USER32(?,?,00000000), ref: 6C9A8CEB
                              • GetParent.USER32(?), ref: 6C9A8D0C
                              • GetWindowRect.USER32(?,?), ref: 6C9A8D29
                              • GetClientRect.USER32(?,?), ref: 6C9A8DCC
                              • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9A8DDE
                              • DrawThemeBackground.UXTHEME(?,?,00000000,00000000,?,00000000), ref: 6C9A8E06
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Window$BackgroundClientDrawFillParentPointsTheme
                              • String ID:
                              • API String ID: 2136005349-0
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F5F7E9
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F5F80B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5F82B
                              • __Getctype.LIBCPMT ref: 00F5F8C1
                              • std::_Facet_Register.LIBCPMT ref: 00F5F8E0
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5F8F8
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              APIs
                              • PtInRect.USER32(?,?,?), ref: 6C9A2E71
                              • ReleaseCapture.USER32 ref: 6C9A2E7F
                              • PtInRect.USER32(?,?,?), ref: 6C9A2ED4
                              • InvalidateRect.USER32(?,?,00000001,?,?,?,6C9A1FCF,00000000,00000000,00000000), ref: 6C9A2F3E
                              • SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C9A2F62
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$CaptureInvalidateReleaseTimer
                              • String ID:
                              • API String ID: 2903485716-0
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C97EEE4
                              • CreateRectRgnIndirect.GDI32(00000000), ref: 6C97EF04
                                • Part of subcall function 6C963A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C963A5A
                                • Part of subcall function 6C963A3A: SelectClipRgn.GDI32(?,00000000), ref: 6C963A70
                              • GetParent.USER32(00000000), ref: 6C97EF24
                              • DrawThemeParentBackground.UXTHEME(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000018), ref: 6C97EF45
                              • MapWindowPoints.USER32(00000000,?,00000000,00000001), ref: 6C97EF79
                              • SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6C97EFA5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClipParentSelect$BackgroundCreateDrawH_prolog3IndirectMessagePointsRectSendThemeWindow
                              • String ID:
                              • API String ID: 935984306-0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9849DD
                                • Part of subcall function 6C963F98: __EH_prolog3.LIBCMT ref: 6C963F9F
                                • Part of subcall function 6C963F98: GetWindowDC.USER32(00000000,00000004,6C97E53A,00000000), ref: 6C963FCB
                              • GetClientRect.USER32(?,?), ref: 6C9849FF
                              • GetWindowRect.USER32(?,?), ref: 6C984A13
                                • Part of subcall function 6C9640B0: ScreenToClient.USER32(?,6C979501), ref: 6C9640BF
                                • Part of subcall function 6C9640B0: ScreenToClient.USER32(?,6C979509), ref: 6C9640CC
                              • OffsetRect.USER32(?,?,?), ref: 6C984A34
                                • Part of subcall function 6C963A7D: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C963AB4
                                • Part of subcall function 6C963A7D: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C963AD1
                              • OffsetRect.USER32(?,?,?), ref: 6C984A56
                                • Part of subcall function 6C963ADE: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C963B15
                                • Part of subcall function 6C963ADE: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C963B32
                              • SendMessageW.USER32(?,00000014,?,00000000), ref: 6C984A8E
                                • Part of subcall function 6C963FED: ReleaseDC.USER32(?,00000000), ref: 6C964021
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
                              • String ID:
                              • API String ID: 3860140383-0
                              APIs
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EEFFA
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EF010
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EF01B
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EF026
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EF031
                              • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C9EF03C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ContextExternal$BaseBase::~Concurrency::details::
                              • String ID:
                              • API String ID: 1690591649-0
                              APIs
                              • GetLastError.KERNEL32(?,?,00FB50AE,00FB284A,00F9993F,00000008,00F99C64,?,?,?,?,00F5EE17,?,?,33902926), ref: 00FB50C5
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FB50D3
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FB50EC
                              • SetLastError.KERNEL32(00000000,?,00FB50AE,00FB284A,00F9993F,00000008,00F99C64,?,?,?,?,00F5EE17,?,?,33902926), ref: 00FB513E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              APIs
                              • type_info::operator==.LIBVCRUNTIME ref: 6CAB8C6E
                              • CallUnexpected.LIBVCRUNTIME ref: 6CAB8EE7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CallUnexpectedtype_info::operator==
                              • String ID: csm$csm$csm
                              • API String ID: 2673424686-393685449
                              • Opcode ID: cfb033fa3526f2e598502c27429b8c09218319c822cd1fbc3b2eaea92882a018
                              • Instruction ID: 8dd42da77baadcb2a885af0a1a0f39fa28ba22f6308d91b8d497f5a916271efb
                              • Opcode Fuzzy Hash: cfb033fa3526f2e598502c27429b8c09218319c822cd1fbc3b2eaea92882a018
                              • Instruction Fuzzy Hash: C1B18D7180120ADFCF14CFA9C98099EBBB9BF04318F18415BE8147BA15D735EA99CB91
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,00000002,00000001,00000000,?,?,?,00F99E7F,00FFD518,00000000,811C9DC5,00F99E7F,00000006,?,00F6E21A,00000000), ref: 00F99EC4
                              • GetCurrentThread.KERNEL32 ref: 00F99ECB
                              • GetCurrentProcess.KERNEL32(00000000,?,?,?,00F99E7F,00FFD518,00000000,811C9DC5,00F99E7F,00000006,?,00F6E21A,00000000,00000001), ref: 00F99ED2
                              • DuplicateHandle.KERNEL32(00000000,?,?,?,00F99E7F,00FFD518,00000000,811C9DC5,00F99E7F,00000006,?,00F6E21A,00000000,00000001), ref: 00F99ED9
                              • CloseHandle.KERNEL32(00000000,?,?,?,00F99E7F,00FFD518,00000000,811C9DC5,00F99E7F,00000006,?,00F6E21A,00000000,00000001), ref: 00F99EE6
                              • GetCurrentThreadId.KERNEL32 ref: 00F99EF2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Current$HandleProcessThread$CloseDuplicate
                              • String ID:
                              • API String ID: 490430852-0
                              • Opcode ID: 93adda1e4fee6a5a96ae5595a049ec4bb4a29838768f064c5bd8b3abca40265e
                              • Instruction ID: 40e1ebf9eef361aaba775b7f158f11012ff7b53704b43b5731097a4f4ee14f56
                              • Opcode Fuzzy Hash: 93adda1e4fee6a5a96ae5595a049ec4bb4a29838768f064c5bd8b3abca40265e
                              • Instruction Fuzzy Hash: E2F0307190520DFBDB009BF0DC0DF5E3B7EAF04315F104026B203D2150D7B49604AB20
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C9A8AE2
                              • DrawThemeBackground.UXTHEME(00000000,?,00000001,00000000,?,00000000,?,?,?,?,?,?,?,0000001C), ref: 6C9A8B16
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 6C9A8B38
                              • DrawThemeBackground.UXTHEME(00000000,?,00000003,00000000,?,00000000,?,?,?,?,?,?,?,?,0000001C), ref: 6C9A8B70
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: BackgroundDrawTheme$H_prolog3_InflateRect
                              • String ID: %d%%
                              • API String ID: 1553386484-1518462796
                              • Opcode ID: d411e296f15cf37ec5154426d08fc8dcbe531e85b88b6eb3fe9113dfd41b735e
                              • Instruction ID: cfcb234bb9d4fd15e82c63fba94d662d90324b4e6790b335071670d952e18ec1
                              • Opcode Fuzzy Hash: d411e296f15cf37ec5154426d08fc8dcbe531e85b88b6eb3fe9113dfd41b735e
                              • Instruction Fuzzy Hash: 08415572A10209AFCF04CFA4CD95BEE77B9BF59318F140569E901BB690DB70E905CBA0
                              APIs
                              • GetNativeSystemInfo.KERNEL32(?,33902926), ref: 00F822E0
                              • Wow64DisableWow64FsRedirection.KERNEL32(00000000), ref: 00F822FA
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00F82375
                              • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00F82384
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Wow64$Redirection$DisableExecuteInfoNativeRevertShellSystem
                              • String ID: <
                              • API String ID: 226314799-4251816714
                              • Opcode ID: c29be3c55a3a2636ab854e86336ec3d747511845abdfd2f514fa947fbb7f722b
                              • Instruction ID: 58a495bb4176781354c15badea3a7aae4ffbb1c4ecce7273db3552ba19a937fa
                              • Opcode Fuzzy Hash: c29be3c55a3a2636ab854e86336ec3d747511845abdfd2f514fa947fbb7f722b
                              • Instruction Fuzzy Hash: F1416A75D00208CFCB10DFA8C948A9EBBF5FF49311F20426AE415AB250E734A945DF80
                              APIs
                              • GetModuleHandleW.KERNEL32(Advapi32.dll,195F0026,?,?,?,Function_0019C030,000000FF), ref: 6C986E41
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6C986E51
                                • Part of subcall function 6C97B7FC: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6C97B80F
                                • Part of subcall function 6C97B7FC: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C97B81F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: Advapi32.dll$RegDeleteKeyExW
                              • API String ID: 1646373207-2191092095
                              • Opcode ID: 24a8d7200007d65a9a470977d4be5f548015c884499e9141f29eae7acaf1cce9
                              • Instruction ID: 827c4ef58cafde76d6f68133b51711914fe8d85bd691e0aba57e46a9574d0cfd
                              • Opcode Fuzzy Hash: 24a8d7200007d65a9a470977d4be5f548015c884499e9141f29eae7acaf1cce9
                              • Instruction Fuzzy Hash: CD119475616144EFDF118F15C804B4EBF79FB0A758F00492AF81AD7A50D736E820CBA1
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6016D
                                • Part of subcall function 00FB2A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00FB2AAA
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F601B2
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw$ExceptionRaise
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3476068407-1866435925
                              • Opcode ID: cb3e313ec6f24569989ef680047cd7544df90ca56fde2711e4e350daa97497e2
                              • Instruction ID: 163ba5c4a28dec8015ed3642eae0697f8b1d1e6b422501f356de205bff5e7895
                              • Opcode Fuzzy Hash: cb3e313ec6f24569989ef680047cd7544df90ca56fde2711e4e350daa97497e2
                              • Instruction Fuzzy Hash: F3F0D672D003086AD710DA59DC16BEB338C5B05310F284569FEA49B0C3EA689944A791
                              APIs
                              • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00FB4FFB
                              • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00FB502F
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FB503F
                              Strings
                              • Attempted a typeid of nullptr pointer!, xrefs: 00FB5026
                              • Bad read pointer - no RTTI data!, xrefs: 00FB4FF2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::__non_rtti_object::__construct_from_string_literal$Exception@8Throw
                              • String ID: Attempted a typeid of nullptr pointer!$Bad read pointer - no RTTI data!
                              • API String ID: 3406231999-4195314292
                              • Opcode ID: 3cb4f729e0ec55fd9214f261adea4d47f9c437ed9217cafb1d5089a71e7fea01
                              • Instruction ID: b352c32e3dce669d13f1066349a790f294596104216f492b96bdc4b698cd8c60
                              • Opcode Fuzzy Hash: 3cb4f729e0ec55fd9214f261adea4d47f9c437ed9217cafb1d5089a71e7fea01
                              • Instruction Fuzzy Hash: D7F04472A043089FDB24DB96D946FED73E8EB48B60F20445AF211971E1E779F900AB61
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FC46E9,00000003,?,00FC4689,00000003,00FFEEE0,0000000C,00FC47E0,00000003,00000002), ref: 00FC4758
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FC476B
                              • FreeLibrary.KERNEL32(00000000,?,?,?,00FC46E9,00000003,?,00FC4689,00000003,00FFEEE0,0000000C,00FC47E0,00000003,00000002,00000000), ref: 00FC478E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 132d0f9aed24e6ded5539cf42d05889fd794568f50582fee658e9feb67a80524
                              • Instruction ID: 732c2cdc21a849b92b96255532d66382629cde0e6f24c927bee7a8394f1eb141
                              • Opcode Fuzzy Hash: 132d0f9aed24e6ded5539cf42d05889fd794568f50582fee658e9feb67a80524
                              • Instruction Fuzzy Hash: FFF0AF30A0120DFBDB119FA1DC09F9EBFB9EF44721F004169F806A2190DB74AA48EA90
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C98685C
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C986845
                              • EncodePointer.KERNEL32(00000000), ref: 6C98684E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmDefWindowProc$dwmapi.dll
                              • API String ID: 1102202064-234806475
                              • Opcode ID: f796c8292efee39ca258870851dd27a68eb2e60a95e8face9b6fa67aa5f5a255
                              • Instruction ID: 02ac50138e1a063c77707e0fa4319c17f40f39ed9b10c1fb3b7c728d016fc3de
                              • Opcode Fuzzy Hash: f796c8292efee39ca258870851dd27a68eb2e60a95e8face9b6fa67aa5f5a255
                              • Instruction Fuzzy Hash: E5F0903661621AAB9F022FA5DC1885E3FB9AB092A43000871FC08D7E10DB31C910CFA0
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C986920
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C986909
                              • EncodePointer.KERNEL32(00000000), ref: 6C986912
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetWindowAttribute$dwmapi.dll
                              • API String ID: 1102202064-3105884578
                              • Opcode ID: 52fb4c7e8d6b6200d99ad337ca35951eea36986ab3163b09fa65ac73001667ad
                              • Instruction ID: c771fd7c74ff4681a4d22608fbdd3a4bf086b4cd3be285d620dcb3a23a47dded
                              • Opcode Fuzzy Hash: 52fb4c7e8d6b6200d99ad337ca35951eea36986ab3163b09fa65ac73001667ad
                              • Instruction Fuzzy Hash: 04F0E036643215AF8F111F65DD0886D3BBCEB097693000421FD18DBE50D732C810CB60
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C986A43
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C986A2C
                              • EncodePointer.KERNEL32(00000000), ref: 6C986A35
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
                              • API String ID: 1102202064-1757063745
                              • Opcode ID: 58d79164e9d88a61dd2b36f36310c59a1c45fb3ab2e9a47b8afd16e240a4d253
                              • Instruction ID: a0462ac012c2e455e12ed89d77b99f393b3c2f4061811b044d07c4323b8e8f90
                              • Opcode Fuzzy Hash: 58d79164e9d88a61dd2b36f36310c59a1c45fb3ab2e9a47b8afd16e240a4d253
                              • Instruction Fuzzy Hash: 2AF0E977652216AB8F116F68CC1886E3FBCBB057547008821FD09DBE00EB35CC00CBA0
                              APIs
                              • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00FA8E1B
                              • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 00FA8E3F
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FA8E52
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA8E60
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                              • String ID: pScheduler
                              • API String ID: 3657713681-923244539
                              • Opcode ID: 80c8ccbe7eca09315e8759dd4cefb05896b838a98afd5178758bfd7111b61a94
                              • Instruction ID: 660346aeecbcd1412b916828e329bb3ce72489dbffa120f68a97ed7950cc883f
                              • Opcode Fuzzy Hash: 80c8ccbe7eca09315e8759dd4cefb05896b838a98afd5178758bfd7111b61a94
                              • Instruction Fuzzy Hash: 54F09E71900208EBCB20FB94DC92CEEB379DE827707208529E10257192DFB4ED07E692
                              APIs
                              • DecodePointer.KERNEL32(00000000,?,?,6C97F22E,6CB3825C,0000002C), ref: 6C9868C1
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C9868AA
                              • EncodePointer.KERNEL32(00000000,?,?,6C97F22E,6CB3825C,0000002C), ref: 6C9868B3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmIsCompositionEnabled$dwmapi.dll
                              • API String ID: 1102202064-1198327662
                              • Opcode ID: 45c68f2e3b60f34b7f19b92a54c1f87b3ae5ce4449efbbabd3833fc3c7fc2f43
                              • Instruction ID: 4c94b4c1fc5fc86773d3f6ddd6da18f3648b1748ead833fee0faf00c6835ea65
                              • Opcode Fuzzy Hash: 45c68f2e3b60f34b7f19b92a54c1f87b3ae5ce4449efbbabd3833fc3c7fc2f43
                              • Instruction Fuzzy Hash: EEF08935616625AFDF116B64D90565D3BBCAB067957050472F80DDBE40EB35D800CAA4
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C986985
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C98696E
                              • EncodePointer.KERNEL32(00000000), ref: 6C986977
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmSetIconicThumbnail$dwmapi.dll
                              • API String ID: 1102202064-2331651847
                              • Opcode ID: 3586d9c0a1a167b8e10f3ccef168eb03b1f12ed9ec47f8de8c3b3f3d771e3804
                              • Instruction ID: b16361eaa468674c5adab003e2c2506ab729757578d07e784678bc7dc250faf6
                              • Opcode Fuzzy Hash: 3586d9c0a1a167b8e10f3ccef168eb03b1f12ed9ec47f8de8c3b3f3d771e3804
                              • Instruction Fuzzy Hash: 44F0E939652216ABCF112F64CD08D5D3BFCAB067A53000421FC09DBE80DB32C800CAA5
                              APIs
                              • DecodePointer.KERNEL32(00000000), ref: 6C9869E7
                                • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
                                • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
                                • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
                              • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C9869D0
                              • EncodePointer.KERNEL32(00000000), ref: 6C9869D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Pointer$AddressEncodeProc$DecodeHandleModule
                              • String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
                              • API String ID: 1102202064-1901905683
                              • Opcode ID: 4e9259b2e951f62416ecb3b883eec70790850d166b8b238642ebb6e2c4ba2e39
                              • Instruction ID: 63448a1eb7542fc4015333ee72406d54a0bd66f395e5ffc1e8eeab677d121aa2
                              • Opcode Fuzzy Hash: 4e9259b2e951f62416ecb3b883eec70790850d166b8b238642ebb6e2c4ba2e39
                              • Instruction Fuzzy Hash: 4BF0A7357567559B9B116B64891A85D37BC5B067993014422FC0DDBE40EB39CC00CEA5
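The three entries above share one shape: the helper at 6C96AA64 resolves an export through GetModuleHandleW and GetProcAddress, then the function itself calls GetProcAddress for a dwmapi.dll export (DwmIsCompositionEnabled, DwmSetIconicThumbnail, DwmInvalidateIconicBitmaps), stores the result with EncodePointer and reads it back with DecodePointer. That is ordinary runtime linking of optional Desktop Window Manager APIs, done so the binary still loads where the export is absent; on its own it is not evidence of malice, and the export names in the String ID field are what let an analyst separate framework housekeeping from deliberately hidden imports. As an added example that is not part of the Joe Sandbox report, the script below parses entries in the layout shown here, pulls out the export names handed to GetProcAddress (distinguishing the function's own calls from subcall functions), splits the String ID field, and groups the result by snapshot file. SAMPLE is constructed from two of the entries on this page; the regular expressions are assumptions about the layout and were checked only against this section.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Joe Sandbox function entries on this
# page (two entries, values copied from the report; the report itself is not
# embedded here).
SAMPLE = """\
APIs
• DecodePointer.KERNEL32(00000000), ref: 6C986985
  • Part of subcall function 6C96AA64: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6C96AA8A
  • Part of subcall function 6C96AA64: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C96AA9A
  • Part of subcall function 6C96AA64: EncodePointer.KERNEL32(00000000), ref: 6C96AAA3
• GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C98696E
• EncodePointer.KERNEL32(00000000), ref: 6C986977
Strings
Memory Dump Source
• Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$DecodeHandleModule
• String ID: DwmSetIconicThumbnail$dwmapi.dll
• API String ID: 1102202064-2331651847
APIs
• GetCursorPos.USER32(00000000), ref: 6C966E7C
• GetKeyState.USER32(00000011), ref: 6C966E84
• SetCursorPos.USER32(00000000,00000000), ref: 6C966F75
Memory Dump Source
• Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
Similarity
• API ID: ClientCursorScreen$State
• String ID:
• API String ID: 3982492586-0
"""

# Section headers in the order the report prints them; a header whose rank is
# not above the last one seen starts a new entry (entries may omit headers).
ORDER = {"APIs": 0, "Strings": 1, "Memory Dump Source": 2,
         "Joe Sandbox IDA Plugin": 3, "Similarity": 4}

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker;
# the parenthesised argument list is optional (e.g. "GetDesktopWindow.USER32 ref: ...").
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+): ?(?P<val>.*)$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")


def parse_entries(text):
    """Split report text into entries: {'apis': [api dicts], 'fields': {key: value}}."""
    entries, cur, section, rank = [], None, None, -1
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ORDER:
            if cur is None or ORDER[stripped] <= rank:
                cur = {"apis": [], "fields": {}}
                entries.append(cur)
            section, rank = stripped, ORDER[stripped]
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur["apis"].append(m.groupdict())
                continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"].strip()] = m["val"].strip()
    return entries


def runtime_resolved(entry):
    """Export names passed to GetProcAddress, mapped to 'direct' (the function's
    own call) or 'subcall <addr>' (a callee). Ordinal or unresolved ('?')
    second arguments are skipped, since the sandbox did not recover a name."""
    found = {}
    for api in entry["apis"]:
        if api["name"] != "GetProcAddress" or not api["args"]:
            continue
        args = [a.strip() for a in api["args"].split(",")]
        if len(args) < 2 or args[1] in ("", "?") or HEX_RE.match(args[1]):
            continue
        found[args[1]] = "direct" if api["sub"] is None else f"subcall {api['sub']}"
    return found


def string_ids(entry):
    """The '$'-separated String ID field as a list (empty when the field is blank)."""
    return [s for s in entry["fields"].get("String ID", "").split("$") if s]


def summarize(entries):
    """Per snapshot file: number of entries and the sorted set of exports resolved at runtime."""
    out = defaultdict(lambda: {"entries": 0, "resolved": set()})
    for e in entries:
        snap = e["fields"].get("Snapshot File", "<unknown>")
        out[snap]["entries"] += 1
        out[snap]["resolved"].update(runtime_resolved(e))
    return {k: {"entries": v["entries"], "resolved": sorted(v["resolved"])} for k, v in out.items()}


if __name__ == "__main__":
    for snap, info in summarize(parse_entries(SAMPLE)).items():
        print(snap, info)
```

Feed the script the text of a whole report section rather than SAMPLE and the summary turns a few thousand lines of entries into one list of dynamically resolved export names per module image, which is the list worth reviewing by hand.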
                              APIs
                                • Part of subcall function 6C9A6F59: PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9A6F93
                                • Part of subcall function 6C9A6F59: SetRectEmpty.USER32(?), ref: 6C9A6FBB
                                • Part of subcall function 6C9A6F59: GetDesktopWindow.USER32 ref: 6C9A6FD3
                                • Part of subcall function 6C9A6F59: LockWindowUpdate.USER32(?,00000000), ref: 6C9A6FE4
                                • Part of subcall function 6C9A6F59: GetDCEx.USER32(?,00000000,00000003), ref: 6C9A6FFB
                                • Part of subcall function 6C9634E9: GetLayout.GDI32(?,6C9A652C), ref: 6C9634EC
                              • GetWindowRect.USER32(?,?), ref: 6C9A655D
                                • Part of subcall function 6C9634F3: SetLayout.GDI32(?,?), ref: 6C9634FC
                                • Part of subcall function 6C9A6395: AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 6C9A63A5
                              • InflateRect.USER32(?,00000002,00000002), ref: 6C9A687B
                              • InflateRect.USER32(00000000,00000002,00000002), ref: 6C9A6892
                                • Part of subcall function 6C9A7612: OffsetRect.USER32(?,00000000,00000000), ref: 6C9A764B
                                • Part of subcall function 6C9A68FD: OffsetRect.USER32(?,?,?), ref: 6C9A6917
                                • Part of subcall function 6C9A68FD: OffsetRect.USER32(?,?,?), ref: 6C9A6923
                                • Part of subcall function 6C9A68FD: OffsetRect.USER32(?,?,?), ref: 6C9A692F
                                • Part of subcall function 6C9A68FD: OffsetRect.USER32(?,?,?), ref: 6C9A693B
                                • Part of subcall function 6C9A7177: GetCapture.USER32 ref: 6C9A7181
                                • Part of subcall function 6C9A7177: SetCapture.USER32(?), ref: 6C9A7195
                                • Part of subcall function 6C9A7177: GetCapture.USER32 ref: 6C9A71A1
                                • Part of subcall function 6C9A7177: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9A71BF
                                • Part of subcall function 6C9A7177: DispatchMessageW.USER32(?), ref: 6C9A71FB
                                • Part of subcall function 6C9A7177: GetCapture.USER32 ref: 6C9A7259
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Offset$CaptureWindow$Message$InflateLayout$AdjustDesktopDispatchEmptyLockPeekUpdate
                              • String ID:
                              • API String ID: 2444846054-0
                              • Opcode ID: 9f01920c5d15085ee1f963e2d78f0d3d547f8624cefeed6d10fd62f608ef3a71
                              • Instruction ID: 8cdcf02bc67dcd960fbee9b4009fa922d8b6c81f8e18eee8411df182ba74dee6
                              • Opcode Fuzzy Hash: 9f01920c5d15085ee1f963e2d78f0d3d547f8624cefeed6d10fd62f608ef3a71
                              • Instruction Fuzzy Hash: 56E1F576E006189FCF05CF98D840AEEBBB6BF49314F15811AF919BB350DB71A942CB94
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C99AE5E
                              • IsWindow.USER32(00000000), ref: 6C99AE72
                              • GetClientRect.USER32(00000000,00000000), ref: 6C99AEC7
                              • GetCursorPos.USER32(?), ref: 6C99B090
                              • ScreenToClient.USER32(00000000,?), ref: 6C99B09D
                                • Part of subcall function 6C9959F1: __EH_prolog3_GS.LIBCMT ref: 6C9959FB
                                • Part of subcall function 6C9959F1: GetClientRect.USER32(00000000,00000000), ref: 6C995A55
                                • Part of subcall function 6C99382B: __EH_prolog3_GS.LIBCMT ref: 6C993835
                                • Part of subcall function 6C99382B: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C993860
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
                              • String ID:
                              • API String ID: 3214297127-0
                              • Opcode ID: 6846c18e75b076028e98b8a3629dc7a509314a127c6ca2a4d3f4f3003c3b8fd1
                              • Instruction ID: d8ddb57d7bc0b2a5b8cf0e6086159be37beee97010127e0d6281046a68514040
                              • Opcode Fuzzy Hash: 6846c18e75b076028e98b8a3629dc7a509314a127c6ca2a4d3f4f3003c3b8fd1
                              • Instruction Fuzzy Hash: 57917971E002188FDF05DFA5C884ADDBBB9FF59308F18416AE805AB655DB34E905CF60
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7465fd8e612e251668a8089566904dcac96fe997abc65ab2674d78d4371e63a5
                              • Instruction ID: 6e41a64c52346efb5335d468eb80abbfc8ba9c330917831df4b9c8b63d19666d
                              • Opcode Fuzzy Hash: 7465fd8e612e251668a8089566904dcac96fe997abc65ab2674d78d4371e63a5
                              • Instruction Fuzzy Hash: 05718E31D002579BEB218F55CE46FBEBBB5EB41360F18423EE81597181D7718D85EBA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 8687e72ab7ab774c0f85dfa8c70abf9b6737827afb4ef7faf1808fac5859a5de
                              • Instruction ID: 2f96dbd659b339bc462e9fb319efa0b63bb0c82055fa4cc5dca574f0a257a25e
                              • Opcode Fuzzy Hash: 8687e72ab7ab774c0f85dfa8c70abf9b6737827afb4ef7faf1808fac5859a5de
                              • Instruction Fuzzy Hash: DA41D032E006019BDB20DF78CA86B5AB3A1EF88724F1585ADE555EB381DB31FD41DB80
                              APIs
                              • GetCursorPos.USER32(00000000), ref: 6C966E7C
                              • GetKeyState.USER32(00000011), ref: 6C966E84
                              • ScreenToClient.USER32(?,00000000), ref: 6C966F1C
                              • ClientToScreen.USER32(?,00000000), ref: 6C966F69
                              • SetCursorPos.USER32(00000000,00000000), ref: 6C966F75
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorScreen$State
                              • String ID:
                              • API String ID: 3982492586-0
                              • Opcode ID: a19fcc5ac70ac848098516323cafa8dac1a9f309c95590704a32c9fafd42e4c5
                              • Instruction ID: 50c66d38c52c1f545342c891c144ae75138737cc1369b2e8c7cb9a3c85b111be
                              • Opcode Fuzzy Hash: a19fcc5ac70ac848098516323cafa8dac1a9f309c95590704a32c9fafd42e4c5
                              • Instruction Fuzzy Hash: D731B372611505EBDB09CBB9C9556ADBBB5FB46314F20426AE412D3DD0D730DE60CB40
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F6A3C6
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F6A3E6
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A406
                              • std::_Facet_Register.LIBCPMT ref: 00F6A4A1
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A4B9
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                              • String ID:
                              • API String ID: 459529453-0
                              • Opcode ID: 6d71ad9a65f086dea9ce561c1d867971e943426dc0c7813afbc045c99615f1ad
                              • Instruction ID: 43b903a094a718d6684d6409753ebb3e62f73fbf6103fc64a39742a53bf8404b
                              • Opcode Fuzzy Hash: 6d71ad9a65f086dea9ce561c1d867971e943426dc0c7813afbc045c99615f1ad
                              • Instruction Fuzzy Hash: 4F41FF71D002148FDF25DF54DC45BAEBBB4EB00710F11401DE8466B292DBB9AD06DF82
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F57B76
                              • std::_Lockit::_Lockit.LIBCPMT ref: 00F57B96
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F57BB6
                              • std::_Facet_Register.LIBCPMT ref: 00F57C51
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 00F57C69
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                              • String ID:
                              • API String ID: 459529453-0
                              • Opcode ID: f973d41820b5937ad539902e3b4ac8599177dcc0bb0a57015ad9c46e23f01fb7
                              • Instruction ID: 7b608a09479c29830b77ea69e58487db6e905a615b55bd16c824967e4a451eaa
                              • Opcode Fuzzy Hash: f973d41820b5937ad539902e3b4ac8599177dcc0bb0a57015ad9c46e23f01fb7
                              • Instruction Fuzzy Hash: F1410171D082489FDB25EF58E881B6EB7B4EF40710F10815DE9466B381DB75AD09DBD0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorScreen$Rect
                              • String ID:
                              • API String ID: 1082406499-0
                              • Opcode ID: 69a39ccaf447e9fa822abf0c33be0d1ed9dc1b712150d54d3d0bbd62d7b9b512
                              • Instruction ID: 29f068197f830917fda1bd8276fa9016c74e4cd05fe282673ffddc1921779577
                              • Opcode Fuzzy Hash: 69a39ccaf447e9fa822abf0c33be0d1ed9dc1b712150d54d3d0bbd62d7b9b512
                              • Instruction Fuzzy Hash: D531AD31B0020ADFCF08DFA4C894AEEB7B9FF59308F14012AE415A7A50DB34E955CB95
                              APIs
                                • Part of subcall function 6C97BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C97BBEF
                                • Part of subcall function 6C962201: GetParent.USER32(?), ref: 6C962204
                                • Part of subcall function 6C962201: GetParent.USER32(00000000), ref: 6C96220B
                              • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6C962501
                              • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C96252A
                              • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C962549
                              • SendMessageW.USER32(?,00000222,?,00000000), ref: 6C962563
                              • SendMessageW.USER32(?,00000222,00000000,?), ref: 6C96258C
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$Parent$LongWindow
                              • String ID:
                              • API String ID: 4191550487-0
                              • Opcode ID: c55b921c2b8b0e4aaee02f3a69f068b5b945b871850b7a45311302505cb810e7
                              • Instruction ID: 7e44cff11961d3b2394060ecaf32162dffe98a0634256360f673425970d9f612
                              • Opcode Fuzzy Hash: c55b921c2b8b0e4aaee02f3a69f068b5b945b871850b7a45311302505cb810e7
                              • Instruction Fuzzy Hash: C7219172704A04BBFB215B62CC8DFAE767DFB2875CF140228E59296DD0DB71ED5086A0
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C99CEC2
                              • GetClientRect.USER32(?,?), ref: 6C99CEEE
                              • PtInRect.USER32(?,?,?), ref: 6C99CF06
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C99CF2F
                              • SendMessageW.USER32(?,00000200,?,?), ref: 6C99CF4E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientCursorMessagePointsSendWindow
                              • String ID:
                              • API String ID: 1257894355-0
                              • Opcode ID: bb7296bfce0faf9b631227df0e8681ad3ce02673eb654421a22a7087d5b56197
                              • Instruction ID: 0d07177b5b7cd7fe69bda48db0601d9327c51357aefc8e8785c6075532f5ba36
                              • Opcode Fuzzy Hash: bb7296bfce0faf9b631227df0e8681ad3ce02673eb654421a22a7087d5b56197
                              • Instruction Fuzzy Hash: 1B319371A00209EFDF109F64CD409BEBBB9FF05354F14422AF92A93950D731E920CB90
                              APIs
                                • Part of subcall function 6C99686C: __EH_prolog3_GS.LIBCMT ref: 6C996873
                                • Part of subcall function 6C99686C: GetWindowRect.USER32(00000000,00000000), ref: 6C9968BC
                                • Part of subcall function 6C99686C: CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C9968E6
                                • Part of subcall function 6C99686C: SetWindowRgn.USER32(00000000,?,00000000), ref: 6C9968FC
                              • GetSystemMenu.USER32(?,00000000), ref: 6C998EB6
                              • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6C998ED3
                              • DeleteMenu.USER32(?,0000F020,00000000), ref: 6C998EE2
                              • DeleteMenu.USER32(?,0000F030,00000000), ref: 6C998EF1
                              • EnableMenuItem.USER32(?,0000F060,00000001), ref: 6C998F19
                                • Part of subcall function 6C997650: SetRectEmpty.USER32(?), ref: 6C99767B
                                • Part of subcall function 6C997650: ReleaseCapture.USER32 ref: 6C997681
                                • Part of subcall function 6C997650: SetCapture.USER32(?,?,?,?,6C98F5F2,?), ref: 6C997694
                                • Part of subcall function 6C997650: RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C997794
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Menu$DeleteRectWindow$Capture$CreateEmptyEnableH_prolog3_ItemRedrawReleaseRoundSystem
                              • String ID:
                              • API String ID: 4022425685-0
                              • Opcode ID: b482fd5e4de8a083a219ffc1e536a0bf6dbc1e0d8c7f9fa1322b4e19a27a4a3c
                              • Instruction ID: a67af537891fd6760f869c19e0caeb1e0ccf8949bf55f093026de003d1b2234c
                              • Opcode Fuzzy Hash: b482fd5e4de8a083a219ffc1e536a0bf6dbc1e0d8c7f9fa1322b4e19a27a4a3c
                              • Instruction Fuzzy Hash: C221B531301215EFDF152B61CD499AE7F3AFF59754B08007AF9059B791CB31D910DAA4
                              APIs
                              • IsWindow.USER32(00000000), ref: 6C969005
                              • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C969019
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C96902C
                              • SetWindowLongW.USER32(?,000000F0,?), ref: 6C969063
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C969078
                                • Part of subcall function 6C97BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C97BBEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Long
                              • String ID:
                              • API String ID: 3430364388-0
                              • Opcode ID: 92193ecaa35c6e1447997bd96027a541379909c90e72b4a1150ee1b777494bcb
                              • Instruction ID: 6a78faeb6d6c5b9f468e4d399b681c18103dc067bf40982969cd8c91ec658679
                              • Opcode Fuzzy Hash: 92193ecaa35c6e1447997bd96027a541379909c90e72b4a1150ee1b777494bcb
                              • Instruction Fuzzy Hash: 0021D472301614FFEB208F65CC85E6A7BB9FB55718F21823DA296A7A90DB72DC00C750
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 00FD0043
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FD0066
                                • Part of subcall function 00FC7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FCA0DD,?,?,?,?,?,00FBCAEB,00000000), ref: 00FC7A5B
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FD008C
                              • _free.LIBCMT ref: 00FD009F
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FD00AE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: ae0adf1eb99c0c6f6f2720d5e3a6d137e1e4d2cd183dd31b2d77687cc481ce0a
                              • Instruction ID: 5b644fc66a52e3adaa2caa7c7548d0eca41a28f68dd7e7bc379afb0c1162ffae
                              • Opcode Fuzzy Hash: ae0adf1eb99c0c6f6f2720d5e3a6d137e1e4d2cd183dd31b2d77687cc481ce0a
                              • Instruction Fuzzy Hash: 3B017173A02215BF632116B6AC8DF7B7A6EDAC2B70718412BB90AC2200DE658D01B1B0
                              APIs
                              • IsWindow.USER32(00000000), ref: 6C968E40
                              • SendMessageW.USER32(?,00000455,00000000,00000000), ref: 6C968E54
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C968E67
                              • SetWindowLongW.USER32(?,000000F0,?), ref: 6C968E86
                              • SendMessageW.USER32(?,00000454,00000000,00000000), ref: 6C968E9C
                                • Part of subcall function 6C97BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C97BBEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Long
                              • String ID:
                              • API String ID: 3430364388-0
                              • Opcode ID: 5f1bafed4081aa9a9c36acf8a42b647cfa8948b8edb0323ae93e01e8ca406b40
                              • Instruction ID: ce77685707f944d17fe50eec2f1953686013efdc7351e6adc9839e0b220d11e4
                              • Opcode Fuzzy Hash: 5f1bafed4081aa9a9c36acf8a42b647cfa8948b8edb0323ae93e01e8ca406b40
                              • Instruction Fuzzy Hash: CF11D672701604BBEB212B66CC09F5B7AB9FBD2B14F20422AA14197AE0DBB1DC40C764
                              APIs
                              • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C97AAA7
                              • RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C97AAC7
                              • RegCloseKey.ADVAPI32(00000000), ref: 6C97AAF8
                                • Part of subcall function 6C97AE4D: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C97AEF2
                                • Part of subcall function 6C97AE4D: RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 6C97AF01
                              • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C97AAEF
                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C97AB13
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Close$DeleteValue$PrivateProfileStringWrite
                              • String ID:
                              • API String ID: 222425065-0
                              • Opcode ID: bd4b7c27c1d4504245ca93453542fe857a5a526eec724ec31cee827dcfa30e88
                              • Instruction ID: b9dd7e93da88b97258a3c6b093c06a86fdf46d597ba241ef5fcff936d057a391
                              • Opcode Fuzzy Hash: bd4b7c27c1d4504245ca93453542fe857a5a526eec724ec31cee827dcfa30e88
                              • Instruction Fuzzy Hash: 2011A032603626BBCF265A759D08E9F3B7FEF46364B005420F9199A910DF31C85187B0
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6C996873
                              • GetWindowRect.USER32(00000000,00000000), ref: 6C9968BC
                              • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C9968E6
                              • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C9968FC
                              • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C996914
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Rect$CreateH_prolog3_Round
                              • String ID:
                              • API String ID: 2502471913-0
                              • Opcode ID: bbd235df69dc8091a5218550351cd7bfb6f123b8e3c76d046415b0070666b10c
                              • Instruction ID: cf5a2326f8630b4a9e0da5b6ab838a2b02d6b35dd4913981c84887b5b936ba0a
                              • Opcode Fuzzy Hash: bbd235df69dc8091a5218550351cd7bfb6f123b8e3c76d046415b0070666b10c
                              • Instruction Fuzzy Hash: 73115971A0061DAFDF059FA4C894AEDBB79BF19708F240129E505A3A50DB30AD90CBA0
                              APIs
                              • GetLastError.KERNEL32(?,?,?,00FB6807,00FC9265,?,00FC6EF2,00000001,00000364,?,00FBCAB3,00FFEEC0,00000010), ref: 00FC6F4D
                              • _free.LIBCMT ref: 00FC6F82
                              • _free.LIBCMT ref: 00FC6FA9
                              • SetLastError.KERNEL32(00000000), ref: 00FC6FB6
                              • SetLastError.KERNEL32(00000000), ref: 00FC6FBF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: e880a26551b55d91ee96aa26465c889976bececf8057eee94e9dc093d6242fb7
                              • Instruction ID: 953f3136dd17c7fe9c099bd6d5b8718981460fe4c0d774e309ed457fe9325153
                              • Opcode Fuzzy Hash: e880a26551b55d91ee96aa26465c889976bececf8057eee94e9dc093d6242fb7
                              • Instruction Fuzzy Hash: 3901D67694C60366822266347F8BF1E365B9BC63B1B21012DF546D2182FE798C15B570
                              APIs
                              • GetDC.USER32(?), ref: 6C964BDA
                                • Part of subcall function 6C9809F1: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C980A38
                                • Part of subcall function 6C9809F1: CreatePatternBrush.GDI32(00000000), ref: 6C980A45
                                • Part of subcall function 6C9809F1: DeleteObject.GDI32(00000000), ref: 6C980A51
                              • SelectObject.GDI32(?,?), ref: 6C964BF9
                              • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6C964C1E
                              • SelectObject.GDI32(?,00000000), ref: 6C964C2C
                              • ReleaseDC.USER32(?,?), ref: 6C964C38
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
                              • String ID:
                              • API String ID: 2474928807-0
                              • Opcode ID: 1d8757dc25e855fce9f25599236c4d18537b0bc7c2c0620f72d8ef97deb3f02f
                              • Instruction ID: cfff01b88601c974b1654fd54ba43058872a902af47d05a161c988eddab81549
                              • Opcode Fuzzy Hash: 1d8757dc25e855fce9f25599236c4d18537b0bc7c2c0620f72d8ef97deb3f02f
                              • Instruction Fuzzy Hash: 00011A37200200AFDB029FA9CD49C96BFB9FF4A7483108569F519C7921CB33D812DB50
                              APIs
                                • Part of subcall function 00F9E800: TlsGetValue.KERNEL32(?,?,00F9DD7A,00F9DB93,?,?), ref: 00F9E806
                              • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00FA38E9
                                • Part of subcall function 00FACFB0: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00FACFD7
                                • Part of subcall function 00FACFB0: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00FACFF0
                                • Part of subcall function 00FACFB0: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00FAD066
                                • Part of subcall function 00FACFB0: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00FAD06E
                              • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00FA38F7
                              • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00FA3901
                              • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00FA390B
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA3929
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                              • String ID:
                              • API String ID: 4266703842-0
                              • Opcode ID: 4c74f4d402f10cb437df9baa19d295567b1897794f09d16bd4102e198d02960d
                              • Instruction ID: 7137f222272375b84d81ac24543cfe8b9284746f26c261b87993aa1aa1835975
                              • Opcode Fuzzy Hash: 4c74f4d402f10cb437df9baa19d295567b1897794f09d16bd4102e198d02960d
                              • Instruction Fuzzy Hash: 1CF0F6B1E002146BCB25B665CC069AEF72A5F82B20B044029F51193291DF7DDF00BBD5
                              APIs
                              • _free.LIBCMT ref: 00FD0DF3
                                • Part of subcall function 00FC79EF: HeapFree.KERNEL32(00000000,00000000,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?), ref: 00FC7A05
                                • Part of subcall function 00FC79EF: GetLastError.KERNEL32(?,?,00FD108E,?,00000000,?,00000000,?,00FD1332,?,00000007,?,?,00FD1726,?,?), ref: 00FC7A17
                              • _free.LIBCMT ref: 00FD0E05
                              • _free.LIBCMT ref: 00FD0E17
                              • _free.LIBCMT ref: 00FD0E29
                              • _free.LIBCMT ref: 00FD0E3B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 3eab32b25dec3e58f1b294859fbc7bf18492efdde0b29a42ae9736574886facb
                              • Instruction ID: 6d77c093cef337f6a9f16935b848713252fd50f8f4fda87fa7b20c99f68c208a
                              • Opcode Fuzzy Hash: 3eab32b25dec3e58f1b294859fbc7bf18492efdde0b29a42ae9736574886facb
                              • Instruction Fuzzy Hash: 1DF01272909201AB8A75EB68E9C7E1B73DBEA04720B581C0BF049D7A45CF39FC906B54
                              APIs
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00F70E74
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00F70E63
                                • Part of subcall function 00F99E80: std::system_error::system_error.LIBCPMT ref: 00F99EA1
                                • Part of subcall function 00F99E80: __CxxThrowException@8.LIBVCRUNTIME ref: 00F99EAF
                              • GetCurrentThreadId.KERNEL32 ref: 00F70E7C
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00F70E88
                              • std::_Throw_Cpp_error.LIBCPMT ref: 00F70EA5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cpp_errorThrow_std::_$CurrentException@8ThreadThrowstd::system_error::system_error
                              • String ID:
                              • API String ID: 1635414652-0
                              • Opcode ID: 03a6080fc6aca861af7f47eb9df50a6336c73184098da6c0a8359ec9da657530
                              • Instruction ID: 5f845029f872e7a2310f407147095b85b64435916f612869a230923052feb967
                              • Opcode Fuzzy Hash: 03a6080fc6aca861af7f47eb9df50a6336c73184098da6c0a8359ec9da657530
                              • Instruction Fuzzy Hash: B6F062B1A047009AFA30BBA99C03B9372C84F14729F05493DF95D951C2FAD6E810A6E7
                              APIs
                              • __EH_prolog3.LIBCMT ref: 00F9E1A3
                              • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00F9E1C3
                                • Part of subcall function 00F9DB6C: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00F9DB8E
                                • Part of subcall function 00F9DB6C: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00F9DBAF
                              • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00F9E1D6
                              • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00F9E1E2
                              • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00F9E1EB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadRegisterSchedulerSwitch_to_active
                              • String ID:
                              • API String ID: 1236927926-0
                              • Opcode ID: 84d20d17111ceb3cf867a57832dd0528919358b7b90a22a3ecdade42fdea9cda
                              • Instruction ID: 688ad38a23ac346d244ede3cb20e625c0d63330d5b1e29d89d092343a3174615
                              • Opcode Fuzzy Hash: 84d20d17111ceb3cf867a57832dd0528919358b7b90a22a3ecdade42fdea9cda
                              • Instruction Fuzzy Hash: 07F0E231A00208A7BF18FFB44C12ABE3A965F81364F280129F512AB3D2CF798D45B6D4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __freea
                              • String ID: a/p$am/pm
                              • API String ID: 240046367-3206640213
                              • Opcode ID: 4e438de3b6d800d106f12eb86c04183850145d58d6ab4ac87828cacced5dec16
                              • Instruction ID: 4dfd41d24968935d223d59b0cfa4bdaa6a68f699c79c14cbf0911756155f8ca4
                              • Opcode Fuzzy Hash: 4e438de3b6d800d106f12eb86c04183850145d58d6ab4ac87828cacced5dec16
                              • Instruction Fuzzy Hash: 14D11032D40207DADB288F68CA57FBAB7B0FF05720F24451DE905AB290DB759D82EB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _strrchr
                              • String ID: Stop$g:\zcsd\xzpublic\xzpublic\xzbase\http\mmcurl.cpp
                              • API String ID: 3213747228-2130820020
                              • Opcode ID: 464ff4ca44c27c647f83a8da7d1ca10ed4693be1998859144f5998a1817afff8
                              • Instruction ID: 6db90bc7e339b0f05b6a715ea0991860ed4b18275b895d557987b722f83eab87
                              • Opcode Fuzzy Hash: 464ff4ca44c27c647f83a8da7d1ca10ed4693be1998859144f5998a1817afff8
                              • Instruction Fuzzy Hash: 29D10230B00244AFEB54DFA8CC85B9DBBB1BF85310F148128E915AB3D2DB75E945EB91
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00F5C981
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00F5C9AC
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F5C9ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: invalid type specifier
                              • API String ID: 1173841540-1382033351
                              • Opcode ID: f1a4be5ba54b63a89abd6dc9837afe154a67daa81a7d54e49cd988fd2b160be1
                              • Instruction ID: 9850b572182a7dc14cc7797e8cae2ecbdd4706a39ff518113815543472315923
                              • Opcode Fuzzy Hash: f1a4be5ba54b63a89abd6dc9837afe154a67daa81a7d54e49cd988fd2b160be1
                              • Instruction Fuzzy Hash: 02D12DB5D042498FCB15CFA8C880ADDFBF5BF49310F14829AD85AA7342D734A989DF90
                              APIs
                              • _strpbrk.LIBCMT ref: 00FCF3A7
                              • _free.LIBCMT ref: 00FCF4C4
                                • Part of subcall function 00FB6756: IsProcessorFeaturePresent.KERNEL32(00000017,00FB6728,00000016,00FBCA5B,0000002C,00FFF1E8,00FCDA8F,?,?,?,00FB6735,00000000,00000000,00000000,00000000,00000000), ref: 00FB6758
                                • Part of subcall function 00FB6756: GetCurrentProcess.KERNEL32(C0000417,00FBCA5B,00000016,00FC6F47), ref: 00FB677A
                                • Part of subcall function 00FB6756: TerminateProcess.KERNEL32(00000000), ref: 00FB6781
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              • Opcode ID: cce4fac394f90a233da062968b7d4018cdc495cc5be0f769d60417158563eb6b
                              • Instruction ID: 00f337e8fa49640cb2469035174ba79269a694af4db965e5b6beaf260d85c92f
                              • Opcode Fuzzy Hash: cce4fac394f90a233da062968b7d4018cdc495cc5be0f769d60417158563eb6b
                              • Instruction Fuzzy Hash: 4B518075E0020AAFDF14DFA8C982AAEF7B6EF48310F24417EE444E7341D6759A059B50
                              APIs
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588B3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588E3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F588EE
                              Strings
                              • Unknown exception in logger, xrefs: 00F5877E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_init_in_situ
                              • String ID: Unknown exception in logger
                              • API String ID: 3366076730-1706402959
                              • Opcode ID: c6a181c023812391a2b11c1bb435d0f6170a7133da29b5d7e1dc8b90fa957d23
                              • Instruction ID: 617548737b792c50561d97b4ab400552e34b56417b9c14583b490a480dac1b6d
                              • Opcode Fuzzy Hash: c6a181c023812391a2b11c1bb435d0f6170a7133da29b5d7e1dc8b90fa957d23
                              • Instruction Fuzzy Hash: 9051F4B1900744DFEB20DF64CC49B9ABBF0EF04714F04854CE559AB281DB79A948DF91
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe,00000104), ref: 00FC4873
                              • _free.LIBCMT ref: 00FC493E
                              • _free.LIBCMT ref: 00FC4948
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\Public\Bilite\Axialis\RuntimeBrokers.exe
                              • API String ID: 2506810119-2871517531
                              • Opcode ID: 2c6fa6508c42b566f777df74a7c0870a2e2d7939c7d980059285dbf5fa409f43
                              • Instruction ID: a1d04f3aad8eb7ff7419786e527f27bb4e7f4cd4b1b7538d645ed21d9553b377
                              • Opcode Fuzzy Hash: 2c6fa6508c42b566f777df74a7c0870a2e2d7939c7d980059285dbf5fa409f43
                              • Instruction Fuzzy Hash: 23318171E00259AFDB21DB99DD92E9EBBE8EF85320F10406AF90497241D6756E40EF50
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C990D09
                                • Part of subcall function 6C9DE380: __EH_prolog3.LIBCMT ref: 6C9DE387
                                • Part of subcall function 6C97BCF3: GetDlgCtrlID.USER32(?), ref: 6C97BCFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3$Ctrl
                              • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                              • API String ID: 3879667756-2016111687
                              • Opcode ID: 0b883d813d06ce3885614ca659af27aaa918bce3521c1c441d05bde69f556b39
                              • Instruction ID: 5545fbc9a6bc9848c974067148c9f01fc443e8baca838bf641c49d1f35f6ae69
                              • Opcode Fuzzy Hash: 0b883d813d06ce3885614ca659af27aaa918bce3521c1c441d05bde69f556b39
                              • Instruction Fuzzy Hash: D221F171A0024AABCF00DFA4C890AFEB734BF65318F140528D82137790DB30EE05CBA1
                              APIs
                              • ___std_exception_copy.LIBVCRUNTIME ref: 00F5D21C
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 00F5D247
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F5D27D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throw___std_exception_copy___std_exception_destroy
                              • String ID: invalid type specifier
                              • API String ID: 1173841540-1382033351
                              • Opcode ID: a34e031d03102cbf8146e233e583bbccb73f3ba372acf1febf3127e64e35cae4
                              • Instruction ID: bc6c348e9f36156a5712092cec8d6db3f196eb798a499e81a45a0ba2bccfc28c
                              • Opcode Fuzzy Hash: a34e031d03102cbf8146e233e583bbccb73f3ba372acf1febf3127e64e35cae4
                              • Instruction Fuzzy Hash: 673128B1C092C99EDB21DF90CC407EEFFF9AF56311F180196D90176242D7789688E755
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CursorH_prolog3
                              • String ID: Control Panel\Desktop$MenuShowDelay
                              • API String ID: 634316419-702829638
                              • Opcode ID: c2c0a397dfcccfd006c5aec1363c8f7af7f71c741248dc8ef235defde3955210
                              • Instruction ID: a17219a120e46f7c3d125d01c9d12e4846dcf799575327a18ab18e7a86e042bd
                              • Opcode Fuzzy Hash: c2c0a397dfcccfd006c5aec1363c8f7af7f71c741248dc8ef235defde3955210
                              • Instruction Fuzzy Hash: E1216D31B0160ACFCF04DB64C994ABD7BB5AF69318F180569D925EBB80EB34ED05CB91
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C990DE7
                                • Part of subcall function 6C9DE380: __EH_prolog3.LIBCMT ref: 6C9DE387
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3
                              • String ID: %TsMFCToolBarParameters$LargeIcons$MFCToolBars
                              • API String ID: 431132790-953485693
                              • Opcode ID: 3f2848648193084f6500f2542f3e6d8fbee87c43d04283500cbe0ed955db804e
                              • Instruction ID: 21f51bb64d9b3263a23a595f58a95709ff9c26f6a6ef7f6740086272a602b6c0
                              • Opcode Fuzzy Hash: 3f2848648193084f6500f2542f3e6d8fbee87c43d04283500cbe0ed955db804e
                              • Instruction Fuzzy Hash: 64216874A0024A9BCF04DFA4C894AFEB775BF68308F140468D515BB781DB38EA09CBA1
                              APIs
                              • __EH_prolog3_catch.LIBCMT ref: 00F99930
                              • make_shared.LIBCPMT ref: 00F9997B
                                • Part of subcall function 00F99570: __EH_prolog3.LIBCMT ref: 00F99577
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: H_prolog3H_prolog3_catchmake_shared
                              • String ID: MOC$RCC
                              • API String ID: 1798871530-2084237596
                              • Opcode ID: 2fcec2779842d22a0b206d4cf3383f11a5a4263a5ea33ad5aaca25b6fcd52af1
                              • Instruction ID: abd631bdf879f35625f17cc672af376b21b44e3e300e8c7eb300278090e47709
                              • Opcode Fuzzy Hash: 2fcec2779842d22a0b206d4cf3383f11a5a4263a5ea33ad5aaca25b6fcd52af1
                              • Instruction Fuzzy Hash: 44F04F74915114DFEF92AF58C84259C3B64EF15700B06409AF4105B232CBBD9E41EFA2
                              APIs
                              • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00FB0248
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FB025A
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FB0268
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                              • String ID: pScheduler
                              • API String ID: 1381464787-923244539
                              • Opcode ID: 25bd215a0ee9c91491ae4edfecb27cd51a03ae37b10e33f944c1de377d49cd7f
                              • Instruction ID: ab713185ce576c81542410cfed55bbcb9f16efa253b08f481a15e63acdff754b
                              • Opcode Fuzzy Hash: 25bd215a0ee9c91491ae4edfecb27cd51a03ae37b10e33f944c1de377d49cd7f
                              • Instruction Fuzzy Hash: 90F0EC31A01208ABCF14FFA5DC56DEF73795E40700B10856DB54257192DF74E94DEA41
                              APIs
                              • swprintf.LIBCMT ref: 6C9D8A58
                              • GetFileAttributesW.KERNEL32(00000104,AFX,00000000,00000104,00000104,000000FF), ref: 6C9D8A63
                              • GetTempFileNameW.KERNEL32(000000FF,00000104,00000000,00000104,?,?,6C9B16C9,?,AFX,00000000,00000104,00000104,000000FF), ref: 6C9D8A7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: File$AttributesNameTempswprintf
                              • String ID: %s%s%X.tmp
                              • API String ID: 2659213859-596088238
                              • Opcode ID: fb26a58f903abf05eebd10894ca7de18a233ecec219a56e1b0935d76fc8b9895
                              • Instruction ID: 6e44a94ab51fb24c6327ebe646be8b4c1d720def6d86ce45799feb9039d9386e
                              • Opcode Fuzzy Hash: fb26a58f903abf05eebd10894ca7de18a233ecec219a56e1b0935d76fc8b9895
                              • Instruction Fuzzy Hash: 8FF08C3640024AFBCF029FA0CD06ECE3B7AFF05369F108150FA11A48A0C732D660BB44
                              APIs
                              • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 00FAA639
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FAA64C
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAA65A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                              • String ID: pContext
                              • API String ID: 1990795212-2046700901
                              • Opcode ID: 597279af254ff99d644d398b31ea85f2eacfb9682dfe24996bc899036473d223
                              • Instruction ID: f78bc20b1eb17c4f9fb8bbd7cc955493189b3c721e5937271becaaef22937af2
                              • Opcode Fuzzy Hash: 597279af254ff99d644d398b31ea85f2eacfb9682dfe24996bc899036473d223
                              • Instruction Fuzzy Hash: 2DE0D835B002086BCF04FB69DC4AC9FB76D9FC57607144025EA12A33A1DF78E949EAD2
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FA1D59
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA1D67
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pScheduler$version
                              • API String ID: 1687795959-3154422776
                              • Opcode ID: 3982ae1cf9e72e14c081bf2d7b3c5519c037a2940e68222285381da5edbe02d6
                              • Instruction ID: 479f89a4a35c417dfd98542aea23d203e28183e4aed8453f15213e1f7ec5e20b
                              • Opcode Fuzzy Hash: 3982ae1cf9e72e14c081bf2d7b3c5519c037a2940e68222285381da5edbe02d6
                              • Instruction Fuzzy Hash: DEE0863094020CBACF24FF56CC0AFDD37687B01354F108421B912550A1D7B8D699FA42
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              • Opcode ID: 96a269de09d9680867b794114bf0d318214a916deeafb4c3a33bbf21dd94a7a3
                              • Instruction ID: e69bd1c94ea3271be0cd9b016480e2474c6bc1f6472c910a43068b86bf81db15
                              • Opcode Fuzzy Hash: 96a269de09d9680867b794114bf0d318214a916deeafb4c3a33bbf21dd94a7a3
                              • Instruction Fuzzy Hash: AAA15972D0438B9FDB21CE18C992FADBBB5EF11368F18416DD4449B281D638AD41EB52
                              APIs
                              • __Mtx_unlock.LIBCPMT ref: 00F8BB61
                              • __Mtx_unlock.LIBCPMT ref: 00F8BB73
                              • __Mtx_unlock.LIBCPMT ref: 00F8BD9B
                              • __Mtx_unlock.LIBCPMT ref: 00F8BC5C
                                • Part of subcall function 00F99E53: std::_Throw_Cpp_error.LIBCPMT ref: 00F99E7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$Cpp_errorThrow_std::_
                              • String ID:
                              • API String ID: 787541473-0
                              • Opcode ID: a76085e0a7a63d7c5d6c0b36c5f934715be6408d8c589583c8fa14311324526c
                              • Instruction ID: d3daded972144aaacc16ec43b096e52f080a109b1d3c58d1fffda99360c65b88
                              • Opcode Fuzzy Hash: a76085e0a7a63d7c5d6c0b36c5f934715be6408d8c589583c8fa14311324526c
                              • Instruction Fuzzy Hash: FAA15DB1E00209EFDF04EF68C955BAEB7B5BF49304F188169E805AB351DB35E904DBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$CountTick
                              • String ID:
                              • API String ID: 1506932912-0
                              • Opcode ID: 1be9754be675b6c806018c3f056ef555ccfd2eb77c28362fe92173cb76559648
                              • Instruction ID: 9f5828b718250f49df9bb344386f2ffa1f08760efe710771933f8095f3103852
                              • Opcode Fuzzy Hash: 1be9754be675b6c806018c3f056ef555ccfd2eb77c28362fe92173cb76559648
                              • Instruction Fuzzy Hash: 5C813BB0E00209DFDF14DF68D945BAEB7B4BF04314F1581A9E80997352DB35EA44EBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AdjustPointer
                              • String ID:
                              • API String ID: 1740715915-0
                              • Opcode ID: ec4fc5a649edee7df92b462248a34cb208027fa917f6054144b021a39871ad74
                              • Instruction ID: 32e35e66c30fa9984461266847c1ee861da80b2466081d1980b7f9951578ef38
                              • Opcode Fuzzy Hash: ec4fc5a649edee7df92b462248a34cb208027fa917f6054144b021a39871ad74
                              • Instruction Fuzzy Hash: 8551E5725066079FEF158F98C940BAA77A8FF04718F28052EE81577A90E731D8C5CB51
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 1b49d14b42a3094a1c13efcebf696731bd4f7a862be9cae34a15c644ecf4084f
                              • Instruction ID: 1e0e96ebcf67b28bc268464122d2a02269b014a38bd9af257ee8e8549034106b
                              • Opcode Fuzzy Hash: 1b49d14b42a3094a1c13efcebf696731bd4f7a862be9cae34a15c644ecf4084f
                              • Instruction Fuzzy Hash: 6941EA31E001156ADB216BB98C87BAE3BA6EF05378F2C0617F418D6391DF7C89417661
                              APIs
                              • __Cnd_destroy_in_situ.LIBCPMT ref: 00F8F753
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00F8F7ED
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00F8F7F6
                              • __Mtx_destroy_in_situ.LIBCPMT ref: 00F8F814
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_destroy_in_situ$Cnd_destroy_in_situ
                              • String ID:
                              • API String ID: 3308344742-0
                              • Opcode ID: 1cd71338fc5b350cce3ff33723f634e47472c13547aad063c20b4b320aa62dd5
                              • Instruction ID: f0977c3c8e018ad8c7de0477768043337da26a0aa2d8858819aa27a1c187e9bc
                              • Opcode Fuzzy Hash: 1cd71338fc5b350cce3ff33723f634e47472c13547aad063c20b4b320aa62dd5
                              • Instruction Fuzzy Hash: 6E411471A00609AFEB14EF24DC45B99F7A8FF04720F14823AE418C7681EB79F918DB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Mtx_unlock$CloseEventHandle
                              • String ID:
                              • API String ID: 986198054-0
                              • Opcode ID: 30d7520733518a0cda31ff90c11716b130317c66f6f951e9a3dec7376a0b85ca
                              • Instruction ID: 8c3f011221213a74411982c8a49396093429466562345bf7e2129d4b6f8af1d7
                              • Opcode Fuzzy Hash: 30d7520733518a0cda31ff90c11716b130317c66f6f951e9a3dec7376a0b85ca
                              • Instruction Fuzzy Hash: EC41E471900205CFEB14EF18CC85B9AB7A4FF05714F1949A9E81997382DB79ED04DBA1
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9cd4427a363f345cd82784d33cc521cd3462e9a37b960ccb8ec9b80b704174ba
                              • Instruction ID: 8a3be9a5b69a3d75b8d01c4dca0dc0924cfa0b713d3ee3abb4d66bb3a697ea32
                              • Opcode Fuzzy Hash: 9cd4427a363f345cd82784d33cc521cd3462e9a37b960ccb8ec9b80b704174ba
                              • Instruction Fuzzy Hash: 7041F8B2A00704AFE725AF79CC41BEABBE9EB48710F14462AF115DB2C5D7B599409B80
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EmptyRect
                              • String ID:
                              • API String ID: 2270935405-0
                              • Opcode ID: 2d4c461f96bc07dab84d2338e8f5dd6b0c90e0cc6be24097fee2d8c289dbd314
                              • Instruction ID: 4f3d8ac72d6ecf9dce0f691095113e0b23a8693c41716b7a7b264541bec04e12
                              • Opcode Fuzzy Hash: 2d4c461f96bc07dab84d2338e8f5dd6b0c90e0cc6be24097fee2d8c289dbd314
                              • Instruction Fuzzy Hash: 0251C7B09112258FCB648F19C4C46E93BA8BB09B54F1842BBED1CCFA4AC7B09145DFE1
                              APIs
                              • GetPrivateProfileStringW.KERNEL32(?,?,6CB18060,?,00001000,?), ref: 6C97AA51
                                • Part of subcall function 6C97ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C97A828,?,00000000), ref: 6C97AE3E
                              • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,195F0026,?,?,?,?,6CACC0C1,000000FF), ref: 6C97A99F
                              • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6CACC0C1,000000FF), ref: 6C97A9DB
                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,6CACC0C1,000000FF), ref: 6C97A9F5
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseQueryValue$PrivateProfileString
                              • String ID:
                              • API String ID: 2114517702-0
                              • Opcode ID: e8c2d7d80727f4eeb9cda13b468d6b6a9ba985483e770f86dc3a162bf139c59d
                              • Instruction ID: 24b47ad9f7a0afd702e46c095974d736b479e89c99de160ca2ad8649279eb656
                              • Opcode Fuzzy Hash: e8c2d7d80727f4eeb9cda13b468d6b6a9ba985483e770f86dc3a162bf139c59d
                              • Instruction Fuzzy Hash: C4415D71A00269DFEF25CB25CC48AEEB7B9EF55314F0001AAE419A3681DB30DE55CF61
                              APIs
                              • GetCursorPos.USER32(?), ref: 6C99ADB1
                              • ScreenToClient.USER32(000000FF,?), ref: 6C99ADC1
                              • PtInRect.USER32(000000D8,?,?), ref: 6C99ADD4
                              • PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C99ADEF
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                               • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                               • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ClientCursorMessagePostRectScreen
                              • String ID:
                              • API String ID: 1913696736-0
                              • Opcode ID: 70c0b9cac886246118b23f6619da938c7094c97e6cac1587edf70b2134c1b433
                              • Instruction ID: c6d47cd5db7d9368f0a961ae65a79fd916b86e87e8bf74810bfbcc498efa8c18
                              • Opcode Fuzzy Hash: 70c0b9cac886246118b23f6619da938c7094c97e6cac1587edf70b2134c1b433
                              • Instruction Fuzzy Hash: 6531C535F00219EFCF119F64C844AAE7BBDFF49358F240165E829A76A0DF30D9018B94
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000001,7FFFFFFF,?,00000001,00000000,?,00000001,00000000,00000000), ref: 00FCD57B
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FCD604
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FCD616
                              • __freea.LIBCMT ref: 00FCD61F
                                • Part of subcall function 00FC7A29: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FCA0DD,?,?,?,?,?,00FBCAEB,00000000), ref: 00FC7A5B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                              • String ID:
                              • API String ID: 2652629310-0
                              • Opcode ID: 2f177ecf05e77434774b4aebdd5b48f857a40b6c896864fb6ce58db5d1db76d8
                              • Instruction ID: e8d2d2ed22ee27075423b646686c73f394106af445f2b5326c04359dbfe88406
                              • Opcode Fuzzy Hash: 2f177ecf05e77434774b4aebdd5b48f857a40b6c896864fb6ce58db5d1db76d8
                              • Instruction Fuzzy Hash: 2531E572A0010AABDF249F65DD46EAE7BA5EB40714F08413DFC09D7191EB39CD54EB90
                              APIs
                                • Part of subcall function 6C97BBE2: GetWindowLongW.USER32(F44D8BF4,000000F0), ref: 6C97BBEF
                              • GetClientRect.USER32(?,?), ref: 6C96E9F7
                              • IsMenu.USER32(00000000), ref: 6C96EA33
                              • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C96EA4B
                              • GetClientRect.USER32(?,?), ref: 6C96EA93
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$ClientWindow$AdjustLongMenu
                              • String ID:
                              • API String ID: 3435883281-0
                              • Opcode ID: 096b244171479c95d208d18033acddae7d23fb4ef89ae1c22a88257c16ec132f
                              • Instruction ID: 9861979f215223ab481fc1c40f40b81c650acb3b54e73ba745af83b94a59abfd
                              • Opcode Fuzzy Hash: 096b244171479c95d208d18033acddae7d23fb4ef89ae1c22a88257c16ec132f
                              • Instruction Fuzzy Hash: 10318531A01209AFDB10DBA5CD84EBFB7BDFF55208F154119E901A7A80EB30E9448BE0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Cnd_destroy_in_situCnd_signalMtx_destroy_in_situMtx_unlock
                              • String ID:
                              • API String ID: 876560159-0
                              • Opcode ID: bd1d98cf735dbf3da05999bafcaced84d9854ff714cf0a363d11391e5bccfd4c
                              • Instruction ID: 29f82e00d392f6ec5481965c5a97c560e8986ec038cb794d896d2d147234d468
                              • Opcode Fuzzy Hash: bd1d98cf735dbf3da05999bafcaced84d9854ff714cf0a363d11391e5bccfd4c
                              • Instruction Fuzzy Hash: AE21BB71D04304EAEB21E7649C06B9BB79CDF11714F15C46AF80992242EB79E908E6F3
                              APIs
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000003,?,?,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 00F570CD
                              • GetLastError.KERNEL32(?,?,?,?,?), ref: 00F570DE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000003,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00F570FB
                              • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 00F57124
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 937f560e134f3f42d3d7dda4396323f924b00d0dc95f28ce4eddf4f7175348a9
                              • Instruction ID: 6aaa11934e9d5134192d74fac1a86f9973bf20f3da3cc6e2d947b30af50d0b71
                              • Opcode Fuzzy Hash: 937f560e134f3f42d3d7dda4396323f924b00d0dc95f28ce4eddf4f7175348a9
                              • Instruction Fuzzy Hash: AE21F775600306BBDB206F94EC89F9B7B69EF05351F204125FF069B190E771BD189690
                              APIs
                              • __EH_prolog3_GS.LIBCMT ref: 6CA6AC13
                              • CoTaskMemFree.OLE32(?,?,?,?,?,00000000,?,00000040,6C9E729C,?,00000000,00000000,0000005C), ref: 6CA6ACB7
                              • CoTaskMemFree.OLE32(?,?,?,00000000,?,00000040,6C9E729C,?,00000000,00000000,0000005C), ref: 6CA6ACF7
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,00000003,000000FF,00000000,?,00000000,?,00000040,6C9E729C,?,00000000,00000000), ref: 6CA6AD15
                                • Part of subcall function 6C9609A7: __EH_prolog3.LIBCMT ref: 6C9609AE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: FreeTask$CreateGlobalH_prolog3H_prolog3_Stream
                              • String ID:
                              • API String ID: 655328227-0
                              • Opcode ID: 1e8c3a734d7335b1d80780660b8cdb80fb7ac54905a2ee20ccd7cd33dae57c4d
                              • Instruction ID: a295e88a3454a09e0cc049ec5769cfa0444fd2236059c3a6569f408efef47483
                              • Opcode Fuzzy Hash: 1e8c3a734d7335b1d80780660b8cdb80fb7ac54905a2ee20ccd7cd33dae57c4d
                              • Instruction Fuzzy Hash: 8431C471A0522DABDF119F65CC99BEEB779BF20718F000195E505A7B90CB319E84DFA0
                              APIs
                              • GetClientRect.USER32(?,?), ref: 6C99CCD9
                              • PtInRect.USER32(?,?,?), ref: 6C99CD03
                                • Part of subcall function 6C99A972: ScreenToClient.USER32(?,?), ref: 6C99A98E
                                • Part of subcall function 6C99A972: GetParent.USER32(?), ref: 6C99A99E
                                • Part of subcall function 6C99A972: GetClientRect.USER32(?,?), ref: 6C99AA31
                                • Part of subcall function 6C99A972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99AA43
                                • Part of subcall function 6C99A972: PtInRect.USER32(?,?,?), ref: 6C99AA53
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C99CD2C
                              • SendMessageW.USER32(?,00000202,?,?), ref: 6C99CD4B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                              • String ID:
                              • API String ID: 2689702638-0
                              • Opcode ID: 648d1a6ac1ed16ed7df3805d6fe1edc5ae293249d0b215823b6e00c6b1b8dfd3
                              • Instruction ID: 81596ffb316d44220d40caf14da45e7f47cb6ca5a9c903bbe6e101c64afc224c
                              • Opcode Fuzzy Hash: 648d1a6ac1ed16ed7df3805d6fe1edc5ae293249d0b215823b6e00c6b1b8dfd3
                              • Instruction Fuzzy Hash: 6131D031600618EBDF12EF65CC049AE7FBAFF49714F14412AF85997660EB31E910CBA0
                              APIs
                              • RedrawWindow.USER32(00000041,?,?,00000041), ref: 6C964B02
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 6C964B45
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: InflateRectRedrawWindow
                              • String ID:
                              • API String ID: 3190756164-0
                              • Opcode ID: 5f12b7d4a3d455d303fc3ffe40594023c0939d463c51f62f56fb83ce04bef2e9
                              • Instruction ID: eee87a48c1d8a96cf4a88947c96ca4d94481b463cd2aeb74e141fba9c425a8dc
                              • Opcode Fuzzy Hash: 5f12b7d4a3d455d303fc3ffe40594023c0939d463c51f62f56fb83ce04bef2e9
                              • Instruction Fuzzy Hash: A721717560021EAFCF10DFA5CD84DAE77B9EB06328B204626B525A79D0CB36D908CB61
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bbf7eebe9635db937819145be26b2a90a0f6d21463ed893c29533ee91dc29202
                              • Instruction ID: 95050c9ad17071971ce62c108426a2be8fd571dab347d2475dcebc8c744e0756
                              • Opcode Fuzzy Hash: bbf7eebe9635db937819145be26b2a90a0f6d21463ed893c29533ee91dc29202
                              • Instruction Fuzzy Hash: 4621A171244606AFDB219FE6CD808DB7BB9AF413687089615F82997A50EF30ECD68790
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d0a3b870be258ed2f75426d78616873787cd3412ed01397ecea8e5a23626587
                              • Instruction ID: 7182372cf6a812b5149607261632e0ab73034996d21921bbbd0caefdf725e3a1
                              • Opcode Fuzzy Hash: 7d0a3b870be258ed2f75426d78616873787cd3412ed01397ecea8e5a23626587
                              • Instruction Fuzzy Hash: 731120B1710648AFDB215BE58E05B9B7BBCFB427A4F190529E511F7990E7708C84C760
                              APIs
                              • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00FAFFFB
                              • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00FAFFAC
                                • Part of subcall function 00FA6BE5: SafeRWList.LIBCONCRT ref: 00FA6BF6
                              • SafeRWList.LIBCONCRT ref: 00FAFFF1
                              • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00FB0011
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                              • String ID:
                              • API String ID: 336577199-0
                              • Opcode ID: d2813a863a5bf52350a2a548deebbeb0f4aeb1c9ed8b06011c63c7ecc84831f9
                              • Instruction ID: e9979781c0c8279b4d9a38327f4a1be5034631f8638634fd104cf8078dfc8fa0
                              • Opcode Fuzzy Hash: d2813a863a5bf52350a2a548deebbeb0f4aeb1c9ed8b06011c63c7ecc84831f9
                              • Instruction Fuzzy Hash: 8121957260420E9FC704DF24C881FA5FBA9BB96714F1492A6E4054F142DB35E999DBD0
                              APIs
                              • SetEvent.KERNEL32(?,00000000), ref: 00FAF736
                              • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00FAF71E
                                • Part of subcall function 00FA77EF: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00FA7810
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAF767
                              • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00FAF790
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                              • String ID:
                              • API String ID: 2630251706-0
                              • Opcode ID: 6fc8a05eb7c13c1afb820b84f96e11a855cf6971029bd0c12d8479e57d3545e5
                              • Instruction ID: 9e44d25d7558731d29351e49a332d055a7b9e8e34bca486657b86c116e0dba36
                              • Opcode Fuzzy Hash: 6fc8a05eb7c13c1afb820b84f96e11a855cf6971029bd0c12d8479e57d3545e5
                              • Instruction Fuzzy Hash: C0112B71700204ABCB44AFA5DC89EAE7769EF45330B144075FA16DB292CF74DC05EA90
                              APIs
                              • KillTimer.USER32(?,0000EC17), ref: 6C99C9D5
                              • KillTimer.USER32(?,0000EC18), ref: 6C99C9E3
                              • IsWindow.USER32(?), ref: 6C99CA53
                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C99CA7A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: KillTimer$MessagePostWindow
                              • String ID:
                              • API String ID: 3970157719-0
                              • Opcode ID: cd6b2369a7120dd38c13189bac6ae7ff8f43518293b36b0992f921d2bfad8b99
                              • Instruction ID: b97a73119f4c84cee5c39b8205db14e5624456b466d697d81dff96d33b66977f
                              • Opcode Fuzzy Hash: cd6b2369a7120dd38c13189bac6ae7ff8f43518293b36b0992f921d2bfad8b99
                              • Instruction Fuzzy Hash: 9821CD32701215AFEF04AF71CC85B99BBB9BF89354F140179E906AB691DF70E800CB90
                              APIs
                              • GetClientRect.USER32 ref: 6C99CDE5
                              • PtInRect.USER32(?,?,?), ref: 6C99CDFE
                                • Part of subcall function 6C99A972: ScreenToClient.USER32(?,?), ref: 6C99A98E
                                • Part of subcall function 6C99A972: GetParent.USER32(?), ref: 6C99A99E
                                • Part of subcall function 6C99A972: GetClientRect.USER32(?,?), ref: 6C99AA31
                                • Part of subcall function 6C99A972: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C99AA43
                                • Part of subcall function 6C99A972: PtInRect.USER32(?,?,?), ref: 6C99AA53
                              • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C99CE34
                              • SendMessageW.USER32(?,00000201,?,?), ref: 6C99CE53
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$Client$PointsWindow$MessageParentScreenSend
                              • String ID:
                              • API String ID: 2689702638-0
                              • Opcode ID: 4aed47439ba077935be2e3d5680cd57143cfa09be3588807aeb9ba31b9ab7eb3
                              • Instruction ID: 202f098e9e038fdb1cc2a4999c9c798e6b7915c80f82fafc3ca2803d442bd24b
                              • Opcode Fuzzy Hash: 4aed47439ba077935be2e3d5680cd57143cfa09be3588807aeb9ba31b9ab7eb3
                              • Instruction Fuzzy Hash: D2218031A00209EBDF159FA1CC05AFE7BB6FF48704F10811AF81662650EB71E960DBA0
                              APIs
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C96F01C
                              • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C96F046
                              • GetCapture.USER32 ref: 6C96F05C
                              • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C96F06B
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: MessageSend$Capture
                              • String ID:
                              • API String ID: 1665607226-0
                              • Opcode ID: 5c59cee268c130f37890696941aec5daf9542a4ae724392ad9e63cf02912645d
                              • Instruction ID: 287303344fd8169e6a3520c4bc61d3989a285b08f2d954c70042562ff5d535ab
                              • Opcode Fuzzy Hash: 5c59cee268c130f37890696941aec5daf9542a4ae724392ad9e63cf02912645d
                              • Instruction Fuzzy Hash: 2F115E76301619BFFE212B218C89FBA766EFB48B88F140064F64557AD5DBA09C1096A0
                              APIs
                              • GetObjectW.GDI32(?,0000000C,?), ref: 6C96EC89
                              • SetBkColor.GDI32(?,?), ref: 6C96EC93
                              • GetSysColor.USER32(00000008), ref: 6C96ECA3
                              • SetTextColor.GDI32(?,?), ref: 6C96ECAB
                                • Part of subcall function 6C9802A7: GetWindowLongW.USER32(?,000000F0), ref: 6C9802C2
                                • Part of subcall function 6C9802A7: GetClassNameW.USER32(?,?,0000000A), ref: 6C9802D7
                                • Part of subcall function 6C9802A7: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,?,?,?,?,6C967B06,?,?), ref: 6C9802EE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Color$ClassCompareLongNameObjectStringTextWindow
                              • String ID:
                              • API String ID: 3274569906-0
                              • Opcode ID: 83f51f4f8324960fdc4241f807563ac598eafb4722cddf8c05fb13e787178ee0
                              • Instruction ID: 19f3bc004a52b97c0d5908b61a4edb226c59d3424ce36fdd68069aa5eae4042f
                              • Opcode Fuzzy Hash: 83f51f4f8324960fdc4241f807563ac598eafb4722cddf8c05fb13e787178ee0
                              • Instruction Fuzzy Hash: BA01AD75611508ABAB11DF6ACD45AAF37BDAF0A218F608514F921D3AC0CB34D90086E1
                              APIs
                              • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C97A8B6
                              • RegCloseKey.ADVAPI32(00000000), ref: 6C97A8BF
                              • swprintf.LIBCMT ref: 6C97A8DC
                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C97A8ED
                                • Part of subcall function 6C97ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C97A828,?,00000000), ref: 6C97AE3E
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Close$PrivateProfileStringValueWriteswprintf
                              • String ID:
                              • API String ID: 581541481-0
                              • Opcode ID: 41c7e7f7c494b19ad1ceacbd0372cd38dfdd7219c0bee22ce50939e6a0627da0
                              • Instruction ID: 18c5fdae5dbe472cbf09a0a8a8a85bfdb59972203cc4f7324d48553eb0f0c3eb
                              • Opcode Fuzzy Hash: 41c7e7f7c494b19ad1ceacbd0372cd38dfdd7219c0bee22ce50939e6a0627da0
                              • Instruction Fuzzy Hash: 8B01C432600209BBDB21DB64CC45FEF73BDEF59618F100469F611A7580DB74ED058760
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00FC93BF,?,00000000,00000000,00000000,?,00FC96EB,00000006,FlsSetValue), ref: 00FC944A
                              • GetLastError.KERNEL32(?,00FC93BF,?,00000000,00000000,00000000,?,00FC96EB,00000006,FlsSetValue,00FE51F0,FlsSetValue,00000000,00000364,?,00FC6F96), ref: 00FC9456
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FC93BF,?,00000000,00000000,00000000,?,00FC96EB,00000006,FlsSetValue,00FE51F0,FlsSetValue,00000000), ref: 00FC9464
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              • Opcode ID: 79081758f1fcd43d4b54cf42d694ff8f84ed5074a709a12246dcc211565e6fdb
                              • Instruction ID: eb2f15ef4c8b049feba785c358536207a9839a9a5019798e2a06e3326a7f3fff
                              • Opcode Fuzzy Hash: 79081758f1fcd43d4b54cf42d694ff8f84ed5074a709a12246dcc211565e6fdb
                              • Instruction Fuzzy Hash: BD012432A0A22BEBC7258A78AE4DF563799AB417727208229E947D7140D660D806E7E0
                              APIs
                              • GetDlgCtrlID.USER32(?), ref: 6C966FE7
                              • GetScrollPos.USER32(?,00000002), ref: 6C966FFA
                              • SendMessageW.USER32(?,00000114,?,?), ref: 6C967034
                              • SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C967052
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Scroll$CtrlMessageSend
                              • String ID:
                              • API String ID: 1219558039-0
                              • Opcode ID: a4c9d9d53ea2afaf0a2543e88b2468cf18caa49d09b11ced262a8b9d48520983
                              • Instruction ID: ec878d0325461aa2f5d345c5a06cd419b2185de09731d467aa2ba7296f81aaec
                              • Opcode Fuzzy Hash: a4c9d9d53ea2afaf0a2543e88b2468cf18caa49d09b11ced262a8b9d48520983
                              • Instruction Fuzzy Hash: 6611CE72700218EFEF019FA9CC49EAE7B75FB4A740F010479F985AB591D670AC10DBA0
                              APIs
                              • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00FB2097
                              • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00FB20AB
                              • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00FB20C3
                              • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00FB20DB
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                              • String ID:
                              • API String ID: 78362717-0
                              • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                              • Instruction ID: a521c1166c8cfeaba95276a5de103af3ef835809ff2f1fb3d76def27359360af
                              • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                              • Instruction Fuzzy Hash: 9F01A236700514A7CB66BE5A8C41EEF779DAF953A0F000555FC12A7282DA74ED00EBA0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: OffsetRect
                              • String ID:
                              • API String ID: 177026234-0
                              • Opcode ID: 8f8665409cf1ad9c73376b8cccc711d6ec7285be5e578cc7349808d03be8c2ea
                              • Instruction ID: 51e0b056f7d1ac40170017ab445e82c6fe8654961139f9a2e59d60b932db655b
                              • Opcode Fuzzy Hash: 8f8665409cf1ad9c73376b8cccc711d6ec7285be5e578cc7349808d03be8c2ea
                              • Instruction Fuzzy Hash: C4010076601114AFCF509FA9C889ECA7FBCEF86755B00816AFD09DB609D630E844CBA0
                              APIs
                              • InflateRect.USER32(?,00000002,00000002), ref: 6C9944EF
                              • InvalidateRect.USER32(?,?,00000001), ref: 6C994503
                              • UpdateWindow.USER32(?), ref: 6C99450C
                              • SetRectEmpty.USER32(?), ref: 6C994513
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Rect$EmptyInflateInvalidateUpdateWindow
                              • String ID:
                              • API String ID: 3040190709-0
                              • Opcode ID: f329f6715b9d989aa051c64b58d712f8dd4e9d56f0cad831b57ebaf5c96c6078
                              • Instruction ID: bccba5399f892778ee7433838153a4901cb75b9731177a3288e827630d7e9bcf
                              • Opcode Fuzzy Hash: f329f6715b9d989aa051c64b58d712f8dd4e9d56f0cad831b57ebaf5c96c6078
                              • Instruction Fuzzy Hash: 42018031A00209DFDB10EF69C88AFAB7BF8FB4A325F110679E556E7190D7706904CB50
                              APIs
                              • GetTopWindow.USER32(?), ref: 6C96EED5
                              • GetTopWindow.USER32(00000000), ref: 6C96EF18
                              • GetWindow.USER32(00000000,00000002), ref: 6C96EF3A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window
                              • String ID:
                              • API String ID: 2353593579-0
                              • Opcode ID: 5cf5e0d5c5c622f09d1c4cf4f2c887edf4270239e278ff830b8c31e6579982d9
                              • Instruction ID: 1271bcef295dba0318554dbbfbbefa771aa3f8ed5c8c217d3fc8b2a69dd659c1
                              • Opcode Fuzzy Hash: 5cf5e0d5c5c622f09d1c4cf4f2c887edf4270239e278ff830b8c31e6579982d9
                              • Instruction Fuzzy Hash: FF01A53210551AEBEF035F968C05EDF3B2AAF15355F044010FA2065DA0CB36C975EBD5
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 6C96EE61
                              • GetTopWindow.USER32(00000000), ref: 6C96EE6E
                                • Part of subcall function 6C96EE57: GetWindow.USER32(00000000,00000002), ref: 6C96EEBD
                              • GetTopWindow.USER32(?), ref: 6C96EEA2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Window$Item
                              • String ID:
                              • API String ID: 369458955-0
                              • Opcode ID: 5919c555069d0e066dcb3f901e05267d1df75350a3875c69cbaedd202fd0489c
                              • Instruction ID: dd1f05b4aa6754dc3fa5b819d3a8f133e9106dac7d46b513ff2d792e9ca08409
                              • Opcode Fuzzy Hash: 5919c555069d0e066dcb3f901e05267d1df75350a3875c69cbaedd202fd0489c
                              • Instruction Fuzzy Hash: D3016D31105626ABEF136F6B8C04A8F3B7CAF12BA9F044120FC24A5DD4DB32C92086D1
                              APIs
                              • EnterCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B76B
                              • LeaveCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B79E
                              • SetEvent.KERNEL32(00000000,00F61BBF,01005B90,00FDE390), ref: 00F9B82C
                              • ResetEvent.KERNEL32 ref: 00F9B838
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalEventSection$EnterLeaveReset
                              • String ID:
                              • API String ID: 3553466030-0
                              • Opcode ID: 7c6f113655dcf845b572216f95fb974ea4f810f863e839917823327a3bc76303
                              • Instruction ID: 0e73bef61719e981b2d21b9d52f64e7ec3e8e7a52760f82e72bb3a2109d2f077
                              • Opcode Fuzzy Hash: 7c6f113655dcf845b572216f95fb974ea4f810f863e839917823327a3bc76303
                              • Instruction Fuzzy Hash: B901F239A01614CFDB12DF28F90CDA537A9EB09311B00402EFA86C3314CB79AC04DF94
                              APIs
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00FA7F22
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00FA7F32
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00FA7F42
                              • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 00FA7F56
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Compare_exchange_acquire_4std::_
                              • String ID:
                              • API String ID: 3973403980-0
                              • Opcode ID: 529e0fdd2c016244a3bef5f65bb0f00612f976ece003730d46f4cee600e92fd8
                              • Instruction ID: 2349c2996e11d3698739f0f9ceb3e8c7c408266e70e29363da153858b1206542
                              • Opcode Fuzzy Hash: 529e0fdd2c016244a3bef5f65bb0f00612f976ece003730d46f4cee600e92fd8
                              • Instruction Fuzzy Hash: F6013CB7508249BFCF12AE94DD02DAD3B66BB07360B149415FA1888031C732CB72BBC1
                              APIs
                              • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00F9F4C4
                                • Part of subcall function 00F9E972: ___crtGetTimeFormatEx.LIBCMT ref: 00F9E988
                                • Part of subcall function 00F9E972: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00F9E9A7
                              • GetLastError.KERNEL32 ref: 00F9F4E0
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9F4F6
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9F504
                                • Part of subcall function 00F9E748: SetThreadPriority.KERNEL32(?,?), ref: 00F9E754
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                              • String ID:
                              • API String ID: 1674182817-0
                              • Opcode ID: 5b1828b4e805f9378109a5d1ef0193050ff2b7382b517b95b08d275755e87870
                              • Instruction ID: a5fa1ddea3821367a7ef8fc2e24d868b8bb0a1807cec2c4f58c7e82c452f2c9d
                              • Opcode Fuzzy Hash: 5b1828b4e805f9378109a5d1ef0193050ff2b7382b517b95b08d275755e87870
                              • Instruction Fuzzy Hash: 9FF0A7B29003193AFB30F67A9C0BFBB36DC9B01760F500826B556E6082EDA8E50466B1
                              APIs
                              • RegisterWaitForSingleObject.KERNEL32(?,00000000,00FAF58F,000000A4,000000FF,0000000C), ref: 00F9E6CB
                              • GetLastError.KERNEL32(?,?,?,?,?,00FA4568,?), ref: 00F9E6DA
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E6F0
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E6FE
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                              • String ID:
                              • API String ID: 3803302727-0
                              • Opcode ID: 74da1ef20c48e8f1a20a975a25401a48c16fc3d72c62e5856eacd4e85ff4ae7f
                              • Instruction ID: 85653e7083595cd7c714be3988990df3920af3ce1d1c89cb562890756686f7bb
                              • Opcode Fuzzy Hash: 74da1ef20c48e8f1a20a975a25401a48c16fc3d72c62e5856eacd4e85ff4ae7f
                              • Instruction Fuzzy Hash: E5F0A07560020EBBCF10EFA1CD06EEE37BCAF00320F200225B616E50E1DA74D704AB60
                              APIs
                              • ___crtCreateEventExW.LIBCPMT ref: 00F9E3EF
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?), ref: 00F9E3FD
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E413
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E421
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                              • String ID:
                              • API String ID: 200240550-0
                              • Opcode ID: 2da587acaa510c2bf134f206cb16350066eed732718fd6912f75325a42a896d9
                              • Instruction ID: 5f199a48d50a5aaed959124c0a78324203d0743dccacf00a1ebb4dbf5fdc38e4
                              • Opcode Fuzzy Hash: 2da587acaa510c2bf134f206cb16350066eed732718fd6912f75325a42a896d9
                              • Instruction Fuzzy Hash: 2CE0D865A403192AFB60F7758C07FBA369C5B00704F440861FA15D10D3FD68D60065A1
                              APIs
                                • Part of subcall function 00F9E7B5: TlsAlloc.KERNEL32(00000000,?,?), ref: 00F9E7BB
                              • TlsAlloc.KERNEL32(00000000,?,?), ref: 00FAF97C
                              • GetLastError.KERNEL32 ref: 00FAF98E
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00FAF9A4
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAF9B2
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                              • String ID:
                              • API String ID: 3735082963-0
                              • Opcode ID: 6397ad9abfc0f6b9116cc54e9ff9c73dec0cbe55b96874002a04261934b636b2
                              • Instruction ID: dad3bfd2bd32e55ebd8933474eca30909053cd01ad2e7979e65c16dbd9343b6e
                              • Opcode Fuzzy Hash: 6397ad9abfc0f6b9116cc54e9ff9c73dec0cbe55b96874002a04261934b636b2
                              • Instruction Fuzzy Hash: 28E09BB48102096AD710BFF49C4ABBB33686A04360F504A35B062D51A1EE7CD1086BA1
                              APIs
                              • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,00000000,?), ref: 00F9E5FA
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,00000000,?,?), ref: 00F9E609
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E61F
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E62D
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                              • String ID:
                              • API String ID: 3016159387-0
                              • Opcode ID: dfc86ba3bdc92b3e6c1c11ec11f0b1183ca0dab1dd449d56806c1a2f3bb3e2c5
                              • Instruction ID: ee8512e16f3e01dffa2642c50596ad3eff8119052adff8de72f449caa31b1e6e
                              • Opcode Fuzzy Hash: dfc86ba3bdc92b3e6c1c11ec11f0b1183ca0dab1dd449d56806c1a2f3bb3e2c5
                              • Instruction Fuzzy Hash: A9E04874A0020EDBCB10EBB5DD4AEEF73AC5A00715B600465A143E2051EA68DB04A771
                              APIs
                              • SetThreadPriority.KERNEL32(?,?), ref: 00F9E754
                              • GetLastError.KERNEL32 ref: 00F9E760
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E776
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E784
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                              • String ID:
                              • API String ID: 4286982218-0
                              • Opcode ID: 2298a4f78ad7cb2adba6694e9074cdcf410476bfd5457f8d569579834fd92ca0
                              • Instruction ID: 28b00e9fc36c075fa604f3d43a64bf5482809b1adc7c83420f64e8ab15022ef6
                              • Opcode Fuzzy Hash: 2298a4f78ad7cb2adba6694e9074cdcf410476bfd5457f8d569579834fd92ca0
                              • Instruction Fuzzy Hash: A2E04F7850020EAADF10ABB1DC0ABBA37AD6B00754F004865B566D10B2DE79D614AAA2
                              APIs
                              • TlsSetValue.KERNEL32(?,00000000,00FA3910,00000000,?,?,?,?), ref: 00F9E81A
                              • GetLastError.KERNEL32 ref: 00F9E826
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E83C
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E84A
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                              • String ID:
                              • API String ID: 1964976909-0
                              • Opcode ID: a247a74a593a88127629ee5ed564b8ca5c63a083228962e4e36d5177c8eba661
                              • Instruction ID: 77959b2793b156e03f42dc921eb172add9ec159ded5ae37f7eb0b860782e54d4
                              • Opcode Fuzzy Hash: a247a74a593a88127629ee5ed564b8ca5c63a083228962e4e36d5177c8eba661
                              • Instruction Fuzzy Hash: 78E04F7450020E6BDB10ABB1DC0AFBE37ADAB00350B444465B516D10A2DA79E504A6A0
                              APIs
                              • TlsAlloc.KERNEL32(00000000,?,?), ref: 00F9E7BB
                              • GetLastError.KERNEL32 ref: 00F9E7C8
                              • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00F9E7DE
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9E7EC
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                              • String ID:
                              • API String ID: 3103352999-0
                              • Opcode ID: c9427c24be9e1532b0d231cd6e31ce7bda75ae1c56c43e7f6ce88b8898b12d67
                              • Instruction ID: 1e0f2b82f9cdbdb6e85d950e5bf206c6e01b96f142c8d0c38728f55e25ada42b
                              • Opcode Fuzzy Hash: c9427c24be9e1532b0d231cd6e31ce7bda75ae1c56c43e7f6ce88b8898b12d67
                              • Instruction Fuzzy Hash: 81E0C23890021D56DB10F7B59C4AAFE33AD6A00324B500B21F132D10F2EE68E50966A2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                              • API String ID: 3732870572-1956417402
                              • Opcode ID: 668aea5cd934f74d0c42917792adcec1c8d6a2199cea058b1445ab159e4e2166
                              • Instruction ID: fb6af71b379179f7605cada61f5260def97afdba5b7f86495ba578f692bc5eb9
                              • Opcode Fuzzy Hash: 668aea5cd934f74d0c42917792adcec1c8d6a2199cea058b1445ab159e4e2166
                              • Instruction Fuzzy Hash: 1461E970E462499FDB21AEB9C8407AEBBFDAF49314F244059E890E7B40D774C985CB71
                              APIs
                              • GetStdHandle.KERNEL32(000000F5,33902926,?,?,?), ref: 00F6F4E9
                                • Part of subcall function 00F9B7AB: EnterCriticalSection.KERNEL32(01004F38,?,?,?,00F61B5C,01005B90,00F51077,33902926,?,00FDBE3E,000000FF), ref: 00F9B7B6
                                • Part of subcall function 00F9B7AB: LeaveCriticalSection.KERNEL32(01004F38,?,?,?,00F61B5C,01005B90,00F51077,33902926,?,00FDBE3E,000000FF), ref: 00F9B7F3
                              • __Mtx_init_in_situ.LIBCPMT ref: 00F6F524
                                • Part of subcall function 00F9A63F: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 00F9A64A
                                • Part of subcall function 00F9BB2A: __onexit.LIBCMT ref: 00F9BB30
                                • Part of subcall function 00F9B761: EnterCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B76B
                                • Part of subcall function 00F9B761: LeaveCriticalSection.KERNEL32(01004F38,?,?,00F61BBF,01005B90,00FDE390), ref: 00F9B79E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$Concurrency::details::create_stl_critical_sectionHandleMtx_init_in_situ__onexit
                              • String ID: list<T> too long
                              • API String ID: 2689493819-4027344264
                              • Opcode ID: 485f6af061654e9e351a66d4afda1dad5a7f6b711714be3d394eb0c98cb0a036
                              • Instruction ID: 2b5bc2aff4a6b004052336625044e8d80be6a237430da8455c0cc590fb408dfd
                              • Opcode Fuzzy Hash: 485f6af061654e9e351a66d4afda1dad5a7f6b711714be3d394eb0c98cb0a036
                              • Instruction Fuzzy Hash: 8F517EB1900219DBDB00DF95DC46BAFB7F4FF44704F04456AE8159B381E7B8AA18DBA1
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F6DFC0
                                • Part of subcall function 00FB2A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00FB2AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseThrow
                              • String ID: ' already exists$logger with name '
                              • API String ID: 3976011213-1723946186
                              • Opcode ID: 294201ce74ddaf479031c74427ba3bd6c8b86593cea9d6f6c5070880a28d3687
                              • Instruction ID: 8d61efaffd6d23d0997fbb9d5661562de787934b9c399ef7fb546e31bf52619d
                              • Opcode Fuzzy Hash: 294201ce74ddaf479031c74427ba3bd6c8b86593cea9d6f6c5070880a28d3687
                              • Instruction Fuzzy Hash: A341C171F00605DBCB18DF58D881AAEB3B6FF98304F204569E416AB741D732AD46DBA1
                              APIs
                              • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,6CAB8E74,?,?,00000000,00000000,00000000,?), ref: 6CAB8F98
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: EncodePointer
                              • String ID: MOC$RCC
                              • API String ID: 2118026453-2084237596
                              • Opcode ID: 3766de1ef9fa2566ce95445799d12ccbd5e58f762b711e14287323e18bda884f
                              • Instruction ID: df3555e69e32d263016a5a2f97183bf985f146b142d447547a14ed1f46526c74
                              • Opcode Fuzzy Hash: 3766de1ef9fa2566ce95445799d12ccbd5e58f762b711e14287323e18bda884f
                              • Instruction Fuzzy Hash: 93419D71A00109AFDF01DFA8CE80AEE7BB9FF48308F184159FA1477A51D33699A0DB51
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FA9A4D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FA9A5B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pContext
                              • API String ID: 1687795959-2046700901
                              • Opcode ID: 4835385861e3ca3f2c4edcb00dc772e9f5f08959ed2f1e87d93f84242312770a
                              • Instruction ID: ee93b571902bb4f81500329a690dfbf146bf56b5dfc7db93608a1dbcd28bb3a8
                              • Opcode Fuzzy Hash: 4835385861e3ca3f2c4edcb00dc772e9f5f08959ed2f1e87d93f84242312770a
                              • Instruction Fuzzy Hash: 06418F75F052199FCB04DF99C8C09AEB7B5FF85324B1480BAD902AB312DB74AD42DB90
                              APIs
                              • GetDynamicTimeZoneInformation.KERNEL32(?,?,?,00989680,00000000,33902926), ref: 00F746F1
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F74787
                              Strings
                              • Failed getting timezone info. , xrefs: 00F7474F
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DynamicException@8InformationThrowTimeZone
                              • String ID: Failed getting timezone info.
                              • API String ID: 1852265600-813541962
                              • Opcode ID: 6af9e39c916b153102d9aaab8c0b9a977af87ee5d90314c51cd690be9d460915
                              • Instruction ID: 878f319ffb6279dafba51e67db72237f6c4e475b17642bf320572f6b205c3339
                              • Opcode Fuzzy Hash: 6af9e39c916b153102d9aaab8c0b9a977af87ee5d90314c51cd690be9d460915
                              • Instruction Fuzzy Hash: 77319E75A00518EFCB28DF68DC85F99F7B4FB49310F0086A6E819A7681D734B944DF91
                              APIs
                                • Part of subcall function 6C97ADF9: RegCloseKey.ADVAPI32(00000000,?,?,?,?,6C97A828,?,00000000), ref: 6C97AE3E
                              • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C97AC88
                              • RegCloseKey.ADVAPI32(00000000), ref: 6C97AC91
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4498254806.000000006C931000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C930000, based on PE: true
                              • Associated: 00000004.00000002.4498240764.000000006C930000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498381816.000000006CADA000.00000002.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498417849.000000006CB30000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498433799.000000006CB33000.00000008.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB35000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498450149.000000006CB37000.00000004.00000001.01000000.00000006.sdmp
                              • Associated: 00000004.00000002.4498483241.000000006CB3D000.00000002.00000001.01000000.00000006.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_6c930000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Close$Value
                              • String ID: A
                              • API String ID: 299128501-3554254475
                              • Opcode ID: 20f75123eaea23294031f71423c9bd97e3cadd46e8e1f47ae27d5c6836bb66ea
                              • Instruction ID: 5adb917a6fdca2391c813d37c76122de08c46606a12f61b81cf4d42a5fea59fe
                              • Opcode Fuzzy Hash: 20f75123eaea23294031f71423c9bd97e3cadd46e8e1f47ae27d5c6836bb66ea
                              • Instruction Fuzzy Hash: 6A214536600224BFCF258F69D849AEE7BB9EF49720F204059F808CB690EB31CD42C760
                              APIs
                              • SetLastError.KERNEL32(0000000D,?,?,ios_base::failbit set,?,00F98AD0,00000001,?,00F6019A,00000000,?,00F5FF77,01005B80,00F5FF40,01005B78), ref: 00F9ACE6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                              • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                              • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ErrorLast
                              • String ID: ios_base::failbit set
                              • API String ID: 1452528299-3924258884
                              • Opcode ID: bf10d8cdf74c807004a7eda86225ddf551291bb8f2fdbcb40550cf5a5a8f6691
                              • Instruction ID: d0c4ed563e47821ad50a2ce5096308595819485fe4d5602e10e84c1124bb1055
                              • Opcode Fuzzy Hash: bf10d8cdf74c807004a7eda86225ddf551291bb8f2fdbcb40550cf5a5a8f6691
                              • Instruction Fuzzy Hash: C711A132700129AFEF129F64DD44A6ABB66FF08721B108039F916DA210DB71DC55FBE2
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\XZDesktopCalendar,00000000,00020019,?,7508EB20,00000000,00000000,?,00F556F6,AppPath,?), ref: 00F605DA
                              • RegCloseKey.ADVAPI32(?), ref: 00F60631
                              Strings
                              • SOFTWARE\XZDesktopCalendar, xrefs: 00F605D4
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: CloseOpen
                              • String ID: SOFTWARE\XZDesktopCalendar
                              • API String ID: 47109696-2602408674
                              • Opcode ID: 883898aeb7607a23a122001b6d30cf90a2cfc80232359901ac68d756c422bb3d
                              • Instruction ID: 29b27eb6023bf7eb80924917f182c10fb666bff31281748e9ab868aaf8a254bb
                              • Opcode Fuzzy Hash: 883898aeb7607a23a122001b6d30cf90a2cfc80232359901ac68d756c422bb3d
                              • Instruction Fuzzy Hash: 1F118E75A00208AFDB10AF68DC45AAEB7B9EF89714F404599E806D7241EB75AE089BD0
                              APIs
                              • InterlockedDecrement.KERNEL32(00000008), ref: 00F6B2EE
                              • SysFreeString.OLEAUT32(00000000), ref: 00F6B303
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DecrementFreeInterlockedString
                              • String ID: `)u
                              • API String ID: 3298718523-4279031584
                              • Opcode ID: dec343d78082972c57c340ff34a51bb4ffbf3e3b811afb2abb529014ba8f1559
                              • Instruction ID: 158c968c16487fab2007e97ed2e45cf6e2b8ce939a0b0ae0e499ddb5528660c0
                              • Opcode Fuzzy Hash: dec343d78082972c57c340ff34a51bb4ffbf3e3b811afb2abb529014ba8f1559
                              • Instruction Fuzzy Hash: 15F05E71E0161187EB305F25ED05B0BB7D89F40B10F150429E849DB340E734D884A790
                              APIs
                              • InterlockedDecrement.KERNEL32(?), ref: 00F6B298
                              • SysFreeString.OLEAUT32(00000000), ref: 00F6B2AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: DecrementFreeInterlockedString
                              • String ID: `)u
                              • API String ID: 3298718523-4279031584
                              • Opcode ID: e594b63fcf021edc1a0dfbed64d89468f55b7cb7aeedd67b87f20cd6db9ab506
                              • Instruction ID: 79d8ae6fe2119594b9c7205791f81bc09a861ab7b1a0d91b33a771a2f73c071e
                              • Opcode Fuzzy Hash: e594b63fcf021edc1a0dfbed64d89468f55b7cb7aeedd67b87f20cd6db9ab506
                              • Instruction Fuzzy Hash: 56F0E5B6E0170147DA316F28EC19B4B73EC9F80721F05042AFD86D7240EB34E8449760
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00FAD2D8
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FAD2E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                              • String ID: pThreadProxy
                              • API String ID: 1687795959-3651400591
                              • Opcode ID: 72b3c967e4d858045472d1565ad30b70c49ae01366b04c1252bd6a718b4c617b
                              • Instruction ID: b1ecf8dcef630839d43dea75aad1c725fb9508fcc861a5c76b8bf3ef05454907
                              • Opcode Fuzzy Hash: 72b3c967e4d858045472d1565ad30b70c49ae01366b04c1252bd6a718b4c617b
                              • Instruction Fuzzy Hash: BBD05E71D0030C6ACB00FBAAD906FCE77AC5F10754F008075AA11A6552EAB4E505DEA1
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F9863D
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00F9864B
                                • Part of subcall function 00FB2A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00FB2AAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
                              • String ID: bad function call
                              • API String ID: 4038826145-3612616537
                              • Opcode ID: f58e4a70fd5c96c01585fa372122134a1b67cdf9130997d407d47e60fbb95533
                              • Instruction ID: facfc819e5e3801223ab80bb227ce641169cb148b66a532a22c40114fc580b11
                              • Opcode Fuzzy Hash: f58e4a70fd5c96c01585fa372122134a1b67cdf9130997d407d47e60fbb95533
                              • Instruction Fuzzy Hash: E6C01228C0010C7BCF00FAA5DC56ECC772D6E00300F9844617A1092156EABCE619A6C2
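The per-function blocks above (APIs, Strings, Similarity) are the Joe Sandbox IDA plugin's summaries of what each recovered function calls. The Python below is an added example, not part of this report or of Joe Sandbox's own tooling: it parses blocks in that format and turns the RegOpenKeyExW call into a triage indicator, resolving the HKEY handle constant (80000001 = HKEY_CURRENT_USER) and the samDesired mask (00020019 = KEY_READ) from the standard winreg.h values. The sample input is the RegOpenKeyExW block and the __CxxThrowException@8 block copied from this listing and trimmed to the sections the parser reads. One caveat the code carries as a comment: Joe Sandbox prints the stack at the call site, so only the leading argument positions are real parameters; the later "AppPath" entry in the RegOpenKeyExW line is nearby stack content, not the opened key.

```python
"""Parse Joe Sandbox per-function API listings and extract registry indicators.
Added example; not part of this report or of Joe Sandbox's tooling."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: two function blocks copied from the listing above (the
# RegOpenKeyExW block and the __CxxThrowException@8 block), trimmed to the
# sections this parser reads.
SAMPLE = """\
APIs
• RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\\XZDesktopCalendar,00000000,00020019,?,7508EB20,00000000,00000000,?,00F556F6,AppPath,?), ref: 00F605DA
• RegCloseKey.ADVAPI32(?), ref: 00F60631
Strings
• SOFTWARE\\XZDesktopCalendar, xrefs: 00F605D4
Similarity
• API ID: CloseOpen
• String ID: SOFTWARE\\XZDesktopCalendar
• API String ID: 47109696-2602408674
APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F9863D
• __CxxThrowException@8.LIBVCRUNTIME ref: 00F9864B
  • Part of subcall function 00FB2A4A: RaiseException.KERNEL32(?,?,?,?), ref: 00FB2AAA
Strings
Similarity
• API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
• String ID: bad function call
"""

# One API line: optional "Part of subcall function X: " prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Names may contain "::" and "@N".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Za-z_]\w*)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref: (?P<ref>[0-9A-F]+)$"
)
STR_RE = re.compile(r"^(?P<s>.+), xrefs: [0-9A-F]+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the call sits in a callee

@dataclass
class FuncBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

def parse_blocks(text: str) -> List[FuncBlock]:
    """Each 'APIs' heading starts a new function record."""
    blocks: List[FuncBlock] = []
    cur: Optional[FuncBlock] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            line = line[1:].strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FuncBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                # Comma-split: a string argument containing a comma would be
                # split too, so treat positions as approximate.
                args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append(m["s"])
        elif section == "Similarity":
            if line.startswith("API ID:"):
                cur.api_id = line[len("API ID:"):].strip()
            elif line.startswith("String ID:"):
                cur.string_id = line[len("String ID:"):].strip()
    return blocks

# Predefined HKEY handles and composite access masks from winreg.h.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
ACCESS_NAMES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
# Position of samDesired in the real parameter list of each key-opening API.
SAM_INDEX = {"RegOpenKeyExA": 3, "RegOpenKeyExW": 3, "RegCreateKeyExA": 5, "RegCreateKeyExW": 5}

def decode_access(hex_mask: str) -> str:
    """Render a samDesired value as KEY_* names; unknown bits stay as hex."""
    try:
        mask = int(hex_mask, 16)
    except ValueError:
        return hex_mask  # Joe Sandbox prints '?' when the value is unknown
    names = []
    for flag, name in ((0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")):
        if mask & flag:
            names.append(name)
            mask &= ~flag
    names.insert(0, ACCESS_NAMES.get(mask, f"0x{mask:X}"))
    return " | ".join(names)

def registry_iocs(blocks: List[FuncBlock]) -> List[dict]:
    """Registry keys the code opens, with hive and access decoded.
    The argument list is a stack snapshot at the call site: only the leading
    positions are real parameters, so 'AppPath' further down the sample line
    is other stack content and is not treated as part of the key."""
    found = []
    for b in blocks:
        for c in b.apis:
            idx = SAM_INDEX.get(c.name)
            if idx is None or len(c.args) <= idx:
                continue
            hive = HIVES.get(c.args[0], c.args[0])
            found.append({"key": f"{hive}\\{c.args[1]}",
                          "access": decode_access(c.args[idx]), "ref": c.ref})
    return found

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for b in blocks:
        print(b.api_id, "->", [c.name for c in b.apis])
    for ioc in registry_iocs(blocks):
        print(ioc)
```

Run against a whole exported listing, the registry_iocs output is the list of keys to check on suspect hosts; the API ID and String ID fields are kept on each record because they are what the report's Similarity section keys on, so the same parser can group functions across samples.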
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,33902926,00000000,00000000,00000000,00000000,00F5E161,00F5E161,00000000,00000000,00000000,33902926), ref: 00FCBC81
                              • GetLastError.KERNEL32(?,00F5E161), ref: 00FCBC8F
                              • MultiByteToWideChar.KERNEL32(00000004,00000001,?,?,33902926,00000000,?,00F5E161), ref: 00FCBCEA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: aa00e4fbf08ffdc247c108729669bc0fe11dc7ccd457a467bf47b2b613b99d31
                              • Instruction ID: 03dff1904c545e92ab2da86bd4430cd33f0fd67a03ecf16a5ee5d4e18017a9a6
                              • Opcode Fuzzy Hash: aa00e4fbf08ffdc247c108729669bc0fe11dc7ccd457a467bf47b2b613b99d31
                              • Instruction Fuzzy Hash: 6141B539A04247AFCB21CFA5C947FBA7BA5AF51320F14816DF8569B1A1DB318D01EB60
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5719B
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F571AC
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?), ref: 00F571C5
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,00000000,?,?), ref: 00F571EA
                              Memory Dump Source
                              • Source File: 00000004.00000002.4497053061.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                               • Associated: 00000004.00000002.4497035965.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497096968.0000000000FDF000.00000002.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497124402.0000000001001000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497139890.0000000001002000.00000008.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497154215.0000000001004000.00000004.00000001.01000000.00000005.sdmp
                               • Associated: 00000004.00000002.4497171245.0000000001007000.00000002.00000001.01000000.00000005.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_f50000_RuntimeBrokers.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 9c4ff37c3e1307ed14451f68fa199b9963fe5123d505af2c1bd3b0b5308c3882
                              • Instruction ID: 3f60a574d97381e96947ac82c39cc13f67829cc4030d634e9a5621a3c4d9ad26
                              • Opcode Fuzzy Hash: 9c4ff37c3e1307ed14451f68fa199b9963fe5123d505af2c1bd3b0b5308c3882
                              • Instruction Fuzzy Hash: DF21D77560030ABFDB106F64EC89FAB7B6EEF44355F208126FE0687111DB71AD1897A0